Title: Check Point Zone Alarm Srescan.SYS Multiple Local Privilege Escalation Vulnerabilities
Severity: HIGH
Description:
ZoneAlarm is a firewall and application security package designed for Microsoft Windows operating systems. It is distributed and maintained by Check Point.
Check Point ZoneAlarm is prone to multiple local privilege-escalation vulnerabilities.
The vulnerabilities reside in the IOCTL handling code of the 'srescan.sys' device driver, which contains the Spyware Removal Engine. The vulnerable device driver fails to properly validate userland-supplied addresses passed to IOCTLs '0x2220CF' and '0x22208F'. The first control writes the constant double-word value '0x30000' to the supplied address; the second writes the contents of a buffer returned from 'ZwQuerySystemInformation' to the supplied address. Either control therefore lets a local attacker overwrite arbitrary memory.
On a default installation, only certain restricted accounts can access the affected device driver.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
Check Point ZoneAlarm products using ZoneAlarm Spyware Removal Engine (SRE) versions prior to 5.0.156.0 are vulnerable to this issue; other products that bundle the vulnerable engine are reported to be affected as well.
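The unchecked write the advisory describes, beside the ProbeForWrite-style validation the driver omitted, as an added user-mode C simulation (not code from srescan.sys or from Check Point): the IOCTL codes and the 0x30000 constant come from the advisory; the 2 GB user/kernel boundary, the simulated mapping and the handle_ioctl, probe_for_write and sim_* names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* IOCTL codes and the 0x30000 constant come from the advisory. */
#define IOCTL_WRITE_CONST   0x2220CFu
#define IOCTL_WRITE_BUFFER  0x22208Fu
#define CONST_VALUE         0x30000u
/* Constructed 32-bit x86 split: user addresses lie below this boundary (the role
 * MmUserProbeAddress plays for the real ProbeForWrite). */
#define USER_PROBE_ADDRESS  0x7FFF0000u

enum status { STATUS_SUCCESS, STATUS_ACCESS_VIOLATION, STATUS_DATATYPE_MISALIGNMENT,
              STATUS_INVALID_DEVICE_REQUEST };

/* Simulated user mapping; writes landing outside it stand in for kernel memory corruption. */
#define SIM_SIZE 0x100u
static uint8_t   sim_mem[SIM_SIZE];
static uintptr_t sim_base;
static unsigned  corrupted_writes;

void sim_reset(uintptr_t base) { sim_base = base; corrupted_writes = 0; memset(sim_mem, 0, SIM_SIZE); }
unsigned sim_corrupted(void) { return corrupted_writes; }
uint32_t sim_read32(uintptr_t a) { uint32_t v; memcpy(&v, sim_mem + (a - sim_base), 4); return v; }

static void sim_write(uintptr_t addr, const void *src, size_t len) {
    if (addr >= sim_base && addr + len <= sim_base + SIM_SIZE)
        memcpy(sim_mem + (addr - sim_base), src, len);
    else
        corrupted_writes++;          /* target outside the user mapping: corruption */
}

/* Model of the ProbeForWrite check srescan.sys omitted: user range, no wrap, aligned.
 * A real driver calls ProbeForWrite inside __try/__except; here a status is returned. */
static enum status probe_for_write(uintptr_t addr, size_t len, size_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align) return STATUS_DATATYPE_MISALIGNMENT;
    if (len > USER_PROBE_ADDRESS || addr > USER_PROBE_ADDRESS - len) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Dispatch for the two controls. validate=0 reproduces the unchecked pattern the advisory
 * describes (any address gets written); validate=1 is the hardened form. */
enum status handle_ioctl(uint32_t code, uintptr_t user_addr,
                         const void *buf, size_t buf_len, int validate) {
    static const uint32_t constant = CONST_VALUE;
    const void *src; size_t len, align;
    switch (code) {
    case IOCTL_WRITE_CONST:  src = &constant; len = sizeof constant; align = 4; break;
    case IOCTL_WRITE_BUFFER: src = buf; len = buf_len; align = 1; break; /* ZwQuerySystemInformation output */
    default: return STATUS_INVALID_DEVICE_REQUEST;
    }
    if (validate) { enum status s = probe_for_write(user_addr, len, align); if (s) return s; }
    sim_write(user_addr, src, len);  /* the unchecked path reaches here for any address */
    return STATUS_SUCCESS;
}
```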
Affected Products:
- Zone Labs ZoneAlarm 2.1.0
- Zone Labs ZoneAlarm 2.2.0
- Zone Labs ZoneAlarm 2.3.0
- Zone Labs ZoneAlarm 2.4.0
- Zone Labs ZoneAlarm 2.5.0
- Zone Labs ZoneAlarm 2.6.0
- Zone Labs ZoneAlarm 3.0.0
- Zone Labs ZoneAlarm 3.1.0
- Zone Labs ZoneAlarm 3.7.0.202
- Zone Labs ZoneAlarm 4.0.0
- Zone Labs ZoneAlarm 4.5.0.538.001
- Zone Labs ZoneAlarm 5.1.0
- Zone Labs ZoneAlarm 5.5.0.062.011
- Zone Labs ZoneAlarm 6.0.0
- Zone Labs ZoneAlarm Anti-Spyware 6.0.0
- Zone Labs ZoneAlarm Anti-Spyware 6.1.0
- Zone Labs ZoneAlarm Anti-Virus 6.0.0
- Zone Labs ZoneAlarm Antivirus
- Zone Labs ZoneAlarm Internet Security Suite 6.0.0
- Zone Labs ZoneAlarm Plus 4.0.0
- Zone Labs ZoneAlarm Plus 4.5.0.538.001
- Zone Labs ZoneAlarm Pro 2.4.0
- Zone Labs ZoneAlarm Pro 2.6.0
- Zone Labs ZoneAlarm Pro 3.0.0
- Zone Labs ZoneAlarm Pro 3.1.0
- Zone Labs ZoneAlarm Pro 4.0.0
- Zone Labs ZoneAlarm Pro 4.5.0
- Zone Labs ZoneAlarm Pro 4.5.0.538.001
- Zone Labs ZoneAlarm Pro 5.0.590.015
- Zone Labs ZoneAlarm Pro 5.1.0
- Zone Labs ZoneAlarm Pro 5.5.0.062
- Zone Labs ZoneAlarm Pro 5.5.0.062.011
- Zone Labs ZoneAlarm Pro 6.0.0
- Zone Labs ZoneAlarm Pro 6.1.744.001
- Zone Labs ZoneAlarm Pro 6.5.737.000
- Zone Labs ZoneAlarm Pro 7.0.302.000
- Zone Labs ZoneAlarm Security Suite 5.1.0
- Zone Labs ZoneAlarm Security Suite 5.5.0
- Zone Labs ZoneAlarm Security Suite 5.5.0.062
- Zone Labs ZoneAlarm Security Suite 5.5.0.062.011
- Zone Labs ZoneAlarm Security Suite 6.1.737
- Zone Labs ZoneAlarm Security Suite 6.1.744.000
- Zone Labs ZoneAlarm Security Suite 6.5.722
- Zone Labs ZoneAlarm for Windows XP 2.6.0
References:
- Check Point: Zone Alarm Homepage
- Rubén Santamarta: ZoneAlarm Advisory (Srescan.sys)
- Zone Labs: Zone Labs Homepage
- iDefense Labs: Check Point Zone Labs SRESCAN IOCTL Local Privilege Escalation Vulnerability
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.