Researcher warns of privilege escalation flaw in Check Point ZoneAlarm

eBook: The DevOps Roadmap for Security - Tips and tools for bridging the security tribe into DevOps. Download →

Illumant researcher Chris Anastasio has discovered a serious vulnerability in Check Point’s security software.

Check Point Zone Alarm flaw

It affects ZoneAlarm Free Firewall and ZoneAlarm Free Antivirus + Firewall and, if exploited, it may allow a malicious user with low privilege access to escalate privileges to SYSTEM level.

WCF and self-signed code in the spotlight

The vulnerability is due to insecure implementation of services developed using Windows Communication Foundation or “WCF.” It targets a .NET service in ZoneAlarm that runs as SYSTEM and utilizes WCF to handle inter-process communications.

The application relies on code-signing to validate that code is legitimated and trusted before it is run. However, this measure is inherently flawed, because on Windows it is trivial for a low-privilege user to trust self-signed certificates and bypass these validation checks.

As a result, it is possible to create exploit code that communicates with the vulnerable ZoneAlarm service endpoint to run arbitrary code as SYSTEM, resulting in local escalation of privileges and full compromise of the system.

A specific class of vulnerabilities

This ZoneAlarm issue is the latest in a lesser-known class of vulnerability that exposes the WCF attack surface. Illumant has coined the term “OwnDigo” to describe this vulnerability class (the name is a twist on “Indigo”, the former codename of WCF.)

“In this case, we’ve exploited services in ZoneAlarm, but the methodology is applicable to many other programs,” said Chris Anastasio, Senior Security Analyst at Illumant.

“WCF is widely used in .NET applications, and initial research indicates that many other implementations are not adequately secured. In fact, other researchers have recently published similar vulnerabilities, and we have identified a few more of our own.”

For additional technical details about the vulnerability and a thorough description of how they discovered it and developed an exploit for it check out the technical whitepaper.

The company also provided a video demo of the exploit in action:

How to protect yourself

“This issue was reported to Check Point as soon as a working exploit was developed. Disclosure was easy compared to many other vendors,” the researchers noted.

“After the code was patched, we were asked to validate the fix. Their approach was simple and effectively made it impossible to reach the ExecuteInstaller method over WCF. Rather than try to make it difficult for unauthorized clients to interact with the service, it’s safer to simply not expose sensitive functionality over WCF.”

Check Point has released security updates that fix the vulnerability and users are advised to implement them if they haven’t already.

The researchers advised other software publishers to assess their own applications and implementations of WCF to ensure their software is not vulnerable.

“This is a stark reminder to the security software industry,” said Illumant co-founder Matija Siljak. “Security software manufacturers need to pay extra attention to the security of their own software lest their products become the vulnerability that allows for the propagation of cyber-attacks rather than the defense against them.”