Bugtraq mailing list archives
Re: 18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite build 6.1.744.000
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 9 Mar 2006 18:42:20 +0300
Dear Reed Arvin, Having insecure directory in PATH is configuration bug, because PATH is expected way to search required dynamic libraries under Windows. In your very case, user can elevate privileges by simply overwriting binaries of Active Perl installation. In case Active Perl doesn't let you to place binary files in Program Files, you may report it as Active Perl vulnerability, otherwise, it's vulnerability of yourself. It's common practice to set security on any directory you create in disk root folder. --Thursday, March 9, 2006, 12:25:56 AM, you wrote to bugtraq () securityfocus com: RA> Exploitation Requirements: RA> First of all, you will need to have a directory that is writeable to a RA> lower level user, that is included in the Windows PATH environment RA> variable. As you saw above, I had ActiveState's ActivePerl installed RA> and it worked just fine. RA> Secondly, verify that the path you have chosen is definitely writeable RA> to a lower level user. On Windows 2000 operating systems the default RA> permissions for the root of the partition where the operating system RA> is installed is set as Everyone/Full Control. So, by default, RA> C:\Perl\bin is set to Everyone/Full Control. On Windows 2000 operating RA> systems a guest account can be used during the exploitation process. RA> On Windows XP, the C:\Perl\bin folder has special permissions set (by RA> default) for the local Users group that allows the creation and RA> modification of new files and folders. Perfect, that is all that is RA> needed. On Windows XP, an account in the local Users group can be used RA> during the exploitation process. RA> Vulnerable Versions: RA> Zone Labs ZoneAlarm Security Suite build 6.1.744.000 and possibly RA> earlier versions -- ~/ZARAZA http://www.security.nnov.ru/
Current thread:
- 18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite build 6.1.744.000 Reed Arvin (Mar 08)
- Re: 18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite build 6.1.744.000 3APA3A (Mar 09)
- <Possible follow-ups>
- Re: 18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite build 6.1.744.000 reedarvin (Mar 09)