Local Exploitation of WCF Services within ZoneAlarm Anti-Virus Software to Escalate Privileges
General Overview
Illumant has discovered a critical vulnerability in Check Point’s ZoneAlarm anti-virus software. This vulnerability allows a low-privileged user to escalate to SYSTEM-level privileges. A service endpoint within ZoneAlarm exposes powerful functionality, including the ability to start new processes as SYSTEM. Efforts were made by the developers to ensure that only trusted processes could interact with the service. Trusted processes are identified using code signing, but on Windows it is possible for low-privilege users to sign code with a self-signed certificate and be trusted by the operating system. Thus, low-privilege users are able to interact with the service and run commands as SYSTEM.
Check Point’s ZoneAlarm anti-virus software is often cited among the top 10 most popular anti-virus applications, and as such, this vulnerability, before the patch was made available (here & here), affected millions of systems worldwide.
Furthermore, the vulnerability is an example of a class of vulnerabilities that exist within insecure implementations of Microsoft’s Windows Communication Foundation (WCF). Illumant is calling this bug class “OwnDigo,” a twist on the name “Indigo,” the former codename for WCF.
Illumant reported the vulnerability to Check Point, per Illumant’s responsible disclosure policy. Release of this information has been timed to ensure that a patch for this vulnerability is available from Check Point. We thank Check Point for their responsiveness in addressing this issue.
Additional Information:
Read the technical white paper.
View a video of the exploit in action.
Check out the exploit code on our GitHub repository.
Why it Matters
For systems running unpatched ZoneAlarm anti-virus software, this is a serious vulnerability. A low-privilege user on their own system that is not allowed administrator-level privileges (a security best-practice and a policy at many organizations) would still be able to escalate privileges through this vulnerability to attain SYSTEM-level control over their system, and potentially use that leverage to propagate an attack against other systems on the connected network.
Similarly, an attacker that is able to gain unauthorized access to a low-privilege user account on a system, through social engineering, password brute forcing, or any number of vulnerabilities, would have a path to privilege escalation that would vastly increase the leverage of the foothold they already have within the organization.
This type of privilege escalation vulnerability is an essential piece of an effective and impactful cyber-attack. Many cyber-attacks follow a similar pattern: gain a foothold on the network, escalate privileges, exfiltrate valuable information. This vulnerability could be utilized within this cyber-attack process.
Beyond the specifics of this vulnerability, this vulnerability is also an example of a broader class of vulnerabilities that likely affect many .NET applications that use WCF.
Concerns with WCF and Code Signing
The ZoneAlarm vulnerability targets a .NET service that runs as SYSTEM (the highest privilege level in Windows) and utilizes WCF to handle inter-process communications. Only processes that are signed by Check Point are allowed to communicate with this service.
Using code signing in this manner is inherently flawed. On Window systems, it is trivial for a low-privilege to trust self-signed certificates. These certificates can be designed to mimic those of legitimate software vendors (in this case Check Point) and to sign malicious code.
As a result, it is possible to create exploit code that communicates with the vulnerable ZoneAlarm service endpoint to run arbitrary code as SYSTEM, resulting in local escalation of privileges and full compromise of the system.
Recently, vulnerability research has focused more attention on the WCF attack surface. This ZoneAlarm issue is the latest example of a vulnerability within this lesser-known class of bugs.
Here are a few recent examples from Fabius Watson of other WCF vulnerabilities (@FabiusArtrel):
CVE-2018-13101 – KioskSimpleService Local Privilege Escalation
CVE-2018-10169 – Proton VPN Local Privilege Escalation
CVE-2018-10170 – NordVPN Local Privilege Escalation
CVE-2018-10190 – Private Internet Access Local Privilege Escalation
In addition, prior research has been published on code-signing flaws, notably by Matt Graeber (@mattifestation) of SpecterOps (see Code Signing Certificate Cloning Attacks and Defenses).
WCF and code-signing flaws represent a promising area for vulnerability researchers. Similarly, these flaws should be of concern for Windows application developers who aim to develop secure applications.
Concerns with Security Software
ZoneAlarm anti-virus, like other anti-virus software, is designed to protect users and their computers from dangerous malware and breaches. This issue, however, demonstrates the risk that anti-virus software can pose to system security. Anti-virus software must run at the highest privilege level to effectively protect systems against malware. Hence vulnerabilities in this software can be extremely dangerous.
In 2016, Google researcher Tavis Ormandy (@taviso) announced numerous critical vulnerabilities in Symantec’s suite of anti-virus products. This ZoneAlarm vulnerability demonstrates once again that security software vendors must be diligent about the security of their own products and applications.
Vulnerability Disclosure and Fixes
Illumant coordinated the timing of this press release with Check Point to ensure that a patch for this vulnerability was already published (here & here). ZoneAlarm users should ensure their anti-virus software is up-to-date.
Illumant credits Check Point for being responsive during the vulnerability disclosure process, taking security issues seriously, making bug reporting simple (through a form on their website) and quickly developing a fix for this bug to protect their customers.
Other software publishers should assess their own applications and implementations of WCF to ensure their software is not vulnerable.
Technical Overview
The ZoneAlarm vulnerability is critical because, like many other security applications, ZoneAlarm runs as SYSTEM. This level of privilege is necessary for security software, to allow these applications to have full access to information and control over the system to be able to protect it against malicious actors and code. But this elevated level of access also makes its own security vulnerabilities potentially critical.
In this case, the exploit targets a .NET service endpoint in ZoneAlarm, running as SYSTEM, that implements methods that can execute code and spawn processes. The service receives commands to execute code from other processes using WCF to handle communications. With only low-privilege access, an attacker can send commands to the vulnerable endpoint to instruct it to run arbitrary code on the machine, as SYSTEM, hence gaining full control and successfully escalating privileges.
Exposing such powerful functionality over WCF can enable dangerous attack vectors.
Steps were taken by the developers to attempt protection against this type of attack; however, the chosen protection measures were proven to be ineffective. It was intended that only code signed by Check Point be allowed to communicate with the vulnerable endpoint. However, on Windows, a low-privilege user can install a self-signed certificate and use it to sign malicious code. In this case, it is possible to sign code that for the purposes of ZoneAlarm appears to be signed by Check Point, allowing the malicious code to communicate and send commands to the vulnerable endpoint.
Securing Against OwnDigo
Developers wishing to secure their own applications should evaluate their susceptibility to this threat vector, as part of a complete review of the security of their application. Specifically, when utilizing WCF, ensure that powerful methods are not exposed to lower privilege users. Furthermore, bear in mind that code signing in Windows may not be reliable if an attacker already has local code execution.
About ILLUMANT
ILLUMANT provides network- and application-level vulnerability research, penetration testing and security assessments, as well as awareness training and security compliance services to companies of all sizes and verticals, including Fortune 500 companies, universities, health care providers, government institutions, startups and many others. Leveraging strategic and tactical risk management and information security expertise, Illumant partners with its clients to help them improve security, limit exposure, and achieve compliance and training objectives. ILLUMANT is a privately held company and headquartered in Palo Alto, California.