ZoneAlarm, ZoneAlarm Plus and ZoneAlarm Pro 4.0.0 versions; ZoneAlarm Pro 4.5.0; as well as Zone Labs Integrity Client 4.0.0 are vulnerable, the company said. Versions earlier than 4.0.0 are not. ZoneAlarm users are advised to upgrade to Version 4.5.538.001. (See the Zone Labs advisory for more details and how to obtain the upgrades.
The problem was described by eEye Digital Security on the BugTraq mailing list. The firewalls process SMTP (e-mail) traffic sent to or from the system. According to the description, a sufficiently large value in the SMTP "RCPT TO" command can overflow a stack-based buffer in the TrueVector Internet Monitor (vsmon.exe) process.
According to Zone Labs, "If successfully exploited, a skilled attacker could cause the firewall to stop processing traffic, execute arbitrary code, or elevate malicious codes privileges."
An attacker with local access and restricted privileges could invoke the attack by sending an e-mail with the overflowed RCPT TO command. The user could elevate his privileges to SYSTEM level, and a remote user could invoke the attack by manipulating the system into sending an e-mail with the overflow value.