Elevation of Privilege in ZoneAlarm Extreme Security


Our security expert, and hacker par excellence, Filip Dragović (OSCP | OSEP | CRTO | CRTP | CRTE | PACES), found a security flaw in Check Point ZoneAlarm Extreme Security. This vulnerability allows an attacker to escalate privileges on a computer where the aforementioned antivirus program is installed.

But it is best to let Filip explain it himself:

This vulnerability allows local attackers to escalate privileges on hosts where the affected installation of Check Point ZoneAlarm Extreme Security is running. An attacker must first obtain the ability to execute low-privileged code on the target host to exploit this vulnerability.
This specific flaw exists due to weak privileges in the C:\ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory and a self-protection driver bypass, which allowed the creation of a junction directory that was abused to perform an arbitrary file move as the NT AUTHORITY\SYSTEM account.

You can find more about all this, with descriptions, pictures, and examples, in Filip's official Git repository.
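As an added illustration, not part of this post or of Filip's write-up, the following PowerShell check audits a directory from a hardening standpoint for the two conditions named above: an ACL that lets low-privileged principals create, replace or delete entries, and junction or other reparse points present inside it. The directory path is the one quoted above; the list of principals treated as low-privileged and the set of rights treated as write-capable are assumptions of this example, not values from the advisory.

```powershell
# Added example (not from the original post or the vendor): audit a directory
# for weak write permissions and for junction/reparse points. Run from an
# elevated PowerShell prompt; requires PowerShell 3.0 or later for -Attributes.
param(
    # Path quoted in the advisory above.
    [string]$Path = 'C:\ProgramData\CheckPoint\ZoneAlarm\Data\Updates'
)

# Assumed set of rights that let a principal add, replace or remove entries.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Assumed list of identities that any unprivileged local user belongs to.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-WeakWriteAce {
    # Returns every Allow ACE on $Dir that grants a low-privileged principal
    # at least one of the write-capable rights in $writeMask.
    param([Parameter(Mandatory)][string]$Dir)

    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) {
        Write-Warning "Directory not found: $Dir"
        return @()
    }

    $acl = Get-Acl -LiteralPath $Dir
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
}

function Get-ReparsePointUnder {
    # Returns every junction, symbolic link or other reparse point below $Dir.
    # A junction inside a directory that a SYSTEM service writes to is the
    # pattern the advisory describes, so its presence is worth reviewing.
    param([Parameter(Mandatory)][string]$Dir)

    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return @() }

    Get-ChildItem -LiteralPath $Dir -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Select-Object FullName, LinkType, Target
}

# Report findings for the requested path.
$weakAces = @(Get-WeakWriteAce -Dir $Path)
if ($weakAces.Count -eq 0) {
    Write-Host "OK: no low-privileged principal holds write-capable rights on $Path"
} else {
    Write-Host "FINDING: write-capable rights for low-privileged principals on $Path"
    $weakAces | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
}

$links = @(Get-ReparsePointUnder -Dir $Path)
if ($links.Count -eq 0) {
    Write-Host "OK: no reparse points found under $Path"
} else {
    Write-Host "REVIEW: reparse points found under $Path"
    $links | Format-Table -AutoSize
}
```

Both conditions from the advisory are checked independently: a weak ACE alone is a hardening gap for any directory that a privileged service reads or writes, and a reparse point under such a directory is the artefact to review or remove. The same two functions can be pointed at any other service-owned directory under C:\ProgramData by changing the -Path argument.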