CVE-2022-41604: Elevation of Privilege in ZoneAlarm Extreme Security

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. This occurs because of weak permissions for the %PROGRAMDATA%\CheckPoint\ZoneAlarm\Data\Updates directory, and a self-protection driver bypass that allows creation of a junction directory. This can be leveraged to perform an arbitrary file move as NT AUTHORITY\SYSTEM.

Our security expert, and hacker par excellence, Filip Dragović (OSCP | OSEP | CRTO | CRTP | CRTE | PACES), found a security flaw in Check Point ZoneAlarm Extreme Security. This vulnerability allows an attacker to escalate privileges on a computer where the aforementioned antivirus program is installed.

But it would be best if Filip himself said what it was all about:

This vulnerability allows local attackers to escalate privileges on hosts where the affected installation of Check Point ZoneAlarm Extreme Security is running. An attacker must first obtain the ability to execute low-privileged code on the target host to exploit this vulnerability.
This specific flaw exists due to weak privileges on the C:\ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory and a self-protection driver bypass, which allowed the creation of a junction directory that was abused to perform an arbitrary file move as the NT AUTHORITY\SYSTEM account.

You can find more about all this, with descriptions, pictures, and examples, on Filip’s official Git.
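As an added, defender-side example that is not part of this report or of Check Point's or Filip's material: a PowerShell check that audits the Updates directory named above for ACEs granting write-type rights to broad local groups, and flags any reparse points (junctions or symlinks) found inside it. The function name and the list of "broad" principals are my own choices.

```powershell
# Added example: audit the ZoneAlarm Updates directory for weak ACLs and planted junctions.
function Test-ZoneAlarmUpdatesDir {
    param(
        # Path from the advisory; resolved through %PROGRAMDATA% rather than hard-coded.
        [string]$Path = (Join-Path $env:ProgramData 'CheckPoint\ZoneAlarm\Data\Updates')
    )
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Findings = @() }
    }

    # Principals that should not hold write rights on a directory a SYSTEM service acts in.
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    # Rights that let a low-privileged user create, replace or remove directory entries.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            $findings += "Weak ACE: $($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }

    # A reparse point under an update directory is the redirection primitive the advisory
    # describes; report where it points so an analyst can judge whether it is legitimate.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
        ForEach-Object {
            $findings += "Reparse point: $($_.FullName) -> $($_.Target)"
        }

    [pscustomobject]@{ Path = $Path; Exists = $true; Findings = $findings }
}

# Run from an elevated prompt so Get-Acl can read the directory's security descriptor.
Test-ZoneAlarmUpdatesDir | Format-List
```

An empty Findings list on a host running 15.8.211.19229 or later is the expected result; a weak ACE on an older build is the condition the advisory describes, and the fix is the vendor update rather than a manual ACL edit.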