New Integrity Protection Driver (IPD) Available
From: Fernando Trias (fernando@PEDESTALSOFTWARE.COM)
Date: 12/03/02
Date: Tue, 3 Dec 2002 13:13:34 -0500
From: Fernando Trias <fernando@PEDESTALSOFTWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Pedestal Software Security Notice
Product: Integrity Protection Driver (IPD)
Version: 1.2 and earlier
Subject: New Integrity Protection Driver (IPD) Available
Date: December 3, 2002
Solution: Upgrade to version 1.3
SUMMARY
The Integrity Protection Driver (IPD) is an open source kernel
driver for Windows NT and Windows 2000 that attempts to protect
the integrity of the Windows kernel by blocking kernel-altering
device drivers, such as rootkits, from changing normal kernel
function.
A new version of the IPD has been released that corrects two
vulnerabilities that circumvent the driver's protection.
More information about the IPD, including its open source license,
can be found at:
http://www.pedestalsoftware.com/intact/ipd
DETAILS
Phrack 59-16 provides sample code for circumventing the IPD using
an undocumented kernel function, NtCreateSymbolicLinkObject. This
function could enable a process running as SYSTEM to access
\Device\PhysicalMemory through an alternate alias name. Since the
IPD attempts to block access to \Device\PhysicalMemory by name,
accessing the device by a different name would not be blocked.
Obtaining access to \Device\PhysicalMemory would enable read and
write access to all of a computer's physical memory. An attacker
could therefore overwrite portions of kernel memory with modified
versions of their own code, which might prevent integrity
checking programs like Intact from detecting system modifications,
the presence of trojan horse programs or other hacker activity.
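To make the first flaw concrete, here is an added C model that is not IPD's code and not Windows kernel code: a constructed table of symbolic links stands in for the object manager namespace, and the name-only check that IPD 1.2 relied on is placed beside a check that resolves aliases to their target before comparing. All alias names (\??\PhysMem and so on) are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for object-manager symbolic links (alias -> target),
 * the kind of entry NtCreateSymbolicLinkObject can create. */
struct symlink { const char *alias; const char *target; };
static const struct symlink LINKS[] = {
    { "\\??\\PhysMem", "\\Device\\PhysicalMemory" }, /* direct alias  */
    { "\\??\\Mem2",    "\\??\\PhysMem" },            /* chained alias */
    { "\\??\\Loop",    "\\??\\Loop" },               /* self-loop     */
};
#define NLINKS   (sizeof LINKS / sizeof LINKS[0])
#define MAX_HOPS 32   /* bound link chasing so a cycle cannot hang the check */
#define PROTECTED_NAME "\\Device\\PhysicalMemory"

/* Object names are case-insensitive, so compare them that way. */
static int ci_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Follow links until a name that is not an alias is reached.
 * Returns the canonical name, or NULL on a cycle / over-long chain. */
static const char *resolve(const char *name) {
    for (int hop = 0; hop < MAX_HOPS; hop++) {
        size_t i;
        for (i = 0; i < NLINKS; i++)
            if (ci_eq(LINKS[i].alias, name)) { name = LINKS[i].target; break; }
        if (i == NLINKS) return name;  /* not an alias: canonical */
    }
    return NULL;
}

/* Flawed check (IPD 1.2 behaviour): compares only the requested name. */
int blocked_by_name(const char *name) { return ci_eq(name, PROTECTED_NAME); }

/* Corrected check: resolve aliases first; fail closed if unresolvable. */
int blocked_by_target(const char *name) {
    const char *t = resolve(name);
    return t == NULL || ci_eq(t, PROTECTED_NAME);
}

int main(void) {
    const char *tries[] = { "\\Device\\PhysicalMemory", "\\??\\PhysMem",
                            "\\??\\Mem2", "\\??\\Loop", "\\Device\\Null" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-26s by-name:%d by-target:%d\n", tries[i],
               blocked_by_name(tries[i]), blocked_by_target(tries[i]));
    return 0;
}
```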
The second vulnerability exists because of faulty driver
engagement logic. The driver incorrectly relies on the system
clock to determine whether the driver has engaged. Unfortunately,
the system clock cannot be trusted and can be used to disengage
the driver.
PATCH AVAILABILITY
Users of the Integrity Protection Driver are urged to upgrade to
the latest version.
The latest driver and source code may be downloaded from the
Pedestal Software web site at
http://www.pedestalsoftware.com/intact/ipd.
CREDITS
Phrack 59-16 by crazylord <crazylord@minithins.net>
http://www.phrack.org/show.php?p=59&a=16
Thanks to Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl> for
telling us about the Time Vulnerability.
ABOUT PEDESTAL SOFTWARE
Founded in 1998, Pedestal Software is "enabling the next wave of
information security" by making the deployment, management, audit,
and control of a security policy efficient and cost effective.
The company is privately held and maintains its headquarters in
Norwood, Massachusetts. For additional information, please visit
http://www.pedestalsoftware.com or contact us at (781) 239-8070.
DISCLAIMER
Pedestal Software is not responsible for the misuse of any of the
information provided on this website and/or through security
advisories. This advisory is a service to Pedestal Software
customers intended to promote secure installation and use of
Pedestal Software products.