[NT] DiamondCS Process Guard Can Be Disabled by Direct Service Table Restoration
From: SecuriTeam (support_at_securiteam.com)
Date: 07/07/04
To: list@securiteam.com Date: 7 Jul 2004 16:03:59 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
DiamondCS Process Guard Can Be Disabled by Direct Service Table Restoration
------------------------------------------------------------------------
SUMMARY
DiamondCS Process Guard (http://www.diamondcs.com.au/processguard/) is
"an advanced Win32 security system that protects both system and security
processes (as well as user-defined processes) from attacks by other
processes, services, drivers, and other forms of executing code on your
system. The first program of its kind, Process Guard can protect a process
against termination, suspension and prevents loading of malicious kernel
drivers".
Process Guard protects a running process by hooking several native APIs in
kernel-space. However, an implementation flaw allows a malicious program
to disable Process Guard's protection by restoring the running kernel's
SDT ServiceTable with direct writes to \device\physicalmemory.
DETAILS
Vulnerable Systems:
* Process Guard Free version 2.000
Process Guard prevents a protected process from being terminated by
hooking several native APIs in kernel-space. Hooking is performed by the
module procguard.sys by replacing entries within the SDT ServiceTable. In
addition, Process Guard prevents the installation of malicious kernel
drivers by hooking ZwCreateKey and ZwSetValueKey. Hooking these two APIs
prevents any programs from creating the necessary registry entries that
are required to load a kernel driver or to install a service.
It is possible to disable Process Guard's protection by restoring the
running kernel's SDT ServiceTable to its original state with direct writes
to \device\physicalmemory. Restoring the running kernel's SDT ServiceTable
will effectively disable the protection offered by Process Guard. In other
words, the processes that were being protected by Process Guard can now be
terminated easily.
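To make the mechanism concrete, here is an added user-mode model (not Process Guard's code, and not the advisory author's proof of concept) of what the description above implies for a defender: a guard that works by patching service-table entries only stays effective while those entries still point at its hooks, so it needs an integrity check of its own table rather than assuming the hooks it installed are still there. The table, the service names, the protected pid and the status values are constructed for the example.

```c
#include <string.h>

/* Constructed model of the advisory's mechanism: a tiny service table, a guard
 * that hooks entries in it, and an integrity check. The real SDT ServiceTable
 * lives in kernel memory and has far more entries. */
enum { SVC_TERMINATE_PROCESS, SVC_CREATE_KEY, SVC_SET_VALUE_KEY, NUM_SERVICES };
typedef int (*service_fn)(int arg);

#define PROTECTED_PID 42          /* hypothetical guarded process */
#define STATUS_SUCCESS 0
#define STATUS_ACCESS_DENIED (-1)

/* Original (unhooked) service handlers: everything is permitted. */
static int orig_terminate(int pid) { (void)pid; return STATUS_SUCCESS; }
static int orig_create_key(int k)  { (void)k;   return STATUS_SUCCESS; }
static int orig_set_value(int k)   { (void)k;   return STATUS_SUCCESS; }

/* Guard hooks: refuse to terminate the protected pid, and refuse the registry
 * writes that the model treats as installing a driver or service. */
static int hook_terminate(int pid) {
    return pid == PROTECTED_PID ? STATUS_ACCESS_DENIED : orig_terminate(pid);
}
static int hook_create_key(int k)  { (void)k; return STATUS_ACCESS_DENIED; }
static int hook_set_value(int k)   { (void)k; return STATUS_ACCESS_DENIED; }

static service_fn live_table[NUM_SERVICES] = { orig_terminate, orig_create_key, orig_set_value };
static service_fn pristine_table[NUM_SERVICES];  /* unhooked copy, as on a clean kernel */
static service_fn expected_table[NUM_SERVICES];  /* snapshot taken right after hooking */

/* Guard installation: remember the pristine table, patch the entries, snapshot. */
void install_guard(void) {
    memcpy(pristine_table, live_table, sizeof live_table);
    live_table[SVC_TERMINATE_PROCESS] = hook_terminate;
    live_table[SVC_CREATE_KEY]        = hook_create_key;
    live_table[SVC_SET_VALUE_KEY]     = hook_set_value;
    memcpy(expected_table, live_table, sizeof live_table);
}

/* Every call dispatches through the live table, as syscalls do through the SDT. */
int call_service(int idx, int arg) { return live_table[idx](arg); }

/* Models the effect the advisory describes: the table is put back to its
 * original state behind the guard's back, so the hooks are simply gone. */
void restore_table_to_original(void) { memcpy(live_table, pristine_table, sizeof live_table); }

/* Defender's check: number of entries that no longer point at the guard's hooks.
 * Non-zero means protection was silently removed; the guard should alert or
 * re-hook instead of continuing to report itself as active. */
int count_tampered_entries(void) {
    int n = 0;
    for (int i = 0; i < NUM_SERVICES; i++)
        if (live_table[i] != expected_table[i]) n++;
    return n;
}
```

A self-check that runs at the same privilege as the code that rewrote the table can itself be defeated, which is why the vendor's workaround below (not running untrusted programs as Administrator) matters more than any in-product check.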
Vendor response:
Vulnerability will be fixed in the next release.
Workarounds:
Do not run untrusted programs as Administrator.
Proof of concept:
http://www.security.org.sg/vuln/procguard.html
Disclosure timeline:
23 Jun 04 - Vulnerability Discovered
24 Jun 04 - Initial Vendor Notification
25 Jun 04 - Initial Vendor Response
07 Jul 04 - Public Release
ADDITIONAL INFORMATION
The information has been provided by Chew Keong TAN
<chewkeong@security.org.sg>.
The original article can be found at:
http://www.security.org.sg/vuln/procguard.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.