[NT] Prevx Home Intrusion Prevention Features can be Disabled by Direct Service Table Restoration
From: SecuriTeam (support_at_securiteam.com)
Date: 11/23/04
To: list@securiteam.com
Date: 23 Nov 2004 18:19:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Prevx Home Intrusion Prevention Features can be Disabled by Direct Service Table Restoration
------------------------------------------------------------------------
SUMMARY
<https://www.prevx.com> Prevx Home is a "state-of-the-art Host Intrusion
Prevention Software that is designed to protect the user against the next
Zero Day Hacker attacks, Internet Worms and Spyware Installation without
expecting the user to perform constant updates to their system."
A malicious program with administrative access can completely disable
Prevx's security features by direct memory access.
DETAILS
Vulnerable Systems:
* Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0 to SP2
Immune Systems:
* Prevx Home Version 2.0
Prevx Home prevents malicious code from modifying critical Windows
registry keys by prompting the user for action whenever such an attempt is
detected. Examples of protected registry keys include the Run-key and
Internet Explorer's registry settings. Prevx Home can also protect the
system against buffer overflow exploits.
Prevx Home's registry and buffer overflow protection is implemented by
hooking several native APIs in kernel space: Prevx Home's kernel driver
replaces the corresponding entries in the SDT ServiceTable with pointers to
its own handlers, which inspect each call before passing it on.
It is possible to disable Prevx Home's registry and buffer overflow
protection by restoring the running kernel's SDT ServiceTable to its
original state with direct writes to \device\physicalmemory. Restoring the
running kernel's SDT ServiceTable will effectively disable the protection
offered by Prevx Home. In other words, the registry keys that were
protected by Prevx Home can now be modified.
Note: The original article has a proof of concept demonstration of this
vulnerability.
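The weakness described above is that the driver installs its hooks once and never re-verifies them, so a write that copies the original entries back goes unnoticed. The following is an added example, not code from the advisory or from Prevx, that simulates in user mode the integrity self-check a HIPS driver could run over its service table: it keeps the entries as found at load time and as hooked, and classifies the live table as intact, restored to the kernel's originals, or pointing somewhere unknown. The table size, kernel image range and addresses are constructed placeholders, not real Windows XP values.

```c
/* Added example: simulated SSDT hook self-check. All addresses, indices and
 * the table size are constructed; a real driver would read the live
 * KeServiceDescriptorTable in kernel mode instead. */
#include <stdint.h>
#include <stddef.h>

#define SSDT_ENTRIES 8

typedef enum { HOOKS_INTACT = 0, HOOKS_RESTORED = 1, FOREIGN_HOOK = 2 } ssdt_state;

typedef struct {
    uintptr_t kernel_base, kernel_end;   /* constructed ntoskrnl image range   */
    uintptr_t original[SSDT_ENTRIES];    /* entries recorded at driver load    */
    uintptr_t hooked[SSDT_ENTRIES];      /* entries after installing our hooks */
    int       is_hooked[SSDT_ENTRIES];   /* 1 where the driver replaced entry  */
} hips_baseline;

/* Compare the live table with the baseline. A hooked slot holding the
 * kernel's original pointer means someone reverted the hook (the advisory's
 * case); any pointer that is neither ours nor inside the kernel image is
 * treated as a foreign hook and reported immediately. */
ssdt_state check_ssdt(const hips_baseline *b, const uintptr_t *live, size_t n)
{
    ssdt_state state = HOOKS_INTACT;
    for (size_t i = 0; i < n; i++) {
        if (b->is_hooked[i]) {
            if (live[i] == b->hooked[i]) continue;
            if (live[i] == b->original[i]) { state = HOOKS_RESTORED; continue; }
            return FOREIGN_HOOK;
        }
        if (live[i] < b->kernel_base || live[i] >= b->kernel_end)
            return FOREIGN_HOOK;         /* unhooked slot left the kernel image */
    }
    return state;
}

/* Constructed fixture: kernel image 0x80400000..0x80600000, two slots
 * (indices 2 and 5) hooked into a driver mapped at 0xF8A00000. */
hips_baseline sample_baseline(void)
{
    hips_baseline b = { 0x80400000u, 0x80600000u, {0}, {0}, {0} };
    for (size_t i = 0; i < SSDT_ENTRIES; i++) {
        b.original[i] = b.kernel_base + 0x1000u * (uintptr_t)(i + 1);
        b.hooked[i]   = b.original[i];
    }
    b.is_hooked[2] = 1; b.hooked[2] = 0xF8A01000u;
    b.is_hooked[5] = 1; b.hooked[5] = 0xF8A02000u;
    return b;
}

/* Scenario from the advisory: the live table is overwritten with the
 * original entries while the driver is still loaded. */
ssdt_state demo_restored(void)
{
    hips_baseline b = sample_baseline();
    uintptr_t live[SSDT_ENTRIES];
    for (size_t i = 0; i < SSDT_ENTRIES; i++) live[i] = b.original[i];
    return check_ssdt(&b, live, SSDT_ENTRIES);
}
```

A driver that ran such a check periodically (or on each intercepted call) could raise an alert and re-install its hooks instead of silently continuing to believe the registry keys are protected.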
Vendor Status:
The vendor has released a newer version which protects against such
methods of exploitation.
Disclosure Timeline:
05 Sep 04 - Vulnerability Discovered
06 Sep 04 - Initial Vendor Notification (incident number 1786)
06 Sep 04 - Initial Vendor Response
14 Sep 04 - Second Vendor Response
23 Sep 04 - Third Vendor Response
09 Nov 04 - Received Notification that Version 2.0, which can protect
against such exploits, has been released
22 Nov 04 - Public Release
ADDITIONAL INFORMATION
The information has been provided by Chew Keong TAN
<mailto:chewkeong@security.org.sg>.
The original article can be found at:
<http://www.security.org.sg/vuln/prevxhome.html>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.