Prevx Pro Lets Local Users Modify Files and Spoof Driver Messages
SecurityTracker Alert ID: 1014346
SecurityTracker URL: http://securitytracker.com/id?1014346
CVE Reference: CVE-2005-2144, CVE-2005-2145
Updated: Jun 24 2008
Original Entry Date: Jun 30 2005
Impact: Modification of system information, Modification of user information
Version(s): 2005
Description: Tri Huynh reported two vulnerabilities in Prevx Pro. A local user can bypass file modification protection mechanisms. A local user can spoof messages to the kernel driver.
A local user can bypass file edit protections by invoking the Windows MapViewOfFile() file mapping function and editing the target file through the mapped view; Prevx does not protect files that are modified through memory-mapped I/O.
A local user can invoke the NtDeviceIoControlFile() function to send arbitrary messages to the Prevx kernel driver, which does not verify that the calling process is actually the Prevx user-space application.
This can be exploited to send an 'Allow' command to the driver whenever Prevx warning messages are displayed.
Impact: A local user can bypass file modification protection mechanisms to edit files.
A local user can spoof messages to the kernel driver.
Solution: No solution was available at the time of this entry.
Vendor URL: www.prevx.com/prevxprolanding.asp
Cause: Access control error, Authentication error
Underlying OS: Windows (Any)
Reported By: trihuynh@huynhsec.com
Message History:
None.
Source Message Contents
Date: Thu, 30 Jun 2005 13:35:57 -0700
From: trihuynh@huynhsec.com
Subject: Prevx Pro IPS 2005 - Multiple Vulnerabilities
Prevx Pro IPS 2005 - Multiple Vulnerabilities
=================================================
PROGRAM: PrevX Pro 2005
HOMEPAGE: http://www.prevx.com
DESCRIPTION
=================================================
"Prevx Pro 2005 is the new ‘must have’ security
solution. Prevx Pro utilises the latest
behavior-based intrusion prevention technology.
Its intelligent system protection allows you to
browse without fear of infection or becoming a
victim of a hack attack." (prevx.com)
DETAILS
=================================================
1. Bypassing protected files.
PrevX by default protects many critical files of the system.
However, the protection can be bypassed by using memory mapping.
For example, to edit the winnt/win.ini file, open the file, call
MapViewOfFile, and then edit the file from memory. PrevX does
not protect files being edited through memory-mapped I/O.
2. Sending bogus commands to kernel driver.
The PrevX kernel driver and the user-space apps talk
with each other by using NtDeviceIoControlFile. However,
it seems the driver doesn't check whether or not the user-app
is really from PrevX. From there, it is possible to bypass
the protection by pretending to be a user sending an "allow" command
down to the kernel driver every time a warning message pops up.
CREDITS
=================================================
Discovered by Tri Huynh
DISCLAIMER
=================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
FEEDBACK
=================================================
Please send suggestions, updates, and comments to: trihuynh@huynhsec.com