SecurityTracker.com

SecurityTracker
Archives




Category:   Application (Security)  >   Prevx Home Vendors:   Prevx
Prevx Home Protection Mechanisms Can Be Disabled By Local Administrative Users
SecurityTracker Alert ID:  1012294
SecurityTracker URL:  http://securitytracker.com/id/1012294
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 22 2004
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0; Tested on 1.0 Build 2.1.0.0
Description:   Tan Chew Keong of SIG^2 reported a vulnerability in Prevx Home. A local administrative user can disable the registry and buffer overflow protection mechanisms.

It is reported that a local user with administrative privileges can restore the modified SDT ServiceTable entries to their original values by writing directly to '\device\physicalmemory', thereby removing the kernel hooks and preventing Prevx Home from performing its protection functions.

The vendor was notified on September 6, 2004.

The original advisory is available at:

http://www.security.org.sg/vuln/prevxhome.html

Impact:   A local administrative user can disable the protection mechanisms.
Solution:   The vendor has released a fixed version (2.0).
Vendor URL:  www.prevx.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] Prevx Home v1.0 Intrusion Prevention Features Can


SIG^2 Vulnerability Research Advisory

Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct 
Service Table Restoration

by Tan Chew Keong
Release Date: 22 Nov 2004


ADVISORY URL

http://www.security.org.sg/vuln/prevxhome.html


SUMMARY

Prevx Home (https://www.prevx.com) is a state-of-the-art Host Intrusion 
Prevention Software that is designed to protect the user against the 
next Zero Day Hacker attacks, Internet Worms and Spyware Installation 
without expecting the user to perform constant updates to their system.

Prevx Home's registry and buffer overflow protection features are 
implemented by hooking several native APIs in kernel-space by modifying 
entries within the SDT ServiceTable. This means that a malicious program 
with Administrator privilege can disable these features by restoring the 
running kernel's SDT ServiceTable with direct writes to 
\device\physicalmemory.


TESTED SYSTEM

Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0, SP2.


DETAILS

Prevx Home prevents malicious code from modifying critical Windows 
registry keys by prompting the user for action whenever such an attempt 
is detected. Examples of protected registry keys include the Run-key and 
Internet Explorer's registry settings. Prevx Home can also protect the 
system against buffer overflow exploits.

Prevx Home's registry and buffer overflow protection features are 
implemented by Prevx Home's kernel driver, which hooks several native 
APIs in kernel-space by replacing their entries within the SDT 
ServiceTable with pointers to its own handlers.

It is possible to disable Prevx Home's registry and buffer overflow 
protection by restoring the running kernel's SDT ServiceTable to its 
original state with direct writes to \device\physicalmemory. Once the 
ServiceTable entries are restored, the driver's handlers are no longer 
reached and the protection offered by Prevx Home is effectively 
disabled. In other words, the registry keys that were protected by 
Prevx Home can now be modified.
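The following is an added example, not code from Prevx or from the SIG^2 advisory. It models the mechanism described above in user space so it can be run anywhere: a function-pointer array stands in for the SDT ServiceTable, a simulated HIPS driver hooks the NtSetValueKey slot to deny writes to the Run key, and an "administrator" writes the original pointer back (a plain store here, where the advisory uses \device\physicalmemory). The service index, the protected-key rule and the re-verification routine are assumptions for illustration; the advisory does not say how version 2.0 resists the attack.

```c
/*
 * Added example (not Prevx Home's or SIG^2's code): a user-space model of the
 * SDT ServiceTable hook, its restoration by an administrator, and an assumed
 * integrity re-check. All names, indices and the policy are illustrative.
 */
#include <stdio.h>
#include <string.h>

typedef int (*service_fn)(const char *key_path, const char *value);

#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED (-1)

/* Last write that actually reached the "kernel", so callers can observe it. */
char g_last_write[256];

/* Simulated ntoskrnl service: writes the registry value unconditionally. */
static int sys_set_value_key(const char *key_path, const char *value)
{
    snprintf(g_last_write, sizeof g_last_write, "%s=%s", key_path, value);
    return STATUS_SUCCESS;
}

/* Simulated service table, indexed by service number. The index is arbitrary
   here; real SSDT indices differ between Windows builds. */
enum { IDX_SET_VALUE_KEY = 0, SERVICE_COUNT = 1 };
static service_fn g_service_table[SERVICE_COUNT] = { sys_set_value_key };

/* Syscall dispatch: whatever pointer is in the table gets called. */
int do_syscall(int idx, const char *key_path, const char *value)
{
    return g_service_table[idx](key_path, value);
}

/* ---- Simulated HIPS driver ---------------------------------------------- */

static service_fn g_saved_original[SERVICE_COUNT]; /* call-through targets */

/* Protected-key policy (assumed); the advisory names the Run key as one case. */
static int is_protected_key(const char *key_path)
{
    return strstr(key_path, "\\CurrentVersion\\Run") != NULL;
}

/* Hook handler: deny writes to protected keys (models the user choosing
   "block" at the prompt), pass everything else through. */
static int hook_set_value_key(const char *key_path, const char *value)
{
    if (is_protected_key(key_path))
        return STATUS_ACCESS_DENIED;
    return g_saved_original[IDX_SET_VALUE_KEY](key_path, value);
}

/* Replace the table entry with the driver's handler, as the advisory describes. */
void hips_install_hooks(void)
{
    g_saved_original[IDX_SET_VALUE_KEY] = g_service_table[IDX_SET_VALUE_KEY];
    g_service_table[IDX_SET_VALUE_KEY] = hook_set_value_key;
}

/* Assumed countermeasure: re-verify the table and re-hook if it was changed.
   Returns 1 if tampering was found, 0 otherwise. */
int hips_verify_and_rehook(void)
{
    if (g_service_table[IDX_SET_VALUE_KEY] == hook_set_value_key)
        return 0;
    g_service_table[IDX_SET_VALUE_KEY] = hook_set_value_key;
    return 1;
}

/* ---- Administrator-level attacker -------------------------------------- */

/* The attacker does not need the driver's saved copy: the original handler's
   address is recoverable from the kernel image. In the advisory the write
   goes through \device\physicalmemory; here it is a direct memory store. */
void attacker_restore_table(void)
{
    service_fn original = sys_set_value_key;
    memcpy(&g_service_table[IDX_SET_VALUE_KEY], &original, sizeof original);
}

int main(void)
{
    const char *run = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    hips_install_hooks();
    printf("hooked:   %d\n", do_syscall(IDX_SET_VALUE_KEY, run, "evil.exe"));
    attacker_restore_table();
    printf("restored: %d\n", do_syscall(IDX_SET_VALUE_KEY, run, "evil.exe"));
    printf("tampered: %d\n", hips_verify_and_rehook());
    printf("rehooked: %d\n", do_syscall(IDX_SET_VALUE_KEY, run, "evil.exe"));
    return 0;
}
```

Two points the model makes visible. First, the driver keeping a private copy of the original entries is no protection: the attacker reconstructs those addresses from the kernel image independently, so a single store undoes the hook. Second, a periodic re-check of the table only narrows the window, since an administrator who can write physical memory can restore the entry again between checks, or patch the checker itself; that is why the advisory's workaround is to not run untrusted code as Administrator rather than to rely on the driver. Note also that Windows Server 2003 SP1 and later removed user-mode access to \Device\PhysicalMemory, which closes this particular write path but not kernel-driver-based tampering.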


PATCH

Upgrade to Version 2.0, which can protect against such exploits.


WORKAROUNDS

Do not run untrusted programs as Administrator.


PROOF-OF-CONCEPT

http://www.security.org.sg/vuln/prevxhome.html


DISCLOSURE TIMELINE

05 Sep 04 - Vulnerability Discovered
06 Sep 04 - Initial Vendor Notification (incident number 1786)
06 Sep 04 - Initial Vendor Response
14 Sep 04 - Second Vendor Response
23 Sep 04 - Third Vendor Response
09 Nov 04 - Received Notification that Version 2.0, which can protect 
against such exploits, has been released
22 Nov 04 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."







Copyright 2021, SecurityGlobal.net LLC