Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
by Tan Chew Keong
Release Date: 22 Nov 2004
ADVISORY URL
http://www.security.org.sg/vuln/prevxhome.html
SUMMARY
Prevx Home (https://www.prevx.com) is a state-of-the-art Host Intrusion Prevention Software that is designed to protect the user against the next Zero Day Hacker attacks, Internet Worms and Spyware Installation without expecting the user to perform constant updates to their system.
Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. This means that a malicious program with Administrator privilege can disable these features by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory.
TESTED SYSTEM
Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0, SP2.
DETAILS
Prevx Home prevents malicious code from modifying critical Windows registry keys by prompting the user for action whenever such an attempt is detected. Examples of protected registry keys include the Run-key and Internet Explorer's registry settings. Prevx Home can also protect the system against buffer overflow exploits.
Prevx Home's registry and buffer overflow protection feature is implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. Hooking is performed by Prevx Home's kernel driver that replaces several entries within the SDT ServiceTable.
It is possible to disable Prevx Home's registry and buffer overflow protection by restoring the running kernel's SDT ServiceTable to its original state with direct writes to \device\physicalmemory. Restoring the running kernel's SDT ServiceTable will effectively disable the protection offered by Prevx Home. In other words, the registry keys that were protected by Prevx Home can now be modified
PATCH
Upgrade to Version 2.0, which can protect against such exploits.
WORKAROUNDS
Do not run untrusted programs as Administrator.
PROOF-OF-CONCEPT
http://www.security.org.sg/vuln/prevxhome.html
DISCLOSURE TIMELINE
05 Sep 04 - Vulnerability Discovered
06 Sep 04 - Initial Vendor Notification (incident number 1786)
06 Sep 04 - Initial Vendor Response
14 Sep 04 - Second Vendor Response
23 Sep 04 - Third Vendor Response
09 Nov 04 - Received Notification that Version 2.0, which can protect against such exploits, has been released
22 Nov 04 - Public Release
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."
SIG^2 Vulnerability Research Advisory
Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
by Tan Chew Keong
Release Date: 22 Nov 2004
ADVISORY URL
http://www.security.org.sg/vuln/prevxhome.html
SUMMARY
Prevx Home (https://www.prevx.com) is a state-of-the-art Host Intrusion Prevention Software that is designed to protect the user against the next Zero Day Hacker attacks, Internet Worms and Spyware Installation without expecting the user to perform constant updates to their system.
Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. This means that a malicious program with Administrator privilege can disable these features by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory.
TESTED SYSTEM
Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0, SP2.
DETAILS
Prevx Home prevents malicious code from modifying critical Windows registry keys by prompting the user for action whenever such an attempt is detected. Examples of protected registry keys include the Run-key and Internet Explorer's registry settings. Prevx Home can also protect the system against buffer overflow exploits.
Prevx Home's registry and buffer overflow protection feature is implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. Hooking is performed by Prevx Home's kernel driver that replaces several entries within the SDT ServiceTable.
It is possible to disable Prevx Home's registry and buffer overflow protection by restoring the running kernel's SDT ServiceTable to its original state with direct writes to \device\physicalmemory. Restoring the running kernel's SDT ServiceTable will effectively disable the protection offered by Prevx Home. In other words, the registry keys that were protected by Prevx Home can now be modified
PATCH
Upgrade to Version 2.0, which can protect against such exploits.
WORKAROUNDS
Do not run untrusted programs as Administrator.
PROOF-OF-CONCEPT
http://www.security.org.sg/vuln/prevxhome.html
DISCLOSURE TIMELINE
05 Sep 04 - Vulnerability Discovered
06 Sep 04 - Initial Vendor Notification (incident number 1786)
06 Sep 04 - Initial Vendor Response
14 Sep 04 - Second Vendor Response
23 Sep 04 - Third Vendor Response
09 Nov 04 - Received Notification that Version 2.0, which can protect against such exploits, has been released
22 Nov 04 - Public Release
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."
[ reply ]