
| Subject: | Re: [SIG^2 G-TEC] Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration |
|---|---|
| Date: | 24 Nov 2004 14:41:23 -0000 |
In-Reply-To: <20041122121935.25185.qmail@www.securityfocus.com>

Hi All,

Thanks to all at SIG^2 for the feedback regarding Prevx Home v1.0. The version of software described in the advisory is no longer available for download, and as the advisory points out, the vulnerability is now resolved in v2.0. Most existing users will have had their software automatically upgraded, so this particular issue is not likely to be a prevalent risk.

Prevx are committed to the fight against Cybercrime and to making the internet as safe for users as possible. We appreciate any feedback on product improvement and greatly value the expertise and ideas contained in this forum.

Thanks again.

Kind regards,
Ralph Harvey
Chief Technology Officer
Prevx
ralph.harvey@prevx.com
Date: 22 Nov 2004 12:19:35 -0000
Message-ID: <20041122121935.25185.qmail@www.securityfocus.com>
From: <chewkeong@security.org.sg>
To: bugtraq@securityfocus.com
Subject: [SIG^2 G-TEC] Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
SIG^2 Vulnerability Research Advisory
Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
by Tan Chew Keong
Release Date: 22 Nov 2004
ADVISORY URL
http://www.security.org.sg/vuln/prevxhome.html
SUMMARY
Prevx Home (https://www.prevx.com) is a state-of-the-art Host Intrusion
Prevention Software that is designed to protect the user against the next Zero
Day Hacker attacks, Internet Worms and Spyware Installation without expecting
the user to perform constant updates to their system.
Prevx Home's registry and buffer overflow protection features are implemented
by hooking several native APIs in kernel-space by modifying entries within the
SDT ServiceTable. This means that a malicious program with Administrator
privilege can disable these features by restoring the running kernel's SDT
ServiceTable with direct writes to \device\physicalmemory.
TESTED SYSTEM
Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0, SP2.
DETAILS
Prevx Home prevents malicious code from modifying critical Windows registry
keys by prompting the user for action whenever such an attempt is detected.
Examples of protected registry keys include the Run-key and Internet
Explorer's registry settings. Prevx Home can also protect the system against
buffer overflow exploits.
Prevx Home's registry and buffer overflow protection feature is implemented by
hooking several native APIs in kernel-space by modifying entries within the
SDT ServiceTable. Hooking is performed by Prevx Home's kernel driver that
replaces several entries within the SDT ServiceTable.
It is possible to disable Prevx Home's registry and buffer overflow protection
by restoring the running kernel's SDT ServiceTable to its original state with
direct writes to \device\physicalmemory. Restoring the running kernel's SDT
ServiceTable will effectively disable the protection offered by Prevx Home.
In other words, the registry keys that were protected by Prevx Home can now be
modified.
PATCH
Upgrade to Version 2.0, which can protect against such exploits.
WORKAROUNDS
Do not run untrusted programs as Administrator.
PROOF-OF-CONCEPT
http://www.security.org.sg/vuln/prevxhome.html
DISCLOSURE TIMELINE
05 Sep 04 - Vulnerability Discovered
06 Sep 04 - Initial Vendor Notification (incident number 1786)
06 Sep 04 - Initial Vendor Response
14 Sep 04 - Second Vendor Response
23 Sep 04 - Third Vendor Response
09 Nov 04 - Received Notification that Version 2.0, which can protect against
such exploits, has been released
22 Nov 04 - Public Release
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."
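The mechanism the advisory describes, as an added simulation that is not Prevx's code and not the advisory's proof-of-concept: a dispatch table whose entries a protector replaces with its own handlers, the effect of putting the table back to its pre-hook state, and the integrity check a defender would want (does every entry still point at the protector's handler?). The service names, the Run-key rule and the table itself are constructed for the example; the actual attack vector (writes to \device\physicalmemory) is not modelled.

```c
/* Constructed simulation of SDT-style hooking and hook-integrity checking.
 * Not Prevx code; the service set and the Run-key rule are made up for this example. */
#include <stdio.h>
#include <string.h>

typedef int (*svc_fn)(const char *arg);            /* one system-service entry */
enum { SVC_SET_VALUE_KEY = 0, SVC_CREATE_KEY, SVC_COUNT };

static int orig_set_value_key(const char *k) { (void)k; return 0; }  /* 0 = allowed */
static int orig_create_key(const char *k)    { (void)k; return 0; }

static svc_fn service_table[SVC_COUNT] = { orig_set_value_key, orig_create_key };
static svc_fn original[SVC_COUNT];   /* saved by the protector when it hooks */
static svc_fn expected[SVC_COUNT];   /* table contents the protector installed */

/* Hook handler: deny writes under the Run key, pass everything else through. */
static int hooked_set_value_key(const char *k) {
    if (strstr(k, "\\CurrentVersion\\Run")) return -1;          /* -1 = denied */
    return original[SVC_SET_VALUE_KEY](k);
}

void install_hooks(void) {
    memcpy(original, service_table, sizeof service_table);
    service_table[SVC_SET_VALUE_KEY] = hooked_set_value_key;
    memcpy(expected, service_table, sizeof service_table);
}

/* Effect described in the advisory: the table is back to its pre-hook state,
 * so calls bypass the protector's handler without any visible error. */
void restore_table(void) { memcpy(service_table, original, sizeof service_table); }

int call_service(int idx, const char *arg) { return service_table[idx](arg); }

/* Integrity check: number of entries that no longer match what the protector
 * installed. 0 means the hooks are intact; anything else is silent tampering. */
int count_tampered_entries(void) {
    int n = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (service_table[i] != expected[i]) n++;
    return n;
}

int main(void) {
    const char *run = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    install_hooks();
    printf("hooked:   Run-key write -> %d, tampered entries = %d\n",
           call_service(SVC_SET_VALUE_KEY, run), count_tampered_entries());
    restore_table();
    printf("restored: Run-key write -> %d, tampered entries = %d\n",
           call_service(SVC_SET_VALUE_KEY, run), count_tampered_entries());
    return 0;
}
```

The check only detects the reversal after the fact, and a program that can rewrite the service table runs at the same privilege as the checker and could disable it too, which is why the advisory's workaround is about not granting Administrator privilege to untrusted programs rather than about the hooks themselves.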