Subject: [NT] Prevx Home Intrusion Prevention Features can be Disabled by Direct Service Table Restoration
Date: 23 Nov 2004 18:19:16 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



Prevx Home Intrusion Prevention Features can be Disabled by Direct Service Table Restoration
------------------------------------------------------------------------


SUMMARY

Prevx Home <https://www.prevx.com> is a "state-of-the-art Host Intrusion 
Prevention Software that is designed to protect the user against the next 
Zero Day Hacker attacks, Internet Worms and Spyware Installation without 
expecting the user to perform constant updates to their system."

A malicious program with administrative access can completely disable 
Prevx's security features by direct memory access.

DETAILS

Vulnerable Systems:
 * Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0 to SP2

Immune Systems:
 * Prevx Home Version 2.0

Prevx Home prevents malicious code from modifying critical Windows 
registry keys by prompting the user for action whenever such an attempt is 
detected. Examples of protected registry keys include the Run-key and 
Internet Explorer's registry settings. Prevx Home can also protect the 
system against buffer overflow exploits.

Prevx Home's registry and buffer overflow protection is implemented by 
hooking several native APIs in kernel space: Prevx Home's kernel driver 
replaces several entries within the SDT ServiceTable, so that calls to those 
APIs are dispatched through the driver's own code instead of the original 
kernel routines.

It is possible to disable Prevx Home's registry and buffer overflow 
protection by restoring the running kernel's SDT ServiceTable to its 
original state with direct writes to \device\physicalmemory. Once the table 
has been restored, the driver's hooks are no longer in the dispatch path, 
so the protection offered by Prevx Home is effectively disabled. In other 
words, the registry keys that were protected by Prevx Home can now be 
modified.
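The hook-then-restore sequence described above, modelled as an added C example (it is neither the advisory's proof of concept nor Prevx code): a plain user-space array stands in for the SDT ServiceTable, restoration is a memcpy rather than a physical-memory write, and the integrity check shows how a hooking driver can notice that its entries were silently put back and re-arm them. All names are constructed for the model.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the SDT ServiceTable: an array of function pointers
   indexed by system-service number. Real entries live in kernel memory; this
   stand-alone model only reproduces the hook / restore / verify logic. */
typedef void (*svc_fn)(void);
#define NUM_SERVICES 8

static svc_fn service_table[NUM_SERVICES]; /* the live dispatch table       */
static svc_fn expected_hook[NUM_SERVICES]; /* hook we installed, or NULL     */
static svc_fn pristine_copy[NUM_SERVICES]; /* copy of the table before hooks */

static void kernel_svc(void) {}  /* stand-in for an original native API     */
static void guard_hook(void) {}  /* stand-in for the product's inspecting hook */

/* Fill the model table with "original" kernel services and clear all hooks. */
void init_model_table(void) {
    for (unsigned i = 0; i < NUM_SERVICES; i++) {
        service_table[i] = kernel_svc;
        expected_hook[i] = NULL;
    }
}

/* Save the unhooked table, as anyone wanting to restore it later would. */
void snapshot_table(void) { memcpy(pristine_copy, service_table, sizeof service_table); }

/* Hook a service by overwriting its table entry; remember what we expect there. */
void install_hook(unsigned idx, svc_fn hook) {
    expected_hook[idx] = hook;
    service_table[idx] = hook;
}

/* The advisory's restoration step in model form: bulk overwrite of the live
   table from the saved copy, which drops every hook at once. */
void restore_table_from_snapshot(void) { memcpy(service_table, pristine_copy, sizeof service_table); }

/* Integrity check a hooking driver should run periodically: number of hooked
   indexes whose live entry no longer points at our hook. Nonzero means the
   table changed behind our back and the protection is silently off. */
unsigned count_lost_hooks(void) {
    unsigned lost = 0;
    for (unsigned i = 0; i < NUM_SERVICES; i++)
        if (expected_hook[i] != NULL && service_table[i] != expected_hook[i]) lost++;
    return lost;
}

/* Mitigation step: put every lost hook back and report how many were re-armed. */
unsigned reinstall_lost_hooks(void) {
    unsigned fixed = 0;
    for (unsigned i = 0; i < NUM_SERVICES; i++)
        if (expected_hook[i] != NULL && service_table[i] != expected_hook[i]) {
            service_table[i] = expected_hook[i];
            fixed++;
        }
    return fixed;
}
```

A driver relying on this check still needs to protect the check itself and its saved state, since code with write access to kernel memory can tamper with those as well.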

Note: The original article has a proof of concept demonstration of this 
vulnerability.

Vendor Status:
The vendor has released a newer version which protects against such 
methods of exploitation.

Disclosure Timeline:
05 Sep 04 - Vulnerability Discovered
06 Sep 04 - Initial Vendor Notification (incident number 1786)
06 Sep 04 - Initial Vendor Response
14 Sep 04 - Second Vendor Response
23 Sep 04 - Third Vendor Response
09 Nov 04 - Received Notification that Version 2.0, which can protect 
against such exploits, has been released
22 Nov 04 - Public Release


ADDITIONAL INFORMATION

The information has been provided by Chew Keong TAN <chewkeong@security.org.sg>.
The original article can be found at:
http://www.security.org.sg/vuln/prevxhome.html


