The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Windows Personal Firewall Analysis
------------------------------------------------------------------------
SUMMARY
During Matousek security analyses of personal firewalls and other
security-related software that uses SSDT hooking, Matousek found out that
many vendors simply do not implement the hooks in a proper way. This
allows local Denial of Service by unprivileged users or even privilege
escalations exploits to be created. 100% of tested personal firewalls that
implement SSDT hooks do or did suffer from this vulnerability! This
article reviews the results of our testing and describes how a proper SSDT
hook handler should be implemented. Matousek also introduced BSODhook - a
handy tool for every developer that deals with SSDT hooks and a possible
cure for the plague in today's Windows drivers world.
DETAILS
Introduction
Hooking kernel functions by modifying the System Service Descriptor Table
(SSDT) is a very popular method of implementation of additional security
features and is used frequently by personal firewalls and other security
and low-level software. Although undocumented and despised by Microsoft,
this technique can be implemented in a correct and stable way. However,
many software vendors do not follow the rules and recommendations for
kernel-mode code writing and many drivers that implement SSDT hooking do
not properly validate the parameters of the hooking functions.
Microsoft's Common Driver Reliability Issues document describes the
correct parameter checking and contains many important notes to problems
related to writing Windows drivers. Many vendors of today's software do
not bother to read such documents and their implementations are thus
vulnerable, and making the stable and trustworthy Windows kernel
unreliable.
Parameters to SSDT function handlers are passed directly from user-mode
and therefore must be checked before they are used. This article shows
some incorrect implementations of SSDT hooking functions and describes how
a proper validity check should be performed on various parameter types. To
understand the following text, you will need some knowledge of Windows NT
architecture. We do not cover a proper implementation of SSDT hooking
techniques here. We focus on parameter validation problems. Some related
and interesting information can be also found in Microsoft's Memory
Management: What Every Driver Writer Needs to Know document.
ADDITIONAL INFORMATION
The information has been provided by <mailto:research@matousec.com>
Matousec - Transparent security Research.
The original article can be found at:
<http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php>
http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
