Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Bypassing PFW/HIPS open process control with uncommon

from [Matousec - Transparent security Research] Network Security [Permanent Link]
Subject: [Full-disclosure] Bypassing PFW/HIPS open process control with uncommon identifier
Date: Tue, 15 May 2007 09:38:34 +0200 
Hello,

We would like to inform you about a vulnerability in personal firewalls and 
HIPS software.


Description:

Windows operating systems with NT kernel version 5.0 and higher (i.e. Windows 
2000, XP, 2003) use integer numbers 
divisible by four to identify processes. Internal implementation of system API 
functions also allows programmers to use 
integers that are not divisible by four. This means that for every process 
running in the system there are four valid 
identifiers.

The control of API functions, which work with process identifiers, like 
OpenProcess (usually implemented by SSDT hook of 
NtOpenProcess), that assumes using identifiers divisible by four is 
insufficient. An implementation by a simple test on 
equivalence between the internal personal firewall/HIPS database and the given 
identifier can be dangerous. In such 
case, it is possible that a firewall misinterprets a call and allows an action 
that should be forbidden. If the security 
software implements a process protection for critical processes in this manner, 
it is a critical bug, which can be 
exploited to gain control over the whole system. Vulnerable products implements 
process protection, which can be 
bypassed if identifiers not divisible by four are used.


Vulnerable software:

     * Comodo Firewall Pro 2.4.18.184
     * Comodo Personal Firewall 2.3.6.81
     * ZoneAlarm Pro 6.1.744.001
     * probably older versions of above mentioned products
     * possibly other personal firewalls and HIPS software

Not vulnerable software:

     * ZoneAlarm Pro 6.5.737.000 and higher


More details and a proof of concept including its source code are available 
here:
http://www.matousec.com/info/advisories/Bypassing-PWF-HIPS-open-process-control-with-uncommon-identifier.php


Regards,

-- 
Matousec - Transparent security Research
http://www.matousec.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Bypassing PFW/HIPS open process control with uncommon identifier, Matousec - Transparent security Research <=
Previous by Date:  [Full-disclosure] [ GLSA 200705-15 ] Samba: Multiple vulnerabilities, Sune Kloppenborg Jeppesen
Next by Date:  Re: [Full-disclosure] Linux big bang theory...., Mike Owen
Previous by Thread:  [Full-disclosure] [ GLSA 200705-15 ] Samba: Multiple vulnerabilities, Sune Kloppenborg Jeppesen
Next by Thread:  [Full-disclosure] Jetbox CMS version 2.1 E-Mail Injection Vulnerability, SecurityResearch
Indexes:  [Date] [Thread] [Top] [All Lists]