
List:       bugtraq
Subject:    Kerio Personal Firewall's Application Launch Protection Can Be
From:       "Jérôme" ATHIAS <jerome.athias () caramail ! com>
Date:       2004-09-02 16:42:33
Message-ID: 20040902164233.26701.qmail () www ! securityfocus ! com

by Tan Chew Keong
Release Date: 02 Sep 2004 
Summary

Kerio Personal Firewall 4 (KPF4) is a state-of-the-art personal firewall that helps users restrict how their computers exchange data with other computers on the Internet or local network. KPF has an Application Security feature that allows the user to restrict the execution of programs on the system. KPF prevents malicious code from spawning processes on the user's system by prompting the user for action whenever an unknown, new or modified program is executed.

KPF's Application Security feature is implemented by hooking several native APIs in kernel space, by modifying entries within the SDT ServiceTable. This means that a malicious program can disable the security feature by restoring the running kernel's SDT ServiceTable using direct writes to \device\physicalmemory. This vulnerability affects only the execution protection feature of KPF4; the firewall feature of KPF4 remains intact.

Tested System

Kerio Personal Firewall 4.0.16 on Win2K SP4, WinXP SP1, SP2.

Details

Kerio Personal Firewall's Application Security (execution protection) feature is implemented by hooking several native APIs in kernel space. Hooking is performed by the module fwdrv.sys, which replaces entries within the SDT ServiceTable. KPF prevents malicious code from spawning processes on the user's system by prompting the user for action whenever an unknown, new or modified program is executed.
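The design weakness the advisory describes is general: a protection that lives in a mutable dispatch table can be removed by anything with the same write access to that table, and unless the protection driver re-checks its own entries it never notices. The following is an added, constructed illustration in portable C (not KPF, fwdrv.sys or Windows code; the service numbers, function names and "known application" list are hypothetical). It models a small service table, the filter a protection driver installs for process creation, the effect of the table being put back to its original entries, and the integrity check that a defender would run to detect that the hooks have been displaced.

```c
/* simulated_sdt.c: a constructed model of a hooked service dispatch table
 * and an integrity check that notices displaced hooks. Not real kernel code. */
#include <stdio.h>
#include <string.h>

#define SVC_COUNT          3
#define SVC_CREATE_PROCESS 0   /* hypothetical service numbers */
#define SVC_OPEN_FILE      1
#define SVC_CLOSE_HANDLE   2

typedef int (*svc_fn)(const char *arg);   /* returns 1 = allowed, 0 = denied */

/* Stand-ins for the original kernel services: they apply no policy. */
static int kernel_create_process(const char *image) { (void)image; return 1; }
static int kernel_open_file(const char *path)       { (void)path;  return 1; }
static int kernel_close_handle(const char *h)       { (void)h;     return 1; }

/* The mutable dispatch table. Whoever can write it controls policy. */
static svc_fn sdt[SVC_COUNT] = {
    kernel_create_process, kernel_open_file, kernel_close_handle
};

/* Snapshot of the table as the protection driver left it after hooking. */
static svc_fn expected_sdt[SVC_COUNT];

/* Constructed stand-in for an "approved application" list. */
static const char *known_images[] = { "explorer.exe", "notepad.exe" };

static int image_is_known(const char *image) {
    for (size_t i = 0; i < sizeof known_images / sizeof *known_images; i++)
        if (strcmp(image, known_images[i]) == 0) return 1;
    return 0;
}

/* The protection driver's filter for process creation. Unknown images are
 * denied here; the real product prompts the user instead. */
static int hooked_create_process(const char *image) {
    if (!image_is_known(image)) return 0;
    return kernel_create_process(image);
}

/* Install the hook and record what the table is expected to look like. */
void install_protection(void) {
    sdt[SVC_CREATE_PROCESS] = hooked_create_process;
    memcpy(expected_sdt, sdt, sizeof sdt);
}

/* Dispatch a service call through the table, as the kernel would. */
int dispatch(int svc, const char *arg) {
    if (svc < 0 || svc >= SVC_COUNT) return 0;
    return sdt[svc](arg);
}

/* Integrity check the protection driver should run periodically: the number
 * of entries that no longer match what it installed. Non-zero means the
 * hooks were displaced and the protection is silently off. */
int count_displaced_hooks(void) {
    int displaced = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (sdt[i] != expected_sdt[i]) displaced++;
    return displaced;
}

/* Models the outcome the advisory describes: the table's original entries
 * are back in place. Here it is a plain assignment in the simulation. */
void restore_original_entries(void) {
    sdt[SVC_CREATE_PROCESS] = kernel_create_process;
}

int main(void) {
    install_protection();
    printf("unknown image, hook in place:  %s\n",
           dispatch(SVC_CREATE_PROCESS, "dropper.exe") ? "allowed" : "denied");
    printf("displaced hooks: %d\n", count_displaced_hooks());

    restore_original_entries();
    printf("unknown image, table restored: %s\n",
           dispatch(SVC_CREATE_PROCESS, "dropper.exe") ? "allowed" : "denied");
    printf("displaced hooks: %d\n", count_displaced_hooks());
    return 0;
}
```

The check compares the live table against the snapshot taken at install time; a driver that only installs its hooks and trusts them to stay put has no way to tell the difference between "policy enforced" and "policy removed", which is exactly the silent failure the advisory reports for the execution protection feature.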

More Details:

http://www.security.org.sg/vuln/kerio4016.html
