List: bugtraq
Subject: Kerio Personal Firewall's Application Launch Protection Can Be
From: "Jérôme" ATHIAS <jerome.athias () caramail ! com>
Date: 2004-09-02 16:42:33
Message-ID: 20040902164233.26701.qmail () www ! securityfocus ! com
by Tan Chew Keong
Release Date: 02 Sep 2004
Summary
Kerio Personal Firewall 4 (KPF4) is a state-of-the-art personal firewall that helps users restrict how their computers exchange data with other computers on the Internet or local network. KPF has an Application Security feature that allows the user to restrict the execution of programs on their system. KPF prevents malicious code from spawning processes on the user's system by prompting the user for action whenever an unknown/new or modified program is being executed.
KPF's Application Security feature is implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. This means that a malicious program can disable this security feature by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory. This vulnerability affects only the execution protection feature of KPF4; the firewall feature of KPF4 remains intact.
Tested System
Kerio Personal Firewall 4.0.16 on Win2K SP4, WinXP SP1, SP2.
Details
Kerio Personal Firewall's Application Security (execution protection) feature is implemented by hooking several native APIs in kernel-space. Hooking is performed by the module fwdrv.sys by replacing entries within the SDT ServiceTable. KPF prevents malicious code from spawning processes on the user's system by prompting the user for action whenever an unknown/new or modified program is being executed.
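As an added illustration of the defensive side (this is not code from the advisory or from Kerio), here is a simulated SSDT integrity check in C: it compares the live service table against a baseline captured while the hooks were in place, so the restore described above shows up as a change rather than passing as a "clean" table. The kernel and fwdrv.sys image ranges, the table contents and the baseline are all constructed values; on a real system the table would be read from kernel memory by a driver.

```c
/* Added example, not part of the advisory: a simulated SSDT integrity check.
 * Table, kernel image range and baseline are constructed so the checking
 * logic runs stand-alone without kernel access. */
#include <stddef.h>
#include <stdint.h>

enum sdt_state { SDT_OK = 0, SDT_HOOKED = 1, SDT_CHANGED = 2 };

/* Constructed 32-bit addresses: a fake ntoskrnl image and a fake fwdrv.sys. */
#define KRNL_BASE  0x80400000u
#define KRNL_SIZE  0x00200000u
#define FWDRV_BASE 0xF8A00000u
#define SDT_LEN    4

/* Baseline captured while the protection was known to be active: entries 1-3
 * already point into fwdrv.sys (the KPF hooks), entry 0 into the kernel. */
static const uint32_t baseline[SDT_LEN] = {
    KRNL_BASE + 0x1000, FWDRV_BASE + 0x10, FWDRV_BASE + 0x20, FWDRV_BASE + 0x30 };

/* Live table after a restore of the kind the advisory describes: entries 1
 * and 2 were written back to kernel addresses, entry 3 is still hooked. */
static const uint32_t live[SDT_LEN] = {
    KRNL_BASE + 0x1000, KRNL_BASE + 0x2000, KRNL_BASE + 0x3000, FWDRV_BASE + 0x30 };

static int in_kernel(uint32_t p) { return p >= KRNL_BASE && p < KRNL_BASE + KRNL_SIZE; }

/* One entry: any drift from the baseline is CHANGED (the signal that a hook
 * was undone); an unchanged pointer outside the kernel image is HOOKED. */
enum sdt_state classify(uint32_t now, uint32_t base) {
    if (now != base) return SDT_CHANGED;
    return in_kernel(now) ? SDT_OK : SDT_HOOKED;
}

/* Convenience: state of entry i in the constructed live table. */
enum sdt_state state_of(size_t i) { return classify(live[i], baseline[i]); }

/* Walk the table, optionally recording each state; returns the number of
 * entries that no longer match the baseline (0 means nothing was restored). */
size_t check_sdt(const uint32_t *now, const uint32_t *base, size_t n, enum sdt_state *out) {
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        enum sdt_state s = classify(now[i], base[i]);
        if (out) out[i] = s;
        if (s == SDT_CHANGED) changed++;
    }
    return changed;
}
```

A monitor built on this would re-run check_sdt periodically and alert on any non-zero result, since a protection that only exists as patched table entries is only as good as the last time those entries were verified.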
More Details:
http://www.security.org.sg/vuln/kerio4016.html