
List:       bugtraq
Subject:    Re: [SIG^2 G-TEC] Prevx Home v1.0 Intrusion Prevention Features
From:       Ralph Harvey <ralph.harvey () prevx ! com>
Date:       2004-11-24 14:41:23
Message-ID: 20041124144123.21223.qmail () www ! securityfocus ! com

In-Reply-To: <20041122121935.25185.qmail@www.securityfocus.com>


Hi All,

Thanks to all at SIG^2 for the feedback regarding Prevx Home v1.0.  The version of software described in the advisory is no longer available for download, and as the advisory points out, the vulnerability is now resolved in v2.0. Most existing users will have had their software automatically upgraded, so this particular issue is not likely to be a prevalent risk.

Prevx are committed to the fight against Cybercrime and to making the internet as safe for users as possible.  We appreciate any feedback on product improvement and greatly value the expertise and ideas contained in this forum.

Thanks again.

Kind regards,

Ralph Harvey
Chief Technology Officer
Prevx 
ralph.harvey@prevx.com 


> Date: 22 Nov 2004 12:19:35 -0000
> Message-ID: <20041122121935.25185.qmail@www.securityfocus.com>
> From: <chewkeong@security.org.sg>
> To: bugtraq@securityfocus.com
> Subject: [SIG^2 G-TEC] Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
> 
> 
> 
> SIG^2 Vulnerability Research Advisory
> 
> Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
> by Tan Chew Keong
> Release Date: 22 Nov 2004
> 
> ADVISORY URL
> 
> http://www.security.org.sg/vuln/prevxhome.html
> 
> 
> SUMMARY
> 
> Prevx Home (https://www.prevx.com) is a state-of-the-art Host Intrusion Prevention Software that is designed to protect the user against the next Zero Day Hacker attacks, Internet Worms and Spyware Installation without expecting the user to perform constant updates to their system.
> Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. This means that a malicious program with Administrator privilege can disable these features by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory.
> 
> TESTED SYSTEM
> 
> Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0, SP2.
> 
> 
> DETAILS
> 
> Prevx Home prevents malicious code from modifying critical Windows registry keys by prompting the user for action whenever such an attempt is detected. Examples of protected registry keys include the Run-key and Internet Explorer's registry settings. Prevx Home can also protect the system against buffer overflow exploits.
> Prevx Home's registry and buffer overflow protection feature is implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. Hooking is performed by Prevx Home's kernel driver that replaces several entries within the SDT ServiceTable.
> It is possible to disable Prevx Home's registry and buffer overflow protection by restoring the running kernel's SDT ServiceTable to its original state with direct writes to \device\physicalmemory. Restoring the running kernel's SDT ServiceTable will effectively disable the protection offered by Prevx Home.  In other words, the registry keys that were protected by Prevx Home can now be modified.
> 
> PATCH
> 
> Upgrade to Version 2.0, which can protect against such exploits.
> 
> 
> WORKAROUNDS
> 
> Do not run untrusted programs as Administrator.
> 
> 
> PROOF-OF-CONCEPT
> 
> http://www.security.org.sg/vuln/prevxhome.html
> 
> 
> DISCLOSURE TIMELINE
> 
> 05 Sep 04 - Vulnerability Discovered
> 06 Sep 04 - Initial Vendor Notification (incident number 1786)
> 06 Sep 04 - Initial Vendor Response
> 14 Sep 04 - Second Vendor Response
> 23 Sep 04 - Third Vendor Response
> 09 Nov 04 - Received Notification that Version 2.0, which can protect against such exploits, has been released
> 22 Nov 04 - Public Release
> 
> 
> GREETINGS
> 
> All guys at SIG^2 G-TEC Lab
> http://www.security.org.sg/webdocs/g-tec.html 
> 
> "IT Security...the Gathering. By enthusiasts for enthusiasts."
> 

