List: bugtraq
Subject: Re: [SIG^2 G-TEC] Prevx Home v1.0 Intrusion Prevention Features
From: Ralph Harvey <ralph.harvey () prevx ! com>
Date: 2004-11-24 14:41:23
Message-ID: 20041124144123.21223.qmail () www ! securityfocus ! com
In-Reply-To: <20041122121935.25185.qmail@www.securityfocus.com>
Hi All,
Thanks to all at SIG^2 for the feedback regarding Prevx Home v1.0. The version of software described in the advisory is no longer available for download, and as the advisory points out, the vulnerability is now resolved in v2.0. Most existing users will have had their software automatically upgraded, so this particular issue is not likely to be a prevalent risk.
Prevx are committed to the fight against Cybercrime and to making the internet as safe for users as possible. We appreciate any feedback on product improvement and greatly value the expertise and ideas contained in this forum.
Thanks again.
Kind regards,
Ralph Harvey
Chief Technology Officer
Prevx
ralph.harvey@prevx.com
> Date: 22 Nov 2004 12:19:35 -0000
> Message-ID: <20041122121935.25185.qmail@www.securityfocus.com>
> From: <chewkeong@security.org.sg>
> To: bugtraq@securityfocus.com
> Subject: [SIG^2 G-TEC] Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
>
>
>
> SIG^2 Vulnerability Research Advisory
>
> Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
> by Tan Chew Keong
> Release Date: 22 Nov 2004
>
> ADVISORY URL
>
> http://www.security.org.sg/vuln/prevxhome.html
>
>
> SUMMARY
>
> Prevx Home (https://www.prevx.com) is a state-of-the-art Host Intrusion Prevention Software that is designed to protect the user against the next Zero Day Hacker attacks, Internet Worms and Spyware Installation without expecting the user to perform constant updates to their system.
> Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. This means that a malicious program with Administrator privilege can disable these features by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory.
>
> TESTED SYSTEM
>
> Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0, SP2.
>
>
> DETAILS
>
> Prevx Home prevents malicious code from modifying critical Windows registry keys by prompting the user for action whenever such an attempt is detected. Examples of protected registry keys include the Run-key and Internet Explorer's registry settings. Prevx Home can also protect the system against buffer overflow exploits.
> Prevx Home's registry and buffer overflow protection feature is implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. Hooking is performed by Prevx Home's kernel driver that replaces several entries within the SDT ServiceTable.
> It is possible to disable Prevx Home's registry and buffer overflow protection by restoring the running kernel's SDT ServiceTable to its original state with direct writes to \device\physicalmemory. Restoring the running kernel's SDT ServiceTable will effectively disable the protection offered by Prevx Home. In other words, the registry keys that were protected by Prevx Home can now be modified.
>
> PATCH
>
> Upgrade to Version 2.0, which can protect against such exploits.
>
>
> WORKAROUNDS
>
> Do not run untrusted programs as Administrator.
>
>
> PROOF-OF-CONCEPT
>
> http://www.security.org.sg/vuln/prevxhome.html
>
>
> DISCLOSURE TIMELINE
>
> 05 Sep 04 - Vulnerability Discovered
> 06 Sep 04 - Initial Vendor Notification (incident number 1786)
> 06 Sep 04 - Initial Vendor Response
> 14 Sep 04 - Second Vendor Response
> 23 Sep 04 - Third Vendor Response
> 09 Nov 04 - Received Notification that Version 2.0, which can protect against such exploits, has been released
> 22 Nov 04 - Public Release
>
>
> GREETINGS
>
> All guys at SIG^2 G-TEC Lab
> http://www.security.org.sg/webdocs/g-tec.html
>
> "IT Security...the Gathering. By enthusiasts for enthusiasts."
>