Re: [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration

[Ralph Harvey <ralph.harvey () prevx com>]

In-Reply-To: <20041122121935.25185.qmail () www securityfocus com>


Hi All,

Thanks to all at SIG^2 for the feedback regarding Prevx Home v1.0.  The version of software described in the advisory 
is no longer available for download, and as the advisory points out, the vulnerabilty is now resolved in v2.0. Most 
existing users will have had their software automatically upgraded, so this particularly issue is not likely to be a 
prevalent risk.

Prevx are commited in the fight against Cybercrime and to make the internet as safe for users as possible.  We 
appreciate any feedback on product improvement and greatly value the expertise and ideas contained in this forum.

Thanks again.

Kind regards,

Ralph Harvey
Chief Technology Officer
Prevx 
ralph.harvey () prevx com 


> Received: (qmail 26926 invoked from network); 23 Nov 2004 02:19:26 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 23 Nov 2004 02:19:26 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 133A5143709; Mon, 22 Nov 2004 08:51:31 -0700 (MST)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 12890 invoked from network); 22 Nov 2004 05:46:40 -0000
> Date: 22 Nov 2004 12:19:35 -0000
> Message-ID: <20041122121935.25185.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: <chewkeong () security org sg>
> To: bugtraq () securityfocus com
> Subject: [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can
>    Be Disabled by Direct Service Table Restoration
>
>
>
> SIG^2 Vulnerability Research Advisory
>
> Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
>
> by Tan Chew Keong
> Release Date: 22 Nov 2004
>
> ADVISORY URL
>
> http://www.security.org.sg/vuln/prevxhome.html
>
>
> SUMMARY
>
> Prevx Home (https://www.prevx.com) is a state-of-the-art Host Intrusion Prevention Software that is designed to 
> protect the user against the next Zero Day Hacker attacks, Internet Worms and Spyware Installation without expecting 
> the user to perform constant updates to their system.
>
> Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs in 
> kernel-space by modifying entries within the SDT ServiceTable. This means that a malicious program with Administrator 
> privilege can disable these features by restoring the running kernel's SDT ServiceTable with direct writes to 
> \device\physicalmemory. 
>
>
> TESTED SYSTEM
>
> Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0, SP2.
>
>
> DETAILS
>
> Prevx Home prevents malicious code from modifying critical Windows registry keys by prompting the user for action 
> whenever such an attempt is detected. Examples of protected registry keys include the Run-key and Internet Explorer's 
> registry settings. Prevx Home can also protect the system against buffer overflow exploits.
>
> Prevx Home's registry and buffer overflow protection feature is implemented by hooking several native APIs in 
> kernel-space by modifying entries within the SDT ServiceTable. Hooking is performed by Prevx Home's kernel driver that 
> replaces several entries within the SDT ServiceTable. 
>
> It is possible to disable Prevx Home's registry and buffer overflow protection by restoring the running kernel's SDT 
> ServiceTable to its original state with direct writes to \device\physicalmemory. Restoring the  running kernel's SDT 
> ServiceTable will effectively disable the protection offered by Prevx Home.  In other words, the registry keys that 
> were protected by Prevx Home can now be modified
>
>
> PATCH
>
> Upgrade to Version 2.0, which can protect against such exploits.
>
>
> WORKAROUNDS
>
> Do not run untrusted programs as Administrator.
>
>
> PROOF-OF-CONCEPT
>
> http://www.security.org.sg/vuln/prevxhome.html
>
>
> DISCLOSURE TIMELINE
>
> 05 Sep 04 - Vulnerability Discovered
> 06 Sep 04 - Initial Vendor Notification (incident number 1786)
> 06 Sep 04 - Initial Vendor Response
> 14 Sep 04 - Second Vendor Response
> 23 Sep 04 - Third Vendor Response
> 09 Nov 04 - Received Notification that Version 2.0, which can protect against such exploits, has been released
> 22 Nov 04 - Public Release
>
>
> GREETINGS
>
> All guys at SIG^2 G-TEC Lab
> http://www.security.org.sg/webdocs/g-tec.html 
>
> "IT Security...the Gathering. By enthusiasts for enthusiasts."