lists.openwall.net (Open Source and information security mailing list archives)
Message-ID: <20040902164233.26701.qmail@www.securityfocus.com>
Date: 2 Sep 2004 16:42:33 -0000
From: "Jérôme" ATHIAS <jerome.athias@...amail.com>
To: bugtraq@...urityfocus.com
Subject: Kerio Personal Firewall's Application Launch Protection Can Be Disabled by Direct Service Table Restoration

by Tan Chew Keong
Release Date: 02 Sep 2004
Summary

Kerio Personal Firewall 4 (KPF4) is a personal firewall that lets users restrict how their computers exchange data with other computers on the Internet or on a local network. KPF4 also has an Application Security feature that restricts which programs may run on the system: whenever an unknown, new, or modified program is about to execute, KPF prompts the user for a decision, so that malicious code cannot silently spawn processes on the user's system.

KPF's Application Security feature is implemented by hooking several native APIs in kernel space: the driver replaces entries in the kernel's System Service Descriptor Table (the SSDT, KeServiceDescriptorTable.ServiceTable) with pointers to its own routines. The hooked table is ordinary writable kernel memory, so a malicious program that can open \device\physicalmemory (which any process running with administrator rights can do) can map the table's pages and write the original ntoskrnl entry addresses back over the hooks, silently disabling execution protection. This vulnerability affects only the execution protection feature of KPF4; the packet-filtering firewall feature remains intact.

 
Tested System

Kerio Personal Firewall 4.0.16 on Windows 2000 SP4 and Windows XP SP1 and SP2.


 
Details

Kerio Personal Firewall's Application Security (execution protection) feature is implemented by hooking several native APIs in kernel space. The hooking is performed by the kernel module fwdrv.sys, which replaces entries in the SSDT with pointers to its own routines; those routines are what prompt the user whenever an unknown, new, or modified program is executed. Because the replaced entries are plain kernel memory, anything that can write physical memory can put the original addresses back, and the subsequent process launches are dispatched straight to the kernel's own handlers with no prompt, while fwdrv.sys keeps running and is never told that its hooks are gone.
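The hook-and-restore mechanism described in the Summary and in the paragraph above, as an added example that is not code from the advisory, from Kerio, or from the security.org.sg write-up. It models the SSDT as a user-space array of function pointers so that the whole sequence (table hooked by the firewall driver, table restored by the attacker, launch dispatched through whatever the table holds) can be compiled and run anywhere. The service names and indices, the NTSTATUS values, the path-based allowlist standing in for KPF's unknown/new/modified check, and the way the attacker obtains the pristine entries are all assumptions of this model: here the pristine copy is simply saved before hooking, whereas a real tool would recover the addresses from ntoskrnl.exe on disk and write them through a mapping of \Device\PhysicalMemory. The block also includes the self-check a driver in fwdrv.sys's position would want, verifying that its own hook addresses are still in the table, because a comparison against the pristine kernel table cannot tell "never hooked" from "hooks removed".

```c
/*
 * Added example, not code from the advisory or from Kerio: a user-space
 * model of an SSDT hook being installed by a firewall driver and then
 * undone by writing the original entries back over it.  Service names,
 * indices, status values and the allowlist below are illustrative.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)

/* A system service in this model takes the image path and returns an NTSTATUS. */
typedef NTSTATUS (*service_fn)(const char *image);

/* Assumed service indices; real SSDT indices differ per Windows build. */
enum { SVC_CREATE_SECTION = 0, SVC_CREATE_PROCESS = 1, SVC_COUNT = 2 };

/* Genuine handlers, standing in for the routines inside ntoskrnl. */
static NTSTATUS nt_create_section(const char *image) { (void)image; return STATUS_SUCCESS; }
static NTSTATUS nt_create_process(const char *image) { (void)image; return STATUS_SUCCESS; }

/* The dispatch table as the kernel builds it at boot
   (KeServiceDescriptorTable.ServiceTable in the real kernel). */
static service_fn service_table[SVC_COUNT] = { nt_create_section, nt_create_process };

/* What the attacker's tool writes back: a pristine copy of the table.  A real
   tool would derive these from ntoskrnl.exe on disk and write them through a
   mapping of \Device\PhysicalMemory; here (an assumption) they are saved up front. */
static service_fn const pristine[SVC_COUNT] = { nt_create_section, nt_create_process };

/* ---- the protection, modelled on what fwdrv.sys does ---- */

static service_fn chained[SVC_COUNT];   /* originals the hooks chain to */

/* Constructed allowlist: stands in for the user's earlier "allow" answers
   (KPF keys on path and a checksum, so a modified binary would re-prompt). */
static int image_is_approved(const char *image)
{
    static const char *const approved[] = {
        "C:\\WINDOWS\\explorer.exe", "C:\\WINDOWS\\notepad.exe",
    };
    for (size_t i = 0; i < sizeof approved / sizeof approved[0]; i++)
        if (strcmp(image, approved[i]) == 0) return 1;
    return 0;
}

static NTSTATUS hook_create_section(const char *image)
{
    if (!image_is_approved(image)) return STATUS_ACCESS_DENIED;  /* user said no */
    return chained[SVC_CREATE_SECTION](image);
}

static NTSTATUS hook_create_process(const char *image)
{
    if (!image_is_approved(image)) return STATUS_ACCESS_DENIED;
    return chained[SVC_CREATE_PROCESS](image);
}

void install_hooks(void)
{
    chained[SVC_CREATE_SECTION] = service_table[SVC_CREATE_SECTION];
    chained[SVC_CREATE_PROCESS] = service_table[SVC_CREATE_PROCESS];
    service_table[SVC_CREATE_SECTION] = hook_create_section;
    service_table[SVC_CREATE_PROCESS] = hook_create_process;
}

/* Self-check the driver should run periodically: are my hooks still in place? */
int hooks_intact(void)
{
    return service_table[SVC_CREATE_SECTION] == hook_create_section &&
           service_table[SVC_CREATE_PROCESS] == hook_create_process;
}

/* ---- the attack: direct service table restoration ---- */
int restore_service_table(void)
{
    int restored = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (service_table[i] != pristine[i]) { service_table[i] = pristine[i]; restored++; }
    return restored;
}

/* ---- a process launch, dispatched through whatever the table holds now ---- */
NTSTATUS launch(const char *image)
{
    NTSTATUS st = service_table[SVC_CREATE_SECTION](image);
    if (st != STATUS_SUCCESS) return st;
    return service_table[SVC_CREATE_PROCESS](image);
}

/* Rootkit-style integrity check: how many entries differ from the pristine
   kernel table?  It reports the firewall's own hooks as tampering, and reads
   0 again once the attacker has restored the table. */
int count_modified_entries(void)
{
    int n = 0;
    for (int i = 0; i < SVC_COUNT; i++) n += (service_table[i] != pristine[i]);
    return n;
}

int main(void)
{
    const char *unknown = "C:\\temp\\dropper.exe";   /* constructed sample path */
    printf("no hooks:     launch -> 0x%08x\n", (unsigned)launch(unknown));
    install_hooks();
    printf("hooked:       launch -> 0x%08x, modified entries %d\n",
           (unsigned)launch(unknown), count_modified_entries());
    printf("restored %d entries\n", restore_service_table());
    printf("after bypass: launch -> 0x%08x, hooks intact %d, modified entries %d\n",
           (unsigned)launch(unknown), hooks_intact(), count_modified_entries());
    return 0;
}
```

The point the model makes explicit is in the last line of output: after restoration the unknown image launches with STATUS_SUCCESS, a pristine-table comparison reports nothing wrong, and only the driver's own hooks_intact() check notices. A driver that relies on SSDT hooks therefore has to police its own entries, and even that is only a race against an attacker who can already write kernel memory.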

More Details:

http://www.security.org.sg/vuln/kerio4016.html

