lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4BE1BAB6.4050903@matousec.com>
Date: Wed, 05 May 2010 20:36:38 +0200
From: "www.matousec.com - Research" <research@...ousec.com>
To: bugtraq@...urityfocus.com
Subject: KHOBE - 8.0 earthquake for Windows desktop security software

Hello,

We have found number of vulnerabilities in implementations of kernel hooks in many different security products.


The argument-switch attack (or KHOBE attack) affects user mode and kernel mode hooks that are used to implement security features. The hook
may be vulnerable if it performs security checks on pointer or handle arguments that come from user mode. Using multiple threads the
attacker is able to change the meaning of the arguments in the middle of the hooked system call and thus bypass the security checks
implemented by the hook. The common implementations of kernel mode hooks, especially so called SSDT hooks, are vulnerable to argument-switch
attack. No product that we investigated during our research did not implemented the hooks correctly.


Vulnerable software:

    * 3D EQSecure Professional Edition 4.2
    * avast! Internet Security 5.0.462
    * AVG Internet Security 9.0.791
    * Avira Premium Security Suite 10.0.0.536
    * BitDefender Total Security 2010 13.0.20.347
    * Blink Professional 4.6.1
    * CA Internet Security Suite Plus 2010 6.0.0.272
    * Comodo Internet Security Free 4.0.138377.779
    * DefenseWall Personal Firewall 3.00
    * Dr.Web Security Space Pro 6.0.0.03100
    * ESET Smart Security 4.2.35.3
    * F-Secure Internet Security 2010 10.00 build 246
    * G DATA TotalCare 2010
    * Kaspersky Internet Security 2010 9.0.0.736
    * KingSoft Personal Firewall 9 Plus 2009.05.07.70
    * Malware Defender 2.6.0
    * McAfee Total Protection 2010 10.0.580
    * Norman Security Suite PRO 8.0
    * Norton Internet Security 2010 17.5.0.127
    * Online Armor Premium 4.0.0.35
    * Online Solutions Security Suite 1.5.14905.0
    * Outpost Security Suite Pro 6.7.3.3063.452.0726
    * Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
    * Panda Internet Security 2010 15.01.00
    * PC Tools Firewall Plus 6.0.0.88
    * PrivateFirewall 7.0.20.37
    * Security Shield 2010 13.0.16.313
    * Sophos Endpoint Security and Control 9.0.5
    * Trend Micro Internet Security Pro 2010 17.50.1647.0000
    * Vba32 Personal 3.12.12.4
    * VIPRE Antivirus Premium 4.0.3272
    * VirusBuster Internet Security Suite 3.2
    * Webroot Internet Security Essentials 6.1.0.145
    * ZoneAlarm Extreme Security 9.1.507.000
    * probably other versions of above mentioned software
    * possibly many other software products that use kernel hooks to implement security features


More details are available here:

Advisory: http://www.matousec.com/info/advisories/khobe-8.0-earthquake-for-windows-desktop-security-software.php
Article: http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Kind Regards,

--
www.matousec.com Research
Different Internet Experience Ltd.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ