lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4582ECC4.8000501@matousec.com>
Date: Fri, 15 Dec 2006 19:43:16 +0100
From: Matousec - Transparent security Research <research@...ousec.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Bypassing process identification of several
 personal firewalls and HIPS

Hello,

We would like to inform you about a vulnerability in several personal firewalls and HIPS:


Description:

Personal firewalls, HIPS and similar security software that implement per process security have to be able to identify 
the process that attempts to execute privileged action. Usually, not only the name and the process identifier but also 
the full path of such process or other informations are required. Some security software in this area obtain these 
informations improperly from user mode structures of the unknown process. This means that such security software relies 
on user mode data that can be modified by the malicious applications. It is possible to modify these data such that the 
malicious process appears to be another (e.g. trusted) process. Vulnerable security software then allows executing 
privileged actions to the malicious application.


Vulnerable software:

     * AntiHook 3.0.0.23 - Desktop
     * AVG Anti-Virus plus Firewall 7.5.431
     * Comodo Personal Firewall 2.3.6.81
     * Filseclab Personal Firewall 3.0.0.8686
     * Look 'n' Stop 2.05p2
     * Sygate Personal Firewall 5.6.2808
     * probably older versions of above mentioned products
     * possibly other personal firewalls and HIPS software


More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Bypassing-process-identification-serveral-personal-firewalls-HIPS.php


Regards,

-- 
Matousec - Transparent security Research
http://www.matousec.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ