[Full-disclosure] Prevx Pro 2005 - Multiple Vulnerabilities
Date: Fri Jul 01 2005 - 01:05:56 CDT
PROGRAM: PrevX Pro 2005
solution. Prevx Pro utilises the latest
behavior–based intrusion prevention technology.
Its intelligent system protection allows you to
browse without fear of infection or becoming a
victim of a hack attack. "
By default, PrevX protects many critical system files.
However, the protection can be bypassed by using memory mapping.
For example, to edit the winnt/win.ini file, open the file, call
MapViewOfFile, and then edit the file through the mapped memory. PrevX
does not protect files that are edited through memory-mapped I/O.
The PrevX kernel driver and the user-space applications talk
to each other using NtDeviceIoControlFile. However,
it seems the driver doesn't check whether the user application
is really from PrevX. From there, it is possible to bypass
the protection by pretending that the user sent an "allow" command
down to the kernel driver every time a warning message pops up.
Discovered by Tri Huynh
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
Please send suggestions, updates, and comments to: firstname.lastname@example.org
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
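An added example, not part of the original advisory and not PrevX code: a portable C model of the second issue, showing a verdict handler that never looks at the caller beside one that accepts verdicts only from a registered, verified UI process. All type, field and function names are hypothetical, and `image_verified` stands in for whatever check a driver performs on the caller's binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model: none of these names or layouts are PrevX's real interface. */
enum verdict { VERDICT_DENY, VERDICT_ALLOW };

struct caller { uint32_t pid; bool image_verified; };  /* identity seen by the driver */
struct prompt { uint32_t id; bool pending; enum verdict result; };
struct driver { uint32_t ui_pid; struct prompt prompts[4]; }; /* ui_pid 0 = no UI yet */

static struct prompt *find_pending(struct driver *d, uint32_t id) {
    for (size_t i = 0; i < sizeof d->prompts / sizeof d->prompts[0]; i++)
        if (d->prompts[i].pending && d->prompts[i].id == id)
            return &d->prompts[i];
    return NULL;
}

/* Only a caller whose binary was verified may become the decision UI, and only once. */
bool register_ui(struct driver *d, const struct caller *c) {
    if (d->ui_pid != 0 || !c->image_verified || c->pid == 0)
        return false;
    d->ui_pid = c->pid;
    return true;
}

/* Flawed design described in the advisory: any process's verdict is applied. */
bool verdict_unchecked(struct driver *d, const struct caller *c, uint32_t id, enum verdict v) {
    struct prompt *p = find_pending(d, id);
    (void)c;                      /* caller identity is never consulted */
    if (!p) return false;
    p->result = v;
    p->pending = false;
    return true;
}

/* Hardened design: verdicts from anyone but the registered UI are rejected. */
bool verdict_checked(struct driver *d, const struct caller *c, uint32_t id, enum verdict v) {
    if (d->ui_pid == 0 || c->pid != d->ui_pid)
        return false;             /* fail closed: the prompt stays pending */
    return verdict_unchecked(d, c, id, v);
}

int main(void) {
    struct driver d = { 0, { { 7, true, VERDICT_DENY } } };   /* constructed sample state */
    struct caller other = { 4242, false };
    return verdict_checked(&d, &other, 7, VERDICT_ALLOW) ? 1 : 0;
}
```

A PID match alone does not cover code injected into the trusted process or PID reuse after the UI exits; restricting which accounts may open the device object addresses the problem at an earlier point.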