[Full-disclosure] Prevx Pro 2005 - Multiple Vulnerabilities
trihuynh
huynhsec.com
Date: Fri Jul 01 2005 - 01:05:56 CDT
Prevx Pro 2005 - Multiple Vulnerabilities
=================================================

DESCRIPTION
=================================================
" Prevx Pro 2005 is the new 'must have' security
solution. Prevx Pro utilises the latest
behavior-based intrusion prevention technology.
Its intelligent system protection allows you to
browse without fear of infection or becoming a
victim of a hack attack. "
DETAILS
=================================================
1. Edit/modify protected files.
PrevX by default protects many critical system files.
However, the protection can be bypassed by using memory mapping.
For example, to edit the winnt/win.ini file, open the file, call
MapViewOfFile, and then edit the file contents through the mapped view.
PrevX does not protect files that are edited through memory-mapped I/O.
2. Sending bogus commands to the kernel driver.
The PrevX kernel driver and the user-space applications talk
to each other using NtDeviceIoControlFile. However,
it seems the driver does not check whether the calling user-mode
application really belongs to PrevX. It is therefore possible to bypass
the protection by impersonating the user interface and sending an "allow"
command down to the kernel driver every time a warning pop-up appears.
3. Local DoS:
Creating a large registry value (e.g., a multi-string value with 10 MB
of data) in a protected key (such as HKLM/software/microsoft/run) causes
PrevX to consume 100% CPU.
From then on, whenever a user tries to access the log records from the
PrevX GUI, PrevX suddenly consumes 100% CPU for no apparent reason.
+ The vendor was contacted but did not respond.
CREDITS
=================================================
Discovered by Tri Huynh
DISCLAIMER
=================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
FEEDBACK
=================================================
Please send suggestions, updates, and comments to: trihuynh@huynhsec.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/