[Full-disclosure] Prevx Pro 2005 - Multiple Vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Prevx Pro 2005 - Multiple Vulnerabilities
- From: trihuynh@xxxxxxxxxxxx
- Date: Thu, 30 Jun 2005 23:05:56 -0700
<div>Prevx Pro 2005 - Multiple Vulnerabilities<BR>=================================================</div>
<div><BR>PROGRAM: PrevX Pro 2005<BR>HOMEPAGE: <A href="http://www.prevx.com">http://www.prevx.com</A></div>
<div>DESCRIPTION <BR>=================================================
</div>
<div>" Prevx Pro 2005 is the new 'must have' security <BR>solution. Prevx
Pro utilises the latest <BR>behavior-based intrusion prevention
technology. <BR>Its intelligent system protection allows you to
<BR>browse without fear of infection or becoming a <BR>victim of a hack
attack. " <BR> </div>
<div> </div>
<div>DETAILS <BR>================================================= </div>
<div>1. Edit/modify protected files.<BR>By default, PrevX protects
many critical files of the system.<BR>However, the protection can be
bypassed by using memory mapping.<BR>For example, to edit the winnt/win.ini
file, open the file, map it with<BR>MapViewOfFile, and then edit the file through
the mapped memory. PrevX does<BR>not protect files that are modified through memory-mapped
I/O.</div>
<div> </div>
<div>2. Sending bogus commands to the kernel driver.<BR>The PrevX kernel driver
and the user-space applications talk<BR>to each other using
NtDeviceIoControlFile. However,<BR>it seems the driver does not check
whether the user-mode application<BR>really belongs to PrevX. As a result,
it is possible to bypass <BR>the protection by impersonating the user and sending an
"allow" command<BR>down to the kernel driver every time a warning
message pops up.</div>
<div> </div>
<div>3. Local DoS.<BR>Creating a large registry value (e.g. a multi-string value holding 10MB of data) in a
protected<BR>key (e.g. HKLM/software/microsoft/run) causes PrevX to consume
100% CPU.<BR>From then on, whenever a user tries to access the log records from the
PrevX GUI,<BR>PrevX again consumes 100% CPU for no apparent reason.</div>
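As an added defensive check, not part of the advisory or of Prevx's own code, the following Python parses a regedit export and flags Run/RunOnce values whose data is unusually large, the condition the local DoS above depends on. The sample export and the 20-byte threshold are constructed for illustration; on a real export you would use a threshold in the megabyte range.

```python
import re

# Constructed sample .reg export (not from the advisory). "Bloat" is a tiny
# REG_MULTI_SZ standing in for the multi-megabyte value described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="upd.exe"
"Bloat"=hex(7):41,00,41,00,41,00,41,00,00,00,42,00,42,00,42,00,42,00,00,00,\
  00,00
"Flag"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
AUTORUN_RE = re.compile(r'\\run(once)?$', re.IGNORECASE)   # keys worth auditing

def parse_reg(text):
    """Return (key, name, reg_type, size_bytes) for every value in a .reg export.
    Joins the ',\\' continuation lines regedit emits for long hex data."""
    out, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        while data.endswith('\\'):            # trailing backslash = continued on next line
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith('"'):              # REG_SZ: unescape, count UTF-16LE bytes + NUL
            size, rtype = (len(re.sub(r'\\(.)', r'\1', data[1:-1])) + 1) * 2, 1
        elif data.startswith('dword:'):       # REG_DWORD is always 4 bytes
            size, rtype = 4, 4
        else:                                 # hex: (REG_BINARY) or hex(N): raw byte list
            hm = re.match(r'hex(?:\((\d+)\))?:(.*)$', data)
            rtype = int(hm.group(1)) if hm.group(1) else 3
            size = len([b for b in hm.group(2).split(',') if b])
        out.append((key, name, rtype, size))
    return out

def oversized_autorun_values(text, limit_bytes):
    """Flag values under Run/RunOnce keys whose data is at least limit_bytes."""
    return [(k, n, t, s) for k, n, t, s in parse_reg(text)
            if AUTORUN_RE.search(k) and s >= limit_bytes]
```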
<div> </div>
<div>+ The vendor has been contacted but has not responded. </div>
<div> </div>
<div>CREDITS <BR>=================================================
<BR>Discovered by Tri Huynh</div>
<div> </div>
<div> </div>
<div>DISCLAIMER <BR>=================================================
<BR>The information within this paper may change without notice. Use of
<BR>this information constitutes acceptance for use in an AS IS
condition. <BR>There are NO warranties with regard to this information.
In no event <BR>shall the author be liable for any damages whatsoever
arising out of <BR>or in connection with the use or spread of this
information. Any use <BR>of this information is at the user's own risk.
</div>
<div><BR>FEEDBACK <BR>=================================================
<BR>Please send suggestions, updates, and comments to: <A
href="mailto:trihuynh@xxxxxxxxxxxx">trihuynh@xxxxxxxxxxxx</A><BR></div>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/