Bugtraq
mailing list archives
Kerio Personal Firewall's Application Launch Protection Can Be Disabled by Direct Service Table Restoration
From: "Jérôme" ATHIAS <jerome.athias () caramail com>
Date: 2 Sep 2004 16:42:33 -0000
by Tan Chew Keong
Release Date: 02 Sep 2004
Summary
Kerio Personal Firewall 4 (KPF4) is a state-of-the-art personal firewall that helps users restrict how their computers
exchange data with other computers on the Internet or local network. KPF has an Application Security feature that
allows the user to restrict the execution of programs on his system. KPF prevents malicious code from spawning
processes on the user's system by prompting the user for action whenever an unknown/new or modified program is being
executed.
KPF's Application Security feature is implemented by hooking several native APIs in kernel-space by modifying entries
within the SDT ServiceTable. This means that a malicious program can disable this security feature by restoring the
running kernel's SDT ServiceTable with direct writes to \device\physicalmemory. This vulnerability affects only the
execution protection feature of KPF4; the firewall feature of KPF4 remains intact.
Tested System
Kerio Personal Firewall 4.0.16 on Win2K SP4, WinXP SP1, SP2.
Details
Kerio Personal Firewall's Application Security (execution protection) feature is implemented by hooking several native
APIs in kernel-space. Hooking is performed by the module fwdrv.sys by replacing entries within the SDT ServiceTable.
KPF prevents malicious code from spawning processes on the user's system by prompting the user for action whenever an
unknown/new or modified program is being executed.
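The weakness described in the Summary and Details above is that a protection built on ServiceTable hooks has no way of noticing when those hooks are reverted. The following is an added example, written for this page and not code from the advisory, from Tan Chew Keong, or from Kerio: a model of the integrity check a defender would want around such hooks. It classifies each live ServiceTable entry against a known-clean table and the set of hooks the protection driver expects to have installed, flagging both the case this advisory describes (a hook silently restored to the original kernel handler) and the opposite case (a foreign hook added). All service indices, addresses and image ranges are constructed placeholders, not real Windows or fwdrv.sys values; the function names `classify_entry`, `audit` and `protection_intact` are this example's own.

```python
"""Added example (not from the advisory or from Kerio): a model of the
integrity check a defender would want around SDT ServiceTable hooks.

All service indices, addresses and image ranges below are constructed
placeholders, not real Windows or fwdrv.sys values.
"""

# Constructed image ranges (hypothetical): where the kernel and the hooking
# driver are loaded. A real checker reads these from the loaded-module list.
KERNEL_RANGE = (0x80400000, 0x80600000)        # ntoskrnl image (placeholder)
HOOK_DRIVER_RANGE = (0xF8800000, 0xF8810000)   # fwdrv.sys image (placeholder)

# Constructed "clean" ServiceTable: service index -> original kernel handler.
ORIGINAL_TABLE = {
    0x2E: 0x80480010,
    0x35: 0x80480220,
    0x70: 0x80480440,
}

# Constructed set of hooks the protection driver is expected to have
# installed: service index -> address of its replacement handler.
EXPECTED_HOOKS = {
    0x2E: 0xF8801000,
    0x35: 0xF8801200,
}


def module_for(addr):
    """Name the image an address falls in, or None if it is in neither."""
    if KERNEL_RANGE[0] <= addr < KERNEL_RANGE[1]:
        return "kernel"
    if HOOK_DRIVER_RANGE[0] <= addr < HOOK_DRIVER_RANGE[1]:
        return "hook-driver"
    return None


def classify_entry(index, live_addr, original=ORIGINAL_TABLE,
                   expected_hooks=EXPECTED_HOOKS):
    """Classify one live ServiceTable entry.

    hooked-ok        entry still points at the driver's handler
    hook-removed     entry was reverted to the original kernel handler, i.e.
                     the protection for that service was silently disabled
    hijacked         an expected hook now points somewhere else entirely
    original         an unhooked service that still points into the kernel
    unexpected-hook  an unhooked service that no longer points into the kernel
    """
    orig_addr = original[index]
    if index in expected_hooks:
        if live_addr == expected_hooks[index]:
            return "hooked-ok"
        if live_addr == orig_addr:
            return "hook-removed"
        return "hijacked"
    if live_addr == orig_addr and module_for(live_addr) == "kernel":
        return "original"
    return "unexpected-hook"


def audit(live_table, original=ORIGINAL_TABLE, expected_hooks=EXPECTED_HOOKS):
    """Classify every entry of a live table snapshot."""
    return {idx: classify_entry(idx, live_table[idx], original, expected_hooks)
            for idx in original}


def protection_intact(live_table, original=ORIGINAL_TABLE,
                      expected_hooks=EXPECTED_HOOKS):
    """True only if every hook is in place and no foreign hook was added."""
    return all(status in ("original", "hooked-ok")
               for status in audit(live_table, original, expected_hooks).values())


def expected_live_table(original=ORIGINAL_TABLE, expected_hooks=EXPECTED_HOOKS):
    """The table as it should look while the protection driver is active."""
    return {**original, **expected_hooks}


if __name__ == "__main__":
    healthy = expected_live_table()
    print("healthy:", audit(healthy), protection_intact(healthy))
    # The condition the advisory describes: the table back in its original,
    # unhooked state while the driver still believes its hooks are in place.
    print("restored:", audit(ORIGINAL_TABLE), protection_intact(ORIGINAL_TABLE))
```

The design point is that a hook-based protection must periodically re-read the live table and compare it against what it installed, rather than trusting that the entries it wrote are still there; a table that matches the clean kernel state exactly is the signature of the bypass this advisory describes, not a sign of health.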
More Details:
http://www.security.org.sg/vuln/kerio4016.html