Bugtraq mailing list archives

Bypassing process identification of several personal firewalls and HIPS
From: Matousec - Transparent security Research <research () matousec com>
Date: Fri, 15 Dec 2006 19:42:11 +0100


We would like to inform you about a vulnerability in several personal firewalls and HIPS:


Personal firewalls, HIPS and similar security software that implement per-process security have to be able to identify the process that attempts to execute a privileged action. Usually not only the name and the process identifier but also the full path of that process, or other information, is required. Some security software in this area obtains this information improperly, from user-mode structures of the unknown process. This means that such security software relies on user-mode data that can be modified by the malicious application. It is possible to modify these data so that the malicious process appears to be another (e.g. trusted) process. The vulnerable security software then allows the malicious application to execute privileged actions.

Vulnerable software:

    * AntiHook - Desktop
    * AVG Anti-Virus plus Firewall 7.5.431
    * Comodo Personal Firewall
    * Filseclab Personal Firewall
    * Look 'n' Stop 2.05p2
    * Sygate Personal Firewall 5.6.2808
    * probably older versions of the above-mentioned products
    * possibly other personal firewalls and HIPS software

More details and a proof of concept, including its source code, are available here:


Matousec - Transparent security Research
