SIG^2 Vulnerability Research Advisory

Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration

by Tan Chew Keong
Release Date: 22 Nov 2004

Summary

Prevx Home is a state-of-the-art host intrusion prevention product designed to protect the user against zero-day attacks, Internet worms and spyware installation without requiring the user to perform constant updates to their system.

Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs in kernel space, which is done by replacing entries in the SDT ServiceTable (the kernel's system service dispatch table). This means that a malicious program running with Administrator privilege can disable these features by restoring the running kernel's SDT ServiceTable to its original state through direct writes to \device\physicalmemory.

 
Tested System

Prevx Home Version 1.0 Build 2.1.0.0 on WinXP SP0, SP2.

 
Details

Prevx Home prevents malicious code from modifying critical Windows registry keys by prompting the user for action whenever such an attempt is detected. Examples of protected registry keys include the Run-key and Internet Explorer's registry settings. Prevx Home can also protect the system against buffer overflow exploits.

Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs in kernel space. The hooking is performed by Prevx Home's kernel driver, which replaces several entries within the SDT ServiceTable with pointers into its own code.

Using our SDTrestore rootkit-defense tool, we were able to determine that Prevx Home's Intrusion Prevention feature is implemented by hooking the following native APIs. Each line of the listing shows the API name, its SDT index (in hex), the module that owns the hook and the address of the hook.

SDTrestore Version 0.2a Proof-of-Concept by SIG^2 G-TEC (www.security.org.sg)

KeServiceDescriptorTable                80559B80
KeServiceDecriptorTable.ServiceTable    804E2D20
KeServiceDescriptorTable.ServiceLimit   284

ZwAllocateVirtualMemory    11 pxfsf.sys [FC3BC07E]
ZwCreateFile               25 pxfsf.sys [FC3BC11E]
ZwCreateKey                29 pxfsf.sys [FC3BC13E]
ZwCreateMailslotFile       2A pxfsf.sys [FC3BC146]
ZwCreateNamedPipeFile      2C pxfsf.sys [FC3BC156]
ZwCreateSection            32 pxfsf.sys [FC3BC186]
ZwCreateThread             35 pxfsf.sys [FC3BC19E]
ZwDeleteFile               3E pxfsf.sys [FC3BC1E6]
ZwDeleteKey                3F pxfsf.sys [FC3BC1EE]
ZwDeleteValueKey           41 pxfsf.sys [FC3BC1FE]
ZwDeviceIoControlFile      42 pxfsf.sys [FC3BC206]
ZwDuplicateObject          44 pxfsf.sys [FC3BC216]
ZwEnumerateKey             47 pxfsf.sys [FC3BC22E]
ZwEnumerateValueKey        49 pxfsf.sys [FC3BC23E]
ZwLoadKey                  62 pxfsf.sys [FC3BC306]
ZwLoadKey2                 63 pxfsf.sys [FC3BC30E]
ZwOpenFile                 74 pxfsf.sys [FC3BC396]
ZwOpenKey                  77 pxfsf.sys [FC3BC3AE]
ZwOpenProcess              7A pxfsf.sys [FC3BC3C6]
ZwOpenProcessToken         7B pxfsf.sys [FC3BC3CE]
ZwOpenSection              7D pxfsf.sys [FC3BC3DE]
ZwOpenThread               80 pxfsf.sys [FC3BC3F6]
ZwOpenThreadToken          81 pxfsf.sys [FC3BC3FE]
ZwProtectVirtualMemory     89 pxfsf.sys [FC3BC43E]
ZwQueryKey                 A0 pxfsf.sys [FC3BC4F6]
ZwQueryMultipleValueKey    A1 pxfsf.sys [FC3BC4FE]
ZwQueryOpenSubKeys         A4 pxfsf.sys [FC3BC516]
ZwQueryValueKey            B1 pxfsf.sys [FC3BC57E]
ZwReplaceKey               C1 pxfsf.sys [FC3BC5FE]
ZwRestoreKey               CC pxfsf.sys [FC3BC656]
ZwSaveKey                  CF pxfsf.sys [FC3BC66E]
ZwSetInformationKey        E2 pxfsf.sys [FC3BC706]
ZwSetValueKey              F7 pxfsf.sys [FC3BC7AE]
ZwSystemDebugControl       FF pxfsf.sys [FC3BC7EE]
ZwTerminateThread         102 pxfsf.sys [FC3BC806]
ZwUnloadKey               107 pxfsf.sys [FC3BC82E]
ZwWriteFile               112 pxfsf.sys [FC3BC886]

Number of Service Table entries hooked = 37

 
On Win2k/XP, it is possible to restore the running kernel's SDT ServiceTable to its original state, since a complete copy of the SDT ServiceTable exists within the kernel file ntoskrnl.exe. Our SDTrestore rootkit-defense tool demonstrates how this can be done. Using SDTrestore, we were able to restore the SDT ServiceTable of a system running Prevx Home. The registry and buffer overflow protection features offered by Prevx Home were effectively disabled once the SDT had been restored to its original state: with the hooks removed, Prevx Home no longer prompts the user for action when a modification to a critical Windows registry setting is attempted.

In order to exploit this vulnerability, an attacker must first convince the user to execute a malicious program as Administrator.

The following screen dump shows SDTrestore being used to restore the SDT.

WARNING:  THIS IS EXPERIMENTAL CODE.  FIXING THE SDT MAY HAVE GRAVE
CONSEQUENCES, SUCH AS SYSTEM CRASH, DATA LOSS OR SYSTEM CORRUPTION.
PROCEED AT YOUR OWN RISK.  YOU HAVE BEEN WARNED.

Fix SDT Entries (Y/N)? : y

[+] Patched SDT entry 11 to 80568777
[+] Patched SDT entry 25 to 8057164C
[+] Patched SDT entry 29 to 8056F063
[+] Patched SDT entry 2A to 805DA312
[+] Patched SDT entry 2C to 80580F0D
[+] Patched SDT entry 32 to 80564B1B
[+] Patched SDT entry 35 to 8057F262
[+] Patched SDT entry 3E to 805D8CF7
[+] Patched SDT entry 3F to 8059D6BD
[+] Patched SDT entry 41 to 80597430
[+] Patched SDT entry 42 to 8057FBD0
[+] Patched SDT entry 44 to 805743BE
[+] Patched SDT entry 47 to 8056F76A
[+] Patched SDT entry 49 to 805801FE
[+] Patched SDT entry 62 to 805B0F28
[+] Patched SDT entry 63 to 805B0D76
[+] Patched SDT entry 74 to 805715E7
[+] Patched SDT entry 77 to 805684D5
[+] Patched SDT entry 7A to 8057459E
[+] Patched SDT entry 7B to 8056C8FC
[+] Patched SDT entry 7D to 805766CC
[+] Patched SDT entry 80 to 80597C0A
[+] Patched SDT entry 81 to 8056C383
[+] Patched SDT entry 89 to 8057494D
[+] Patched SDT entry A0 to 8056F473
[+] Patched SDT entry A1 to 8064CF58
[+] Patched SDT entry A4 to 8064D15E
[+] Patched SDT entry B1 to 8056B9A8
[+] Patched SDT entry C1 to 8064D892
[+] Patched SDT entry CC to 8064C3B0
[+] Patched SDT entry CF to 8064C457
[+] Patched SDT entry E2 to 8064CABB
[+] Patched SDT entry F7 to 80575527
[+] Patched SDT entry FF to 8064872D
[+] Patched SDT entry 102 to 8057E97C
[+] Patched SDT entry 107 to 8064C689
[+] Patched SDT entry 112 to 8057A125
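As an added example (not part of the original advisory or of the SDTrestore tool), the following Python script parses the two kinds of output shown above, the hook listing and the "Patched SDT entry" log, and cross-checks them from a defender's point of view: every hooked index must have been restored, and every restored pointer must fall back inside the ntoskrnl image. The sample lines are copied from the advisory; the ntoskrnl address range is an assumed, constructed value for the example.

```python
import re

# Constructed sample: a subset of the SDTrestore hook listing from the advisory.
LISTING = """\
ZwAllocateVirtualMemory    11 pxfsf.sys [FC3BC07E]
ZwCreateFile               25 pxfsf.sys [FC3BC11E]
ZwCreateKey                29 pxfsf.sys [FC3BC13E]
ZwTerminateThread         102 pxfsf.sys [FC3BC806]
"""

# Constructed sample: the matching "Patched SDT entry" lines from the advisory.
PATCH_LOG = """\
[+] Patched SDT entry 11 to 80568777
[+] Patched SDT entry 25 to 8057164C
[+] Patched SDT entry 29 to 8056F063
[+] Patched SDT entry 102 to 8057E97C
"""

# Assumed (constructed) load range of ntoskrnl.exe on the tested system.
NTOSKRNL_RANGE = (0x804D7000, 0x806FF000)

LISTING_RE = re.compile(r"^(Zw\w+)\s+([0-9A-Fa-f]+)\s+(\S+)\s+\[([0-9A-Fa-f]{8})\]$")
PATCH_RE = re.compile(r"^\[\+\] Patched SDT entry ([0-9A-Fa-f]+) to ([0-9A-Fa-f]{8})$")


def parse_listing(text):
    """Map SDT index -> (API name, hooking module, hook address) for each hooked entry."""
    hooks = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            name, idx, module, addr = m.groups()
            hooks[int(idx, 16)] = (name, module, int(addr, 16))
    return hooks


def parse_patch_log(text):
    """Map SDT index -> restored address for each "Patched SDT entry" line."""
    patched = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            patched[int(m.group(1), 16)] = int(m.group(2), 16)
    return patched


def check_restoration(hooks, patched, kernel_range=NTOSKRNL_RANGE):
    """Report hooked entries that were not restored and restored pointers outside ntoskrnl."""
    lo, hi = kernel_range
    return {
        "hooked": len(hooks),
        "hooking_modules": sorted({module for _, module, _ in hooks.values()}),
        "not_restored": sorted(set(hooks) - set(patched)),
        "restored_outside_kernel": sorted(i for i, a in patched.items() if not lo <= a < hi),
    }
```

Fed the full 37-line listing and patch log from this advisory, the report shows a single hooking module (pxfsf.sys) and no unrestored or out-of-kernel entries.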

 
Solution

  1. Upgrade to Version 2.0, which can protect against such exploits.
  2. Avoid running untrusted programs with Administrator privilege.

 
Disclosure Timeline

05 Sep 04 - Vulnerability Discovered
06 Sep 04 - Initial Vendor Notification (incident number 1786)
06 Sep 04 - Initial Vendor Response
14 Sep 04 - Second Vendor Response
23 Sep 04 - Third Vendor Response
24 Oct 04 - Second Vendor Notification
09 Nov 04 - Received Notification that Version 2.0, which can protect against such exploits, has been released
22 Nov 04 - Public Release

 

Contacts

For further questions and enquiries, email the following.

Overall-in-charge: Tan Chew Keong


Updated: 11/11/2004
webmaster@security.org.sg