matousec.com (site map)

Poll

Is leak(test) protection important?

  Yes, of course! (82.3%)

  I think so. (4.89%)

  I do not know. (3.05%)

  I do not think so. (1.96%)

  No, not at all! (7.84%)

more

results

Advisory 2006-12-15.01

Bypassing process identification of several personal firewalls and HIPS

Basic information:


Release date: December 15, 2006

Last update: January 19, 2007

Severity:Medium

Character:Privilege escalation

Status:N/A

Testing program: ex-coat.zip

Description:

Personal firewalls, HIPS and similar security software that implement per process security have to be able to identify the process that attempts to execute privileged action. Usually, not only the name and the process identifier but also the full path of such process or other information are required. Some security software in this area obtain this information improperly from user mode structures of the unknown process. This means that such security software relies on user mode data that can be modified by the malicious applications. It is possible to modify these data such that the malicious process appears to be another (e.g. trusted) process. Vulnerable security software then allows executing privileged actions to the malicious application.

Vulnerable software:

Not vulnerable software:

Events:

References: