
Advisory 2007-01-15.01

Outpost Bypassing Self-Protection using file links Vulnerability

Basic information:

Release date: January 15, 2007
Last update: January 27, 2007
Severity: Critical
Character: Complete system control
Status: Fixed
Testing program: BTP00003P004AO.zip

Description:

Outpost protects its files and forbids other applications from manipulating them. Files and directories in its installation directory are guarded by various SSDT hooks. However, the implementation of this protection does not prevent malicious applications from calling the native API ZwSetInformationFile with the FileLinkInformation information class. Such calls can be used to replace files that are not in use at the time of the call. One of the vulnerable files in the Outpost installation directory is SandBox.sys, the driver that implements the Outpost Self-Protection mechanisms. Attackers are able to replace this driver with a fake copy that will be loaded into the system after the next reboot. This can result in complete system control because the driver's code is executed in privileged kernel mode. The fake driver can be implemented such that the user has no chance to notice the attack.
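The flaw class described above is a self-protection hook that inspects only the file a request arrives on and ignores where a FileLinkInformation request would place the new link. The following added example (not Outpost or Agnitum code, and not the advisory's testing program) models that policy decision in plain user-mode C so it runs anywhere: a `link_request_t` structure stands in for FILE_LINK_INFORMATION, `C:\Outpost\` is a constructed placeholder for the guarded installation directory, and both the weak and the hardened decision functions are hypothetical names. It assumes fully qualified paths; a real hook would additionally resolve a target given relative to a RootDirectory handle before checking it.

```c
/* Added example, not Outpost/Agnitum code: models the access decision a
 * self-protection hook should make for a FileLinkInformation request.
 * Hypothetical structures and a placeholder install directory; no kernel
 * APIs are used, so it compiles and runs on any platform. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for FILE_LINK_INFORMATION: the path of the handle the
 * request arrives on, the new link name the caller asks for, and whether an
 * existing file at the target may be replaced. */
typedef struct {
    bool replace_if_exists;
    const char *source_path;  /* file the handle refers to */
    const char *link_target;  /* new link name requested by the caller */
} link_request_t;

/* Placeholder for the guarded installation directory (constructed value). */
static const char *PROTECTED_DIRS[] = {
    "C:\\Outpost\\",
};

/* Canonicalise for comparison: drop the NT "\??\" prefix that user-mode
 * paths carry, map '/' to '\', and lower-case (NTFS names are
 * case-insensitive). The copy is truncated to the buffer size. */
static void canon_path(const char *in, char *out, size_t cap) {
    if (strncmp(in, "\\??\\", 4) == 0) in += 4;
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < cap; i++) {
        char c = in[i];
        if (c == '/') c = '\\';
        out[i] = (char)tolower((unsigned char)c);
    }
    out[i] = '\0';
}

/* True if the canonical path lies inside any protected directory. */
static bool in_protected_dir(const char *path) {
    char p[512], d[512];
    canon_path(path, p, sizeof p);
    for (size_t k = 0; k < sizeof PROTECTED_DIRS / sizeof *PROTECTED_DIRS; k++) {
        canon_path(PROTECTED_DIRS[k], d, sizeof d);
        if (strncmp(p, d, strlen(d)) == 0) return true;
    }
    return false;
}

/* Weak policy (the flaw class in the advisory): only the file the handle
 * refers to is checked, so a link whose target lands inside the protected
 * directory is allowed even with ReplaceIfExists set. */
bool weak_policy_allows(const link_request_t *r) {
    return !in_protected_dir(r->source_path);
}

/* Hardened policy: deny if either end of the link touches a protected
 * directory. ReplaceIfExists into that directory is exactly the file
 * overwrite the advisory describes, so it must never pass. */
bool hardened_policy_allows(const link_request_t *r) {
    if (in_protected_dir(r->source_path)) return false;
    if (in_protected_dir(r->link_target)) return false;
    return true;
}

int main(void) {
    /* Constructed request: link an attacker-controlled file over a driver
     * inside the guarded directory. */
    link_request_t r = { true, "C:\\Temp\\fake.sys",
                         "\\??\\C:\\Outpost\\SandBox.sys" };
    printf("weak policy:     %s\n", weak_policy_allows(&r) ? "ALLOW" : "DENY");
    printf("hardened policy: %s\n", hardened_policy_allows(&r) ? "ALLOW" : "DENY");
    return 0;
}
```

The decisive difference is the second check in `hardened_policy_allows`: the request's target name, after the same canonicalisation applied to the protected prefix, is treated as a write to that location. A hook that only looks at the handle being operated on will pass every such request, which is why the description says the SSDT hooks guard the directory yet do not stop this call.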

Vulnerable software:

Not vulnerable software:

Events:

References: