matousec.com (site map)

Poll

Is leak(test) protection important?

  Yes, of course! (82.35%)

  I think so. (4.94%)

  I do not know. (3.03%)

  I do not think so. (1.93%)

  No, not at all! (7.76%)

more

results

Advisory 2006-12-01.01

Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability

Basic information:


Release date: December 01, 2006

Last update: November 02, 2007

Severity:Critical

Character:Complete system control

Status:Fixed

Testing program: BTP00012P004AO.zip

Description:

The system process services.exe cares about system services. It runs them during the system boot and thus owns full access handles to all system services. Outpost protects all processes against common DLL injection and forbids other processes to manipulate its own service process. However, it does not protect services.exe against Advanced DLL injection that does not rely on writing into the target process memory. It is possible to infect services.exe with a malicious DLL and execute an arbitrary code in this system process. It is also possible to find and use its handle of the outpost.exe process to infect Outpost service process similarly. As a result, the attacker is able to inject an arbitrary code into the Outpost's process and thus bypass any of its security mechanisms.

Vulnerable software:

Not vulnerable software:

Events:

References: