
Kerio Personal Firewall's Application Launch Protection Can Be Disabled by Direct Service Table Restoration

by Tan Chew Keong
Release Date: 02 Sep 2004

Summary

Kerio Personal Firewall 4 (KPF4) is a state-of-the-art personal firewall that 
helps users restrict how their computers exchange data with other computers on 
the Internet or local network. KPF has an Application Security feature that 
allows the user to restrict the execution of programs on his system. KPF 
prevents malicious code from spawning processes on the user's system by 
prompting the user for action whenever an unknown/new or modified program is 
being executed. 

KPF's Application Security feature is implemented by hooking several native 
APIs in kernel-space by modifying entries within the SDT ServiceTable. This 
means that a malicious program can disable this security feature by restoring 
the running kernel's SDT ServiceTable to its original entries with direct 
writes to \device\physicalmemory. This vulnerability affects only the 
execution protection feature of KPF4; the firewall feature of KPF4 remains 
intact. 

Tested System

Kerio Personal Firewall 4.0.16 on Win2K SP4, WinXP SP1, SP2.

Details

Kerio Personal Firewall's Application Security (execution protection) feature 
is implemented by hooking several native APIs in kernel-space. Hooking is 
performed by the module fwdrv.sys by replacing entries within the SDT 
ServiceTable. KPF prevents malicious code from spawning processes on the user's 
system by prompting the user for action whenever an unknown/new or modified 
program is being executed. 
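The weakness the advisory describes is that a protection built on patched SDT ServiceTable entries is silently lost once those entries are written back to their original kernel addresses. The following added example, which is not code from the advisory or from Kerio, models that in user-mode C on a constructed copy of the table: it mirrors the 32-bit KeServiceDescriptorTable layout, classifies each entry by whether it points into ntoskrnl or into the hooking driver (the same heuristic rootkit detectors use to spot SDT hooks), and shows the self-check a hooking driver should run so that a restored table is detected rather than going unnoticed. All image ranges, service indices and handler addresses are constructed values, not real ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of one nt!KeServiceDescriptorTable entry on 32-bit Windows 2000/XP.
 * ServiceTable is the array that a hooking driver such as fwdrv.sys patches. */
typedef struct {
    uintptr_t *ServiceTable;   /* handler address per system-service index */
    uint32_t  *CounterTable;   /* unused in this example */
    uint32_t   ServiceLimit;   /* number of entries in ServiceTable */
    uint8_t   *ArgumentTable;  /* unused in this example */
} ServiceDescriptorEntry;

typedef struct { uintptr_t base; size_t size; const char *name; } ImageRange;

/* Constructed image ranges (assumptions); real load addresses vary per machine. */
static const ImageRange KERNEL_IMG = { 0x80400000u, 0x200000u, "ntoskrnl.exe" };
static const ImageRange FWDRV_IMG  = { 0xF8A00000u, 0x020000u, "fwdrv.sys" };

typedef enum { ENTRY_KERNEL, ENTRY_KNOWN_HOOK, ENTRY_UNKNOWN } EntryClass;

static int in_image(uintptr_t addr, const ImageRange *img) {
    return addr >= img->base && addr < img->base + img->size;
}

/* Classify a handler address: inside the kernel image (unhooked), inside the
 * known hooking driver, or somewhere else (an unexpected hook). */
EntryClass classify_entry(uintptr_t handler) {
    if (in_image(handler, &KERNEL_IMG)) return ENTRY_KERNEL;
    if (in_image(handler, &FWDRV_IMG))  return ENTRY_KNOWN_HOOK;
    return ENTRY_UNKNOWN;
}

/* Detector-style scan: how many entries no longer point into ntoskrnl. */
int count_hooked_entries(const ServiceDescriptorEntry *sdt) {
    int hooked = 0;
    for (uint32_t i = 0; i < sdt->ServiceLimit; i++)
        if (classify_entry(sdt->ServiceTable[i]) != ENTRY_KERNEL)
            hooked++;
    return hooked;
}

/* Self-check a hooking driver should run periodically: returns 1 only if every
 * index it hooked still points at its own handler. A 0 means the table was
 * rewritten underneath the driver and its protection is silently off. */
int hooks_intact(const ServiceDescriptorEntry *sdt,
                 const uint32_t *hooked_idx, const uintptr_t *handlers, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (hooked_idx[i] >= sdt->ServiceLimit) return 0;
        if (sdt->ServiceTable[hooked_idx[i]] != handlers[i]) return 0;
    }
    return 1;
}

/* --- constructed scenario ---------------------------------------------- */
#define TABLE_LEN 4
/* Original (unhooked) handlers, all inside the kernel image (constructed). */
static const uintptr_t ORIGINAL[TABLE_LEN] = {
    0x80401000u, 0x80402000u, 0x80403000u, 0x80404000u };
/* Two constructed indices the driver hooks, and its replacement handlers. */
static const uint32_t  HOOK_IDX[2]     = { 1, 3 };
static const uintptr_t HOOK_HANDLER[2] = { 0xF8A01000u, 0xF8A01200u };

/* Build the table with hooks installed; if `restored` is nonzero, the original
 * pointers are back in place, which is the state the advisory describes. */
static void build_table(uintptr_t *table, int restored) {
    for (int i = 0; i < TABLE_LEN; i++) table[i] = ORIGINAL[i];
    if (!restored)
        for (int i = 0; i < 2; i++) table[HOOK_IDX[i]] = HOOK_HANDLER[i];
}

int scenario_hooked_count(int restored) {
    uintptr_t table[TABLE_LEN];
    build_table(table, restored);
    ServiceDescriptorEntry sdt = { table, NULL, TABLE_LEN, NULL };
    return count_hooked_entries(&sdt);
}

int scenario_hooks_intact(int restored) {
    uintptr_t table[TABLE_LEN];
    build_table(table, restored);
    ServiceDescriptorEntry sdt = { table, NULL, TABLE_LEN, NULL };
    return hooks_intact(&sdt, HOOK_IDX, HOOK_HANDLER, 2);
}

int main(void) {
    printf("hooks installed: %d hooked entries, intact=%d\n",
           scenario_hooked_count(0), scenario_hooks_intact(0));
    printf("table restored:  %d hooked entries, intact=%d\n",
           scenario_hooked_count(1), scenario_hooks_intact(1));
    return 0;
}
```

With the hooks installed the scan reports two entries outside ntoskrnl and the self-check passes; after the table is restored both signals drop to zero, which is exactly the condition a kernel-mode product needs to alarm on, since the firewall rules elsewhere in KPF4 keep working and give no hint that execution protection is gone.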

More Details:

http://www.security.org.sg/vuln/kerio4016.html