PDA

Bekijk Volledige Versie : Pedestal Software Security Notice



Keith Woodard
03/01/03, 22:12
Product: Integrity Protection Driver (IPD)
Version: 1.3 and earlier
Subject: New Integrity Protection Driver (IPD) Available
Date: January 3, 2003
Solution: Upgrade to version 1.4

SUMMARY

The Integrity Protection Driver (IPD) is an open source kernel
driver for Windows NT and Windows 2000 that attempts to provide
integrity to the Windows kernel by blocking kernel-altering
device drivers, such as rootkits, from changing normal kernel
function.

A new version of the IPD has been released that corrects a
vulnerability that circumvents the driver's protection.

More information about the IPD, including its open source license,
can be found at:

http://www.pedestalsoftware.com/intact/ipd

DETAILS

Phrack 59-16 provides sample code for circumventing the IPD using
a kernel function, NtCreateSymbolicLinkObject and mapping a new
name to \Device\PhysicalMemory. This specific use of
NtCreateSymbolicLinkObject was fixed in version 1.3 of the
IPD. However, Jan Rutkowski recently discovered that the same
function can be used to map a directory to a drive letter through
the use of the subst command. This could be used by a malicious
user to circumvent IPD's protection of driver files.

PATCH AVAILABILITY

Users of the IPD are urged to upgrade to the latest version.

The latest driver and source code may be downloaded from the
Pedestal Software web site at
http://www.pedestalsoftware.com/intact/ipd.

CREDITS

Thanks to Jan Rutkowski <jkrutkowski@elka.pw.edu.pl> for
telling us about this new vulnerability.

Phrack 59-16 by crazylord <crazylord@minithins.net>
http://www.phrack.org/show.php?p=59&a=16

ABOUT PEDESTAL SOFTWARE

Founded in 1998, Pedestal Software is "enabling the next wave of
information security" by making the deployment, management, audit,
and control of a security policy efficient and cost effective.
The company is privately held and maintains its headquarters in
Newton, Massachusetts. For additional information, please visit
http://www.pedestalsoftware.com or contact us at (617) 928-5550.

DISCLAIMER

Pedestal Software is not responsible for the misuse of any of the
information provided on this website and/or through security
advisories. This advisory is a service to Pedestal Software
customers intended to promote secure installation and use of
Pedestal Software products.