
Thursday, May 13, 2010

Windows + Anti-Virus applications = Guarantee? Muahahahaha.com

This is where the vulnerability lies. Programs can change the meaning of the parameters after they pass to hooked functions. If the change is made at just the right time—after the validation, but before they get sent to the original kernel function—the program can give the hook function data that it accepts, but then replace it with data that would be rejected. So, for example, it would make a call to NtTerminateProcess with a reference to a harmless process, and then quickly replace the reference with one to the security software itself. The hook would see the harmless process and permit the operation to continue, but the real kernel function would see the reference to the security software, and duly terminate it.

This requires careful timing on the part of the attacker. The replacement has to be made at just the right moment. Too soon, and the hook will attempt to validate the malicious parameters and reject the call. Too late, and the harmless data will already have been passed on to the real function. This might seem improbable, but it turns out that an attack specially written to target anti-virus and firewall software by using these hooks can successfully switch around its parameters after just a handful of attempts.
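An added illustration in C of the double-fetch defect described above and its usual mitigation; this is not code from the article or from Matousec's toolkit. The kernel routine, the hook and the concurrent rewrite are simulated in a single thread with constructed PIDs, so the "swap" is a direct call placed where the race would land.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed identifiers: PID 4 stands in for the security product's own
   process, PID 1234 for a harmless one. */
#define PROTECTED_PID 4u
#define HARMLESS_PID  1234u

/* Simulated second thread: rewrites the caller's argument in place. In the
   real race this happens concurrently; here it runs at a fixed point. */
static void swap_argument(uint32_t *arg) { *arg = PROTECTED_PID; }

/* Stand-in for the original kernel routine: re-reads the argument from the
   caller's buffer. Returns true if the protected process would be killed. */
static bool original_terminate(const uint32_t *pid) {
    return *pid == PROTECTED_PID;
}

/* Vulnerable hook: validates through the caller's pointer, then forwards the
   same pointer. The value can change between the two reads (double fetch). */
static bool hooked_terminate_vulnerable(uint32_t *user_pid) {
    if (*user_pid == PROTECTED_PID) return false;  /* rejected by the hook */
    swap_argument(user_pid);                        /* race window */
    return original_terminate(user_pid);
}

/* Hardened hook: copies the argument once into hook-owned storage, validates
   the copy and forwards the copy, so a later rewrite of the caller's buffer
   is never seen by the original routine. */
static bool hooked_terminate_hardened(uint32_t *user_pid) {
    uint32_t pid = *user_pid;                /* single fetch */
    if (pid == PROTECTED_PID) return false;
    swap_argument(user_pid);                 /* same window, no effect */
    return original_terminate(&pid);
}

/* Both scenarios start from a harmless PID, as the caller would present it. */
static bool run_vulnerable(void) { uint32_t p = HARMLESS_PID; return hooked_terminate_vulnerable(&p); }
static bool run_hardened(void)   { uint32_t p = HARMLESS_PID; return hooked_terminate_hardened(&p); }

int main(void) {
    printf("vulnerable hook: protected process killed = %d\n", run_vulnerable());
    printf("hardened hook:   protected process killed = %d\n", run_hardened());
    return 0;
}
```

The same copy-once rule applies to every pointer-typed argument a hook inspects, including structures reached through nested pointers.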

The researchers found exploitable versions of this vulnerability in every program they tested, including products from McAfee, Trend Micro, and Kaspersky. In fact, the researchers said that the only reason they found exploits in just 34 products was that they only had time to test 34 products (Microsoft, for its part, believes that its security software is not affected, but is still investigating the issue). Many others may be vulnerable too. They also developed a toolkit dubbed KHOBE ("kernel hook bypassing engine") to allow the rapid detection and exploitation of such flaws.

Matousec initially believed the technique they were using to exploit the security software was newly discovered. After publication, however, they became aware that the basic technique was documented as a way of attacking Unix way back in 1996. A 2003 posting to security mailing list Bugtraq described using the same technique against Windows.

Read the rest here.

The whole world knows it and we still treat it as our little secret. We've said it before: whatever locks, unlocks. If, on the other hand, you want something that is terribly hard to unlock, here and now, SIMPLY click here. Forget all the nonsense the Windows industry sells you. Stop being sheep...
