Pedestal Software Security Notice

From: Keith Woodard (kwoodardat_private)
Date: Fri Jan 03 2003 - 11:39:01 PST

    Product:   Integrity Protection Driver (IPD)
    Version:   1.3 and earlier
    Subject:   New Integrity Protection Driver (IPD) Available
    Date:      January 3, 2003
    Solution:  Upgrade to version 1.4
    
    SUMMARY
    
        The Integrity Protection Driver (IPD) is an open source kernel
        driver for Windows NT and Windows 2000 that attempts to provide
        integrity to the Windows kernel by blocking kernel-altering
        device drivers, such as rootkits, from changing normal kernel
        function.
    
        A new version of the IPD has been released that corrects a
        vulnerability that allows the driver's protection to be
        circumvented.
    
        More information about the IPD, including its open source license,
        can be found at:
    
            http://www.pedestalsoftware.com/intact/ipd
    
    DETAILS
    
        Phrack 59-16 provides sample code for circumventing the IPD using
        a kernel function, NtCreateSymbolicLinkObject, and mapping a new
        name to \Device\PhysicalMemory. This specific use of
        NtCreateSymbolicLinkObject was fixed in version 1.3 of the
        IPD. However, Jan Rutkowski recently discovered that the same
        function can be used to map a directory to a drive letter through
        the use of the subst command. This could be used by a malicious
        user to circumvent IPD's protection of driver files.
    
    PATCH AVAILABILITY
    
        Users of the IPD are urged to upgrade to the latest version.
    
        The latest driver and source code may be downloaded from the
        Pedestal Software web site at
        http://www.pedestalsoftware.com/intact/ipd.
    
    CREDITS
    
        Thanks to Jan Rutkowski <jkrutkowskiat_private> for
        telling us about this new vulnerability.
    
        Phrack 59-16 by crazylord <crazylordat_private>
        http://www.phrack.org/show.php?p=59&a=16
    
    ABOUT PEDESTAL SOFTWARE
    
        Founded in 1998, Pedestal Software is "enabling the next wave of
        information security" by making the deployment, management, audit,
        and control of a security policy efficient and cost effective.
        The company is privately held and maintains its headquarters in
        Newton, Massachusetts. For additional information, please visit
        http://www.pedestalsoftware.com or contact us at (617) 928-5550.
    
    DISCLAIMER
    
        Pedestal Software is not responsible for the misuse of any of the
        information provided on this website and/or through security
        advisories. This advisory is a service to Pedestal Software
        customers intended to promote secure installation and use of
        Pedestal Software products.
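
Added example, not part of the advisory and not IPD source code: a user-mode C simulation of why a check that protects driver files by path must resolve symbolic link objects, such as a drive letter created with subst, to a canonical device path before comparing. The link table, the protected directory and all function names are constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed link table (assumption). Z: models a subst drive letter. */
static const struct { const char *name, *target; } LINKS[] = {
    { "\\??\\C:", "\\Device\\HarddiskVolume1" },
    { "\\??\\Z:", "\\??\\C:\\WINNT\\system32\\drivers" },
};
/* Hypothetical protected directory, written as a canonical device path. */
static const char PROTECTED[] = "\\Device\\HarddiskVolume1\\WINNT\\system32\\drivers\\";

static int has_prefix_ci(const char *s, const char *p) {
    for (; *p; s++, p++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*p)) return 0;
    return 1;
}
/* Replace a leading link name with its target until no link matches.
   Returns 0 on success, -1 on overflow or a link loop (caller fails closed). */
int canonicalize(const char *in, char *out, size_t cap) {
    char tmp[512];
    if (strlen(in) >= cap || cap > sizeof tmp) return -1;
    strcpy(out, in);
    for (int hops = 0; hops < 8; hops++) {
        size_t i, n = sizeof LINKS / sizeof LINKS[0];
        for (i = 0; i < n; i++) {
            size_t len = strlen(LINKS[i].name);
            if (!has_prefix_ci(out, LINKS[i].name) || (out[len] != '\\' && out[len] != '\0')) continue;
            if (snprintf(tmp, sizeof tmp, "%s%s", LINKS[i].target, out + len) >= (int)cap) return -1;
            strcpy(out, tmp);
            break;
        }
        if (i == n) return 0;   /* no link matched: the path is canonical */
    }
    return -1;
}
/* Compares the name as supplied, so an alias of the directory is missed. */
int naive_is_protected(const char *p) { return has_prefix_ci(p, "\\??\\C:\\WINNT\\system32\\drivers\\"); }
/* Compares the resolved path; names that cannot be resolved count as protected. */
int canonical_is_protected(const char *path) {
    char buf[512];
    if (canonicalize(path, buf, sizeof buf) != 0) return 1;
    return has_prefix_ci(buf, PROTECTED);
}

int main(void) {
    const char *p = "\\??\\Z:\\example.sys";   /* constructed alias path */
    printf("naive=%d canonical=%d\n", naive_is_protected(p), canonical_is_protected(p));
}
```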
    


