VnutZ Domain
Copyright © 1996 - 2020 [Matthew Vea] - All Rights Reserved

2010-05-12
Featured Article

Multi-processing Permits Bypass of Security Software

[index] [1,305 page views]
Tagged As: Hacking and Security

Matousec has recently shaken up the security software industry with a paper and demonstration showing how to bypass (or kill) the products using nothing more than user-mode code. Called KHOBE, the program makes possible a vulnerability theorized back in the '90s by exploiting a race condition in parameters passing through Win32 / NT API hooks. Hooking is a method where code replaces pointer entries in the SSDT (System Service Descriptor Table) with its own pointers, allowing other functions to run "in the middle" between an application calling the API and the actual API's code being executed. It's a technique used for both good (anti-virus) and evil (rootkits). The attack in question utilizes the concurrency of multi-processing to allow parallel threads to modify parameter structures before they are processed by the real API. In essence, innocuous parameters are passed during the API call which gets intercepted by the hook but before the middleware passes the parameters on to the native API, a concurrent thread alters them back into a malicious version. As for which security products are vulnerable to their KHOBE, "the researchers said that the only reason that they found exploits in only 34 products was that they only had time to test 34 products."



More site content that might interest you:

"$50 dollar bills! $50 dollar bills!" ~ Data, the Goonies


Try your hand at fate and use the site's continuously updating statistical analysis of the MegaMillions and PowerBall lotteries to choose "smarter" number. Remember, you don't have to win the jackpot to win money from the lottery!


Tired of social media sites mining all your data? Try a private, auto-deleting message bulletin board.