
Vulnerability of Antivirus: bypassing SSDT Hooking

Synthesis of the vulnerability

When an antivirus redirects (hooks) the SSDT to detect viruses, a local attacker can exploit an atomicity error (a time-of-check/time-of-use race) to bypass this protection.
Impacted products: Avast AV, CA Antivirus, F-Secure AV, AVG AntiVirus, Kaspersky AV, VirusScan, Norton Antivirus Plus, Norton Internet Security, Panda AV, Panda Internet Security, Symantec AV.
Severity of this bulletin: 2/4.
Number of vulnerabilities in this bulletin: 13.
Creation date: 10/05/2010.
Revision date: 11/05/2010.
References of this threat: CVE-2010-5151, CVE-2010-5152, CVE-2010-5154, CVE-2010-5156, CVE-2010-5161, CVE-2010-5163, CVE-2010-5166, CVE-2010-5167, CVE-2010-5168, CVE-2010-5171, CVE-2010-5172, CVE-2010-5177, CVE-2010-5179, VIGILANCE-VUL-9633.

Description of the vulnerability

The SSDT (System Service Descriptor Table) holds the kernel's references to the system call handlers, for example:
 - NtCreateKey: create a registry key
 - NtCreateThread: create a thread
 - NtDeleteFile: delete a file
 - etc.

Antivirus products redirect entries of this table to their own verification functions. Several implementations check the parameters, then call the original system call. However, between these two operations a local attacker can change the parameters of the system call, because they reside in user-mode memory and are read again by the original handler. An attacker can therefore write a program that passes legitimate parameters for the check, then changes them just before the original system call runs.

When an antivirus redirects the SSDT to detect viruses, a local attacker can therefore use an atomicity error, in order to bypass this protection.
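As an added illustration (constructed here, not code from the bulletin or from any of the listed vendors), the C simulation below contrasts a hook that re-reads the user-mode parameter after checking it with one that captures the parameter once into kernel-owned memory. The `mutate` callback stands in for the concurrent thread that rewrites the buffer between check and use, and the `C:\AV\` protected-path policy is an assumption.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed simulation of the bulletin's atomicity error: the "user
 * buffer" is plain memory shared with a caller-supplied mutator that
 * models a second thread running in the check-to-use window. */
enum { PATH_MAX_SIM = 64 };

/* Stand-in for the original NtDeleteFile handler; records what it acted on. */
static char last_deleted[PATH_MAX_SIM];
static bool original_delete(const char *path) {
    strncpy(last_deleted, path, PATH_MAX_SIM - 1);
    last_deleted[PATH_MAX_SIM - 1] = '\0';
    return true;
}
const char *last_deleted_path(void) { return last_deleted; }

/* Assumed policy: the antivirus refuses deletes under its own directory. */
static bool path_allowed(const char *path) {
    return strncmp(path, "C:\\AV\\", 6) != 0;
}

/* Vulnerable hook: validates the user buffer, then passes the SAME
 * pointer to the original service, which reads it a second time. */
bool hook_vulnerable(char *user_path, void (*mutate)(char *)) {
    if (!path_allowed(user_path))     /* time of check: first read */
        return false;
    if (mutate) mutate(user_path);    /* window: buffer is rewritten */
    return original_delete(user_path);/* time of use: second read   */
}

/* Hardened hook: copies the parameter into kernel-owned memory once,
 * validates the copy, and hands only the copy to the original service.
 * A later change to the user buffer cannot alter what is executed. */
bool hook_hardened(char *user_path, void (*mutate)(char *)) {
    char kpath[PATH_MAX_SIM];
    strncpy(kpath, user_path, PATH_MAX_SIM - 1);
    kpath[PATH_MAX_SIM - 1] = '\0';   /* single fetch */
    if (!path_allowed(kpath))
        return false;
    if (mutate) mutate(user_path);    /* same window, now harmless */
    return original_delete(kpath);
}

/* Constructed stand-in for the concurrent thread: swaps in a protected path. */
void swap_to_protected(char *buf) { strcpy(buf, "C:\\AV\\engine.dll"); }
```

The same capture-then-validate pattern applies to any pointer or structure argument the hook inspects, not only paths.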

This weakness announcement impacts software or systems such as Avast AV, CA Antivirus, F-Secure AV, AVG AntiVirus, Kaspersky AV, VirusScan, Norton Antivirus Plus, Norton Internet Security, Panda AV, Panda Internet Security, Symantec AV.

Our Vigil@nce team determined that the severity of this vulnerability alert is medium.

The trust level is: confirmed by a trusted third party. The attack origin is: user shell.

This bulletin is about 13 vulnerabilities.

An attacker with expert ability can exploit this computer threat announcement.

Solutions for this threat

Full bulletin, software filtering, emails, fixes, ... (Request your free trial)
