CVE-2009-2450 – Online Armor < 3.5.0.12 - 'OAmon.sys' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2009-2450
The OAmon.sys kernel driver 3.1.0.0 and earlier in Tall Emu Online Armor Personal Firewall AV+ before 3.5.0.12, and Personal Firewall 3.5 before 3.5.0.14, allows local users to gain privileges via crafted METHOD_NEITHER IOCTL requests to \Device\OAmon containing arbitrary kernel addresses, as demonstrated using the 0x830020C3 IOCTL. El controlador del kernel OAmon.sys v 3.1.0.0 y anteriores en Tall Emu Online Armor Personal Firewall AV+ anterior a v3.5.0.12, y Personal Firewall 3.5 anterior a v3.5.0.14, permite a usuarios locales obtener privilegios a través de peticiones METHOD_NEITHER IOCTL modificadas a \Device\OAmon que contienen direcciones del kernel de su elección como se ha demostrado empleadon el IOCTL 0x830020C3. • https://www.exploit-db.com/exploits/8875 http://milw0rm.com/sploits/2009-OAmon_Exp.zip http://www.exploit-db.com/exploits/8875 http://www.ntinternals.org/ntiadv0806/ntiadv0806.html http://www.securityfocus.com/bid/35227 https://exchange.xforce.ibmcloud.com/vulnerabilities/50960 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2007-4967
https://notcve.org/view.php?id=CVE-2007-4967
Online Armor Personal Firewall 2.0.1.215 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via unspecified kernel SSDT hooks for Windows Native API functions including (1) NtAllocateVirtualMemory, (2) NtConnectPort, (3) NtCreateFile, (4) NtCreateKey, (5) NtCreatePort, (6) NtDeleteFile, (7) NtDeleteValueKey, (8) NtLoadKey, (9) NtOpenFile, (10) NtOpenProcess, (11) NtOpenThread, (12) NtResumeThread, (13) NtSetContextThread, (14) NtSetValueKey, (15) NtSuspendProcess, (16) NtSuspendThread, and (17) NtTerminateThread. Online Armor Personal Firewall 2.0.1.215 no valida adecuadamente ciertos parámetros a los manejadores de funciones de Tablas de Descripción de Servicios del Sistema (SSDT), lo cual permite a atacantes remotos provocar una denegación de servicio (caída) y posiblemente obtener privilegios mediante ganchos SSDT del núcleo para funciones de la API nativa de Windows entre las que se incluyen (1) NtAllocateVirtualMemory, (2) NtConnectPort, (3) NtCreateFile, (4) NtCreateKey, (5) NtCreatePort, (6) NtDeleteFile, (7) NtDeleteValueKey, (8) NtLoadKey, (9) NtOpenFile, (10) NtOpenProcess, (11) NtOpenThread, (12) NtResumeThread, (13) NtSetContextThread, (14) NtSetValueKey, (15) NtSuspendProcess, (16) NtSuspendThread, y (17) NtTerminateThread. • http://osvdb.org/45951 http://www.matousec.com/info/advisories/plague-in-security-software-drivers.php http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php http://www.securityfocus.com/archive/1/479830/100/0/threaded http://www.securityfocus.com/bid/25711 • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVE-2006-6619 – Multiple Vendor Firewall - HIPS Process Spoofing
https://notcve.org/view.php?id=CVE-2006-6619
AVG Anti-Virus plus Firewall 7.5.431 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. AVG Anti-Virus plus Firewall 7.5.431 depende del Process Environment Block (PEB) para la identificación de un proceso, el cual permite a usuarios locales evitar los controles del producto en el proceso mediante la simulación de los campos (1) ImagePathName, (2) CommandLine y(3) WindowTitle en el PEB • https://www.exploit-db.com/exploits/29287 http://www.matousec.com/downloads/windows-personal-firewall-analysis/ex-coat.zip http://www.matousec.com/info/advisories/Bypassing-process-identification-serveral-personal-firewalls-HIPS.php http://www.securityfocus.com/archive/1/454522/100/0/threaded http://www.securityfocus.com/bid/21615 •
CVE-2006-6622
https://notcve.org/view.php?id=CVE-2006-6622
Soft4Ever Look 'n' Stop (LnS) 2.05p2 before 20061215 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. Soft4Ever Look 'n' Stop (LnS) 2.05p2 en versiones anteriores a 20061215 depende del Process Environment Block (PEB) para la identificación de un proceso, el cual permite a usuarios locales evitar los controles del producto en el proceso mediante la simulación de los campos (1) ImagePathName, (2) CommandLine y(3) WindowTitle en el PEB. • http://www.matousec.com/downloads/windows-personal-firewall-analysis/ex-coat.zip http://www.matousec.com/info/advisories/Bypassing-process-identification-serveral-personal-firewalls-HIPS.php http://www.securityfocus.com/archive/1/454522/100/0/threaded http://www.securityfocus.com/bid/21615 http://www.wilderssecurity.com/showthread.php?t=158155 •
CVE-2006-6620
https://notcve.org/view.php?id=CVE-2006-6620
Comodo Personal Firewall 2.3.6.81 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. Comodo Personal Firewall 2.3.6.81 depende del Process Environment Block (PEB) para la identificación de un proceso, el cual permite a usuarios locales evitar los controles del producto en el proceso mediante la simulación de los campos (1) ImagePathName, (2) CommandLine y(3) WindowTitle en el PEB. • http://www.matousec.com/downloads/windows-personal-firewall-analysis/ex-coat.zip http://www.matousec.com/info/advisories/Bypassing-process-identification-serveral-personal-firewalls-HIPS.php http://www.securityfocus.com/archive/1/454522/100/0/threaded http://www.securityfocus.com/bid/21615 •