‘Windows Personal Firewall Analysis’

Summary

During Matousek security analyses of personal firewalls and other security-related software that uses SSDT hooking, Matousek found out that many vendors simply do not implement the hooks in a proper way. This allows local Denial of Service by unprivileged users or even privilege escalations exploits to be created. 100% of tested personal firewalls that implement SSDT hooks do or did suffer from this vulnerability! This article reviews the results of our testing and describes how a proper SSDT hook handler should be implemented. Matousek also introduced BSODhook – a handy tool for every developer that deals with SSDT hooks and a possible cure for the plague in today’s Windows drivers world.’

Credit:

‘The information has been provided by Matousec – Transparent security Research.
The original article can be found at: http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php


Details

Introduction
Hooking kernel functions by modifying the System Service Descriptor Table (SSDT) is a very popular method of implementation of additional security features and is used frequently by personal firewalls and other security and low-level software. Although undocumented and despised by Microsoft, this technique can be implemented in a correct and stable way. However, many software vendors do not follow the rules and recommendations for kernel-mode code writing and many drivers that implement SSDT hooking do not properly validate the parameters of the hooking functions.

Microsoft’s Common Driver Reliability Issues document describes the correct parameter checking and contains many important notes to problems related to writing Windows drivers. Many vendors of today’s software do not bother to read such documents and their implementations are thus vulnerable, and making the stable and trustworthy Windows kernel unreliable.

Parameters to SSDT function handlers are passed directly from user-mode and therefore must be checked before they are used. This article shows some incorrect implementations of SSDT hooking functions and describes how a proper validity check should be performed on various parameter types. To understand the following text, you will need some knowledge of Windows NT architecture. We do not cover a proper implementation of SSDT hooking techniques here. We focus on parameter validation problems. Some related and interesting information can be also found in Microsoft’s Memory Management: What Every Driver Writer Needs to Know document.’

Categories: Reviews