DiamondCS Process Guard protection service can be disabled

diamondcs-process-guard-disable-protection (16654) The risk level is classified as Medium Risk

Description:

DiamondCS Process Guard could allow a local attacker to disable the DiamondCS Process Guard protection system, caused by a vulnerability in its implementation. A local attacker could write a malicious program that accesses '\device\physicalmemory\' directly and restores the Service Descriptor Table (SDT) ServiceTable used by the running kernel to its original contents, which would disable the processes that provide protection.

Platforms Affected:

  • Diamond Computer Systems, DiamondCS Process Guard 2.000

Remedy:

Upgrade to the latest version of DiamondCS Process Guard, when it becomes available from the DiamondCS Process Guard Web page. See References.

As a workaround, do not run untrusted programs as an Administrator.

Consequences:

Bypass Security

References:

  • DiamondCS Process Guard Web page, DiamondCS Process Guard - Process Protection System for Windows at http://www.diamondcs.com.au/processguard/.
  • SIG^2 Vulnerability Research Advisory, DiamondCS Process Guard Can Be Disabled by Direct Service Table Restoration at http://www.security.org.sg/vuln/procguard.html.
  • BID-10675: DiamondCS Process Guard Service Description Table Restoration Vulnerability
  • CVE-2004-2477: DiamondCS Process Guard Free 2.000 allows local users to disable the process guard protection system by overwriting the current Service Descriptor Table (SDT) in \device\physicalmemory with the original SDT found in ntoskrnl.exe.
  • SA12033: DiamondCS Process Guard Protection Features Disabling Vulnerability
  • SECTRACK ID: 1010662: DiamondCS Process Guard Can Be Disabled By Local Users

Reported:

Jul 08, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net