Vulnerability Name:

CVE-2006-6621 (CCN-31060)

Assigned:2006-12-15
Published:2006-12-15
Updated:2018-10-17
Summary:Filseclab Personal Firewall 3.0.0.8686 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB.
CVSS v3 Severity:4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: BugTraq Mailing List, Fri Dec 15 2006 - 12:42:11 CST
Bypassing process identification of several personal firewalls and HIPS

Source: MITRE
Type: CNA
CVE-2006-6618

Source: MITRE
Type: CNA
CVE-2006-6619

Source: MITRE
Type: CNA
CVE-2006-6620

Source: MITRE
Type: CNA
CVE-2006-6621

Source: MITRE
Type: CNA
CVE-2006-6622

Source: MITRE
Type: CNA
CVE-2006-6623

Source: MISC
Type: UNKNOWN
http://www.matousec.com/downloads/windows-personal-firewall-analysis/ex-coat.zip

Source: CCN
Type: Matousec Transparent Security Advisory 2006-12-15.01
Bypassing process identification of several personal firewalls and HIPS

Source: MISC
Type: Vendor Advisory
http://www.matousec.com/info/advisories/Bypassing-process-identification-serveral-personal-firewalls-HIPS.php

Source: CCN
Type: OSVDB ID: 33308
AntiHook Process Environment Block (PEB) Process Control Bypass

Source: CCN
Type: OSVDB ID: 33309
AVG Anti-Virus plus Firewall Process Environment Block (PEB) Process Control Bypass

Source: CCN
Type: OSVDB ID: 33310
Comodo Personal Firewall Process Environment Block (PEB) Process Control Bypass

Source: CCN
Type: OSVDB ID: 33311
Filseclab Personal Firewall Process Environment Block (PEB) Process Control Bypass

Source: CCN
Type: OSVDB ID: 33312
Soft4Ever Look 'n' Stop (LnS) Process Environment Block (PEB) Process Control Bypass

Source: CCN
Type: OSVDB ID: 33313
Sygate Personal Firewall Process Environment Block (PEB) Process Control Local Bypass

Source: BUGTRAQ
Type: UNKNOWN
20061215 Bypassing process identification of several personal firewalls and HIPS

Source: BID
Type: UNKNOWN
21615

Source: CCN
Type: BID-21615
Multiple Vendor Firewall HIPS Process Spoofing Vulnerability

Source: CCN
Type: Wilders Security Forums, December 15th, 2006, 04:19 PM
Driver update for "ex-coat" vulnerability

Source: XF
Type: UNKNOWN
multiple-firewall-peb-security-bypass(31060)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:avg:antivirus_plus_firewall:7.5.431:*:*:*:*:*:*:*
  • OR cpe:/a:comodo:comodo_personal_firewall:2.3.6.81:*:*:*:*:*:*:*
  • OR cpe:/a:filseclab:personal_firewall:3.0.8686:*:*:*:*:*:*:*
  • OR cpe:/a:infoprocess:antihook:3.0.23:*:*:*:*:*:*:*
  • OR cpe:/a:soft4ever:look_n_stop:2.05p2:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:sygate_personal_firewall:5.6.2808:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:comodo:comodo_personal_firewall:2.3.6.81:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    avg antivirus plus firewall 7.5.431
    comodo comodo personal firewall 2.3.6.81
    filseclab personal firewall 3.0.8686
    infoprocess antihook 3.0.23
    soft4ever look n stop 2.05p2
    symantec sygate personal firewall 5.6.2808
    comodo comodo personal firewall 2.3.6.81