Vulnerability Name:

CVE-2007-4970 (CCN-36667)

Assigned: 2007-09-18
Published: 2007-09-18
Updated: 2018-10-15
Summary: ProcessGuard 3.410 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via kernel SSDT hooks for Windows Native API functions including (1) NtCreateFile, (2) NtCreateKey, (3) NtDeleteValueKey, (4) NtOpenFile, (5) NtOpenKey, and (6) NtSetValueKey.
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:U/RC:UR)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
6.1 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:U/RC:UR)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Privileges
References:

Source: CCN
Type: BugTraq Mailing List, Tue Sep 18 2007 - 11:26:12 CDT
Plague in (security) software drivers & BSDOhook utility

Source: MITRE
Type: CNA
CVE-2007-4967

Source: MITRE
Type: CNA
CVE-2007-4968

Source: MITRE
Type: CNA
CVE-2007-4969

Source: MITRE
Type: CNA
CVE-2007-4970

Source: MITRE
Type: CNA
CVE-2007-4971

Source: MITRE
Type: CNA
CVE-2007-4972

Source: MITRE
Type: CNA
CVE-2007-5039

Source: MITRE
Type: CNA
CVE-2007-5040

Source: MITRE
Type: CNA
CVE-2007-5041

Source: MITRE
Type: CNA
CVE-2007-5042

Source: MITRE
Type: CNA
CVE-2007-5043

Source: MITRE
Type: CNA
CVE-2007-5044

Source: MITRE
Type: CNA
CVE-2007-5047

Source: OSVDB
Type: UNKNOWN
45954

Source: CCN
Type: Outpost Firewall PRO Web site
Outpost Firewall PRO - Personal Firewall

Source: CCN
Type: ProcessGuard Web site
Rootkit protection, stop the worst spyware trojans. DiamondCS ProcessGuard rootkit prevention

Source: CCN
Type: G DATA InternetSecurity 2007 Web site
G Data Software AG

Source: CCN
Type: Ghost Security Suite Web site
Ghost Security - Security Software, Freeware and Shareware

Source: CCN
Type: Kaspersky Internet Security Web site
Antivirus Software: Kaspersky Lab - Protection Against CrimeWare

Source: CCN
Type: MatouSec Transparent Security Advisory 2007-09-18.01
Plague in (security) software drivers [SSDT hooking]

Source: MISC
Type: UNKNOWN
http://www.matousec.com/info/advisories/plague-in-security-software-drivers.php

Source: CCN
Type: MatouSec Transparent Security Web site
Plague in (security) software drivers

Source: MISC
Type: UNKNOWN
http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php

Source: CCN
Type: RegMon Web site
RegMon for Windows v7.04

Source: CCN
Type: Process Monitor Web site
Process Monitor v1.22

Source: CCN
Type: OSVDB ID: 37990
Kaspersky Multiple Products Multiple SSDT Functions Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45895
Ghost Security Suite SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45896
G DATA InternetSecurity SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45897
Symantec Norton Internet Security SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45898
ZoneAlarm Pro SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45899
Outpost Firewall Pro SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45951
Online Armor Personal Firewall SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45952
Privatefirewall SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45953
Process Monitor SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45954
ProcessGuard SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45956
ProSecurity SSDT Hooks Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 45957
RegMon SSDT Hooks Local Privilege Escalation

Source: CCN
Type: ProSecurity Web site
Prosecurity -- New&Proactive HIPS

Source: BUGTRAQ
Type: UNKNOWN
20070918 Plague in (security) software drivers & BSDOhook utility

Source: CCN
Type: BID-25705
G DATA Internet Security SSDT Hooks Multiple Local Vulnerabilities

Source: CCN
Type: BID-25709
Ghost Security Suite SSDT Hooks Multiple Local Vulnerabilities

Source: CCN
Type: BID-25711
Online Armor Personal Firewall SSDT Hooks Multiple Local Vulnerabilities

Source: CCN
Type: BID-25712
Privatefirewall SSDT Hooks Multiple Local Vulnerabilities

Source: BID
Type: UNKNOWN
25714

Source: CCN
Type: BID-25714
DiamondCS ProcessGuard SSDT Hooks Multiple Local Vulnerabilities

Source: CCN
Type: BID-25718
ProSecurity SSDT Hooks Multiple Local Vulnerabilities

Source: CCN
Type: BID-25719
Microsoft Process Monitor SSDT Hooks Multiple Local Vulnerabilities

Source: CCN
Type: BID-25721
Microsoft RegMon SSDT Hooks Multiple Local Vulnerabilities

Source: CCN
Type: Norton Internet Security 2008 Web site
Norton Internet Security : Anti Virus Software - Anti Spyware

Source: CCN
Type: Online Armor Security Suite Web site
Online Armor - Home

Source: CCN
Type: ZoneAlarm Pro Web site
ZoneAlarm by Check Point - Award winning PC Protection, Antivirus, Firewall, Anti-Spyware, Identity Protection, and much more.

Source: XF
Type: UNKNOWN
firewall-ssdt-privilege-escalation(36667)

Source: CCN
Type: Privatefirewall Web site
Privatefirewall

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:diamondcs:processguard:3.410:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:iss_blackice_pc_protection:3.6:*:*:*:*:*:*:*
  • OR cpe:/a:isecsoft:prosecurity:1.40_beta_2:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_internet_security:2008:*:*:*:*:*:*:*

* Denotes that component is vulnerable
  • diamondcs processguard 3.410
  • ibm iss blackice pc protection 3.6
  • isecsoft prosecurity 1.40_beta_2
  • symantec norton internet security 2008