[21275] in bugtraq
Re: Vulnerability: CylantSecure
daemon@ATHENA.MIT.EDU (Timothy Lawless)
Mon Jul 2 02:49:15 2001
Date: Sat, 30 Jun 2001 12:32:52 -0400 (EDT)
From: Timothy Lawless <lawless@netdoor.com>
To: Juergen Pabel <juergen@pabel.net>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <20010629103829.8028.qmail@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0106301231080.3674-100000@pantheon.wwjh.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Fri, 29 Jun 2001, Juergen Pabel wrote:
-->Summary:
-->
-->CylantSecure is a kernel patch and system that analyses behavior and kills
-->programs that deviates from the "normal" system behaviour. The
-->vulnerability lies in the processessing delay that occurs between a process
-->violating some security rule and the actual killing of the process (a user
-->space analyser). By inserting a module (which in itself is a violation, but
-->due to the mentioned delay it suceeds) that reroutes function pointers the
-->system can effectively be disabled. The vulnerability exists in
-->CylantSecure 1.1 and earlier (the Cylant Team has been notified and is
-->working on a fix).
Attacks against the cylent secure kernel modules is a known issue.
I belive the first refrence I personally saw to such an attack
is describe in an article at:
http://www.securitynewsportal.com/article.php?sid=220
From the posting it seems that the anonymous poster was aware,
and took for granted the delayed detection.
-->
-->Attached is an exploit for this vulnerability.
-->
-->Juergen Pabel
-->juergen@pabel.net
-->
