Wilders Security Forums  

#1 - December 15th, 2006, 04:19 PM
Frederic (LnS Moderator; Join Date: Jan 2003; Location: France; Posts: 4,354)
Driver update for "ex-coat" vulnerability

Hi All,

An update of lnsfw1 driver is available here:
http://looknstop.soft4ever.com/Beta/...FW1-3.05v2.zip

This is a response to the following advisory:
http://www.matousec.com/info/advisor...walls-HIPS.php

Regards,

Frederic
#2 - December 15th, 2006, 07:43 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,328)

This driver is for those who are running under 2K/XP, for those who don't know…
__________________
"Success is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.” --Dennis Waitley
#3 - December 15th, 2006, 10:47 PM
farmerlee (Very Frequent Poster; Join Date: Jul 2006; Posts: 2,585)

I noticed they tested the p2 version. Is this new driver also for p3?

I was surprised to see Comodo listed there....
__________________
Pryon G930V2
Windows 7 Home Premium 64 bit
Norton 360 v6
Sandboxie
#4 - December 16th, 2006, 03:36 AM
Thomas M (Frequent Poster; Join Date: Jan 2003; Posts: 353)

This must be a new driver, since otherwise Frederic would have posted the message in one of the above threads (like "Sticky: 2.05p3 Package Available").

Can you please confirm, Frederic?

Thank you,
Thomas
#5 - December 16th, 2006, 05:48 AM
Frederic (LnS Moderator; Join Date: Jan 2003; Location: France; Posts: 4,354)

Hi,

Yes, this driver is for Win2k/XP, it can be used on top of 2.05p2 or 2.05p3.
It can also be used under Vista (it is based on the Vista driver patch which is version 3.05v1, and this new one is 3.05v2).

It also contains the fix for the case-sensitivity issue with "Unknown"/"UNKNOWN" when an application's parent name is not retrieved.

Frederic
#6 - December 16th, 2006, 11:28 AM
ubuntu (Infrequent Poster; Join Date: May 2006; Location: China; Posts: 22)

Hi Frederic

When will you release a special Chinese beta driver which supports the GBK character set translation and fixes the "ex-coat" vulnerability?

thanks
__________________
Use no way as way; have no limitation as limitation.
#7 - December 18th, 2006, 11:07 AM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,328)

Today I thought I'd give this driver a go. After updating the driver and restarting Windows XP Home, a crash happens while Windows is loading and the system reboots.

--
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f57b6443, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
lnsfw1+a443
f57b6443 0fbe11 movsx edx,byte ptr [ecx]

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: avast.setup

LAST_CONTROL_TRANSFER: from f57b8591 to f57b6443

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b965722c f57b8591 00000140 b9657433 829290b8 lnsfw1+0xa443
b965727c f57b8e7a 00000000 00000140 000007b8 lnsfw1+0xc591
b9657554 f57afa8e 00000000 829290b8 82c386e8 lnsfw1+0xce7a
b96575b0 f57acd4c 82c06598 82929008 8292909c lnsfw1+0x3a8e
b965760c f57ad791 82c06598 82929008 8292909c lnsfw1+0xd4c
b965767c 804e37f7 82c064e0 82929008 82bea9f0 lnsfw1+0x1791
b965773c 805635e7 00000000 00000001 ffdff120 nt!IopfCallDriver+0x31
b96576f4 f76514fa 82bea9c0 82929008 829290c0 nt!ObpCaptureObjectCreateInformation+0x19c
b9657760 f7651a57 82bea9c0 82929008 829290c0 aswTdi+0x4fa
b96577cc 804e37f7 82bea908 82929008 82929008 aswTdi+0xa57
b96577dc 8057069a 82c70f00 82cfce64 b9657984 nt!IopfCallDriver+0x31
b96578bc 8056316c 82c70f18 00000000 82cfcdc0 nt!IopParseDevice+0xa58
b9657944 8056729a 00000000 b9657984 00000240 nt!ObpLookupObjectName+0x56a
b9657998 80570b73 00000000 00000000 c310e400 nt!ObOpenObjectByName+0xeb
b9657a14 80570c42 82cb0d08 02000000 b9657bb8 nt!IopCreateFile+0x407
b9657a70 f5745483 82cb0d08 02000000 b9657bb8 nt!IoCreateFile+0x8e
b9657c24 f574c2c7 82c6cfb8 82ccdf38 b9657c58 afd!AfdBind+0x2dc
b9657c34 804e37f7 82c77f18 82c31008 806ee2d0 afd!AfdDispatchDeviceControl+0x53
b9657c44 8056a101 82c310e4 82ec58a8 82c31008 nt!IopfCallDriver+0x31
b9657c58 80579a8a 82c77f18 82c31008 82ec58a8 nt!IopSynchronousServiceTail+0x60
b9657d00 8057bfa5 00000724 00000734 00000000 nt!IopXxxControlFile+0x611
b9657d34 804de7ec 00000724 00000734 00000000 nt!NtDeviceIoControlFile+0x2a
b9657d34 7c90eb94 00000724 00000734 00000000 nt!KiFastCallEntry+0xf8
0011f4cc 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
lnsfw1+a443
f57b6443 0fbe11 movsx edx,byte ptr [ecx]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: lnsfw1

IMAGE_NAME: lnsfw1.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45830a6b

SYMBOL_NAME: lnsfw1+a443

FAILURE_BUCKET_ID: 0xD1_lnsfw1+a443

BUCKET_ID: 0xD1_lnsfw1+a443

Followup: MachineOwner
---------
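For readers who want the useful facts out of a bugcheck like the one above without reading the whole dump, here is an added triage parser written for this page; it is not part of Phant0m's post and not an LnS or Microsoft tool. DUMP is an excerpt of the posted `!analyze -v` output; the IRQL name table and the reading applied to bugcheck 0xD1 are ours, and the patterns only cover the fields shown in that dump.

```python
import re

# x86 IRQL values (DISPATCH_LEVEL = 2). Bugcheck 0xD1 means a driver touched
# pageable or invalid memory while running at or above this level.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

# Excerpt of the !analyze -v output posted in this thread (fields trimmed).
DUMP = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f57b6443, address which referenced memory

FAULTING_IP:
lnsfw1+a443
f57b6443 0fbe11 movsx edx,byte ptr [ecx]

PROCESS_NAME: avast.setup

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b965722c f57b8591 00000140 b9657433 829290b8 lnsfw1+0xa443
b965727c f57b8e7a 00000000 00000140 000007b8 lnsfw1+0xc591
b965767c 804e37f7 82c064e0 82929008 82bea9f0 lnsfw1+0x1791
b965773c 805635e7 00000000 00000001 ffdff120 nt!IopfCallDriver+0x31
b9657760 f7651a57 82bea9c0 82929008 829290c0 aswTdi+0x4fa
b9657c24 f574c2c7 82c6cfb8 82ccdf38 b9657c58 afd!AfdBind+0x2dc

MODULE_NAME: lnsfw1
IMAGE_NAME: lnsfw1.sys
FAILURE_BUCKET_ID: 0xD1_lnsfw1+a443
"""


def parse_analyze(text):
    """Pull the fields a triage needs out of !analyze -v text."""
    info = {}
    head = re.search(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    info["bugcheck_name"] = head.group(1) if head else None
    info["bugcheck"] = int(head.group(2), 16) if head else None
    # Arg1..Arg4 are printed as eight hex digits followed by their meaning.
    info["args"] = {int(n): int(v, 16)
                    for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]{8})", text, re.M)}
    # FAULTING_IP is followed by "module+offset" and then "addr bytes disasm".
    fip = re.search(r"^FAULTING_IP:\s*\n(\S+)\s*\n[0-9a-f]{8} [0-9a-f]+ (.+)$", text, re.M)
    info["faulting_symbol"] = fip.group(1) if fip else None
    info["faulting_insn"] = fip.group(2).strip() if fip else None
    for key in ("PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID"):
        m = re.search(r"^" + key + r":\s*(\S+)", text, re.M)
        info[key.lower()] = m.group(1) if m else None
    # One frame per line: child SP, return address, three args, symbol.
    info["stack"] = re.findall(
        r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)[ \t]*$", text, re.M)
    info["frames_unreliable"] = "Following frames may be wrong" in text
    return info


def triage(info):
    """Plain-language reading using the documented 0xD1 argument meanings:
    Arg1 = address, Arg2 = IRQL, Arg3 = 0 read / 1 write, Arg4 = faulting PC."""
    if info["bugcheck"] != 0xD1:
        return f"{info['bugcheck_name']} in {info['image_name']} (no 0xD1 reading applied)"
    a = info["args"]
    op = "write to" if a[3] == 1 else "read of"
    target = "a NULL pointer (Arg1 = 0)" if a[1] == 0 else f"address {a[1]:08x}"
    irql = IRQL_NAMES.get(a[2], f"level {a[2]}")
    mod = str(info["module_name"])
    frames = info["stack"]
    own = [i for i, f in enumerate(frames) if f.startswith(mod + "+")]
    # The frame just below the last module frame is what called into the driver.
    caller = frames[own[-1] + 1] if own and own[-1] + 1 < len(frames) else "?"
    note = " (unwind info missing: frames may be wrong)" if info["frames_unreliable"] else ""
    return (f"{info['image_name']}: {op} {target} at IRQL {a[2]} ({irql}) in "
            f"{info['faulting_symbol']} [{info['faulting_insn']}], process "
            f"{info['process_name']}; {len(own)} {mod} frame(s), entered via {caller}{note}")


def summary(text=DUMP):
    """One-line triage of a dump (defaults to the excerpt above)."""
    return triage(parse_analyze(text))


if __name__ == "__main__":
    print(summary())
```

Applied to the posted dump this reads: Arg1 = 0 with Arg3 = 0 is a read through a NULL pointer, Arg2 = 2 puts it at DISPATCH_LEVEL, and `movsx edx, byte ptr [ecx]` is a one-byte sign-extending load through ecx, the shape of a byte-wise string or buffer access whose base pointer was NULL. Arg4 (f57b6443) is the same address as lnsfw1+a443. The three lnsfw1 frames sit under nt!IopfCallDriver, reached from afd!AfdBind via IoCreateFile and aswTdi during a socket bind in avast.setup, which places the crash in the driver's TDI path. The WARNING line means the frames inside lnsfw1 may be wrong since the module has no unwind data; the DEBUG_FLR_IMAGE_TIMESTAMP (45830a6b) is what identifies the exact build to the vendor.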
#8 - December 19th, 2006, 02:52 PM
Frederic (LnS Moderator; Join Date: Jan 2003; Location: France; Posts: 4,354)

Quote:
Originally Posted by ubuntu
Hi Frederic

When will you release a special Chinese beta driver which support GBK character set translation and fix "ex-coat" vulnerability ?

thanks
Here is the driver update for the Chinese version of the driver:
http://looknstop.soft4ever.com/Beta/...inese%20c4.zip

Thanks Ubuntu for the tests (which have revealed an issue).

Regards,

Frederic
#9 - December 19th, 2006, 02:58 PM
Frederic (LnS Moderator; Join Date: Jan 2003; Location: France; Posts: 4,354)

Quote:
Originally Posted by Phant0m
Today I thought I'd give this driver a go, after updating the driver and restarted Windows XP Home, upon Windows loading a crash happens and system is re-booted.
We actually encountered the same issue with Ubuntu on the Chinese version of the driver.

After investigation, it appears the issue is applicable to the first (non-Chinese) version as well, as experienced by Phant0m.
So, an update of this driver fixing the issue (thanks Phant0m for the test) is available here:
http://looknstop.soft4ever.com/Beta/...FW1-3.05v3.zip

Regards,

Frederic
#10 - December 19th, 2006, 03:18 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,328)

Frederic is always quick to fix bugs and issues; thanks Fred.
#11 - December 19th, 2006, 10:41 PM
Enig123 (Infrequent Poster; Join Date: Oct 2006; Posts: 11)

There's a problem after upgrading to patch v3, which is that LnS now stops checking executable files for CRC changes.

BTW, I'm under win2k3 standard 32-bit English version.
#12 - December 19th, 2006, 10:53 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,328)

You're absolutely right, no warnings for application changes.
#13 - December 20th, 2006, 03:39 AM
Thomas M (Frequent Poster; Join Date: Jan 2003; Posts: 353)

Yes, exactly: I updated to the latest Firefox & Thunderbird, and LnS did not alert me about the updated *.exe. Even more, I could not connect to anything with the updated Firefox.
So I went back to the old driver....

Thomas
#14 - December 20th, 2006, 08:17 AM
Frederic (LnS Moderator; Join Date: Jan 2003; Location: France; Posts: 4,354)

Hi,

Yes, I confirm this issue.
Working on it...

Frederic
#15 - December 20th, 2006, 10:58 AM
Frederic (LnS Moderator; Join Date: Jan 2003; Location: France; Posts: 4,354)

Here is an update:
http://looknstop.soft4ever.com/Beta/...FW1-3.05v4.zip
And for the Chinese character set:
http://looknstop.soft4ever.com/Beta/...inese%20c5.zip

Sorry for all these updates

Thanks Enig123 & Thomas for having reported the issue.

Regards,

Frederic
#16 - December 21st, 2006, 06:45 AM
halcyon (Frequent Poster; Join Date: May 2003; Posts: 370)

Frederic, to confirm:

3.05v4 fixes the issue when "LnS did not alert me about the updated *.exe" ?

I can't find a changelog...
#17 - December 21st, 2006, 07:31 AM
Frederic (LnS Moderator; Join Date: Jan 2003; Location: France; Posts: 4,354)

Yes, this last update is supposed to fix that.

3.05v1 => First driver for Vista (based on 3.05 from 2.05p3)
3.05v2 => First try for ex-coat detection
3.05v3 => Fixing the crash reported by Phant0m
3.05v4 => Fixing the problem for exe change no longer detected

Frederic
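The check this thread keeps coming back to (Frederic's note in #5 about "Unknown"/"UNKNOWN" parent names, and the #11-#13 reports, fixed in 3.05v4, that an updated .exe no longer triggered an alert) is a per-rule fingerprint of the executable. The following is an added illustration written for this page in Python; it is not Look 'n' Stop code, not its driver and not its rule format. The rule table, the UNKNOWN_PARENT sentinel, the verdict strings and the fake executables written to a temporary directory are all constructed assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_PARENT = "UNKNOWN"  # assumed sentinel for "parent name not retrieved"


def norm(name: Optional[str]) -> str:
    """Normalize an image path or parent name for rule lookup.

    Windows paths are case-insensitive, so rules must be keyed on a folded
    form. A missing parent, and any spelling of "unknown", map to the single
    UNKNOWN_PARENT sentinel so that "Unknown" and "UNKNOWN" hit the same rule
    (the mismatch Frederic fixed in post #5 was exactly a case difference).
    """
    if not name or name.upper() == UNKNOWN_PARENT:
        return UNKNOWN_PARENT
    return name.replace("/", "\\").lower()


def sha256_file(path: str) -> str:
    """Digest of the on-disk image. LnS uses a CRC, which is enough to notice
    an update; a cryptographic hash also resists deliberate collisions."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Rule:
    path: str     # normalized image path
    parent: str   # normalized parent name or UNKNOWN_PARENT
    digest: str   # digest of the image when the user answered the prompt
    allow: bool


class RuleTable:
    """Rules are keyed on (image, parent); a stored verdict is only reused
    while the image's bytes still match the digest recorded with the rule."""

    def __init__(self) -> None:
        self._rules: Dict[Tuple[str, str], Rule] = {}

    def learn(self, path: str, parent: Optional[str], allow: bool) -> Rule:
        rule = Rule(norm(path), norm(parent), sha256_file(path), allow)
        self._rules[(rule.path, rule.parent)] = rule
        return rule

    def decide(self, path: str, parent: Optional[str]) -> str:
        """'allow'/'deny' from a matching rule, 'no-rule' if none matches, and
        'changed' if the image no longer matches the recorded digest: the user
        must be prompted again and the old verdict must not be applied."""
        rule = self._rules.get((norm(path), norm(parent)))
        if rule is None:
            return "no-rule"
        if sha256_file(path) != rule.digest:
            return "changed"
        return "allow" if rule.allow else "deny"


def demo() -> List[str]:
    """Constructed scenario: allow Firefox.exe once with no parent name, then
    check (a) the same image with the parent reported as "Unknown", (b) the
    same image under a different parent, (c) the image after its bytes changed
    (a legitimate update, or something else written over the trusted file)."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "Firefox.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed firefox 1.5")
        table = RuleTable()
        table.learn(exe, None, allow=True)
        results.append(table.decide(exe, "Unknown"))       # allow
        results.append(table.decide(exe, "explorer.exe"))  # no-rule
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed firefox 2.0")
        results.append(table.decide(exe, None))            # changed
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the "changed" verdict is that a cached allow for Firefox.exe must not carry over to different bytes at the same path, whether that is Thomas M's Firefox update in #13 or a file an attacker wrote over a trusted one; 3.05v3 was silently returning the old verdict. One caveat for anyone building this: the digest describes the on-disk bytes at the moment the check runs, which is not automatically the image already mapped into the new process, so if the file can be rewritten between process start and the check, the verdict and the running code diverge. The thread does not describe the matousec technique, so this example makes no claim about what "ex-coat" actually does.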
#18 - December 23rd, 2006, 01:30 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,328)

I had some spare time to waste, so I decided to perform some runs with some of the leaktests available… Here are a limited few:

  • Copycat - Passes
  • WallBreaker - Passes [3/4]
  • PCAudit2 - Passes
  • BreakOut v1 - NOT-TESTED
  • BreakOut v3 - Passes
  • Jumper - Passes
  • PCFlank - Passes
  • CPILSuite v1.0.0.1 - Passes
  • CPIL - Passes
  • DNSTesters - fails
  • pcAudit v3.0.0.9 - fails
  • pcAudit v6.3 – fails
  • osfwbypass-demo - fails

Passes = Breached security, fails = Failure to breach security


Was LNSFW1-3.05v4 enhanced (other than the ex-coat support, and some minor bug fixes introduced with the ex-coat support…) in any way, compared with the LNSFW1.sys driver pre-bundled with 2.05p3, that would affect some other leaktests? The reason I ask is that different firewall leaktest ratings show Look 'n' Stop v2.05p3, even with its highest settings, failing some like DNSTesters, PCAudit2 and osfwbypass-demo, while my thorough tests show just the opposite…

A little more information is available at http://www.mntolympus.org/phpbb2/viewtopic.php?t=3709
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums