Re: Vulnerability: CylantSecure

[Timothy Lawless <lawless () netdoor com>]

On Fri, 29 Jun 2001, Juergen Pabel wrote:

-->Summary:
-->
-->CylantSecure is a kernel patch and system that analyses behavior and kills
-->programs that deviates from the "normal" system behaviour. The
-->vulnerability lies in the processessing delay that occurs between a process
-->violating some security rule and the actual killing of the process (a user
-->space analyser). By inserting a module (which in itself is a violation, but
-->due to the mentioned delay it suceeds) that reroutes function pointers the
-->system can effectively be disabled. The vulnerability exists in
-->CylantSecure 1.1 and earlier (the Cylant Team has been notified and is
-->working on a fix).

Attacks against the cylent secure kernel modules is a known issue.

I belive the first refrence I personally saw to such an attack
is describe in an article at:
http://www.securitynewsportal.com/article.php?sid=220

> From the posting it seems that the anonymous poster was aware,
and took for granted the delayed detection.


-->
-->Attached is an exploit for this vulnerability.
-->
-->Juergen Pabel
-->juergen () pabel net
-->