Outpost firewall can be circumvented
Security specialists Matousec have presented demonstration code which could be used to disable Outpost's self-protection and consequently the firewall itself. No update has yet been made available by Agnitum. Source code for the exploit has been provided - malware writers can simply copy it.
Outpost uses a kernel driver (sandbox.sys) that interacts with numerous system functions in order to deny other programs access to its files. However, Agnitum has overlooked the ZwSetInformationFile function, so an attacker can replace files, including the driver sandbox.sys itself, by calling this system function directly.
The source code given in the security advisory replaces sandbox.sys with a fake version of the driver that does not engage with the Windows kernel functions. Once the system is rebooted, Outpost's self-protection is therefore deactivated. The installation folder can then be deleted almost completely, so that the firewall no longer operates.
The heise Security editorial team was able to utilise the demonstration exploit to disable Outpost 3.0.557.5918 and 4.0.1005.7229. It must be assumed that all intervening versions are also vulnerable. The code requires administrator privileges. Working from a user account with restricted privileges makes the attack more difficult.
- Outpost Bypassing Self-Protection using file links Vulnerability, security advisory from Matousec