At the Black Hat Conference in Amsterdam, two independent security experts demonstrated a new tool called “Vboot Kit.” Vboot Kit is launched from a CD and boots Windows Vista, making instant, on-the-fly changes to memory and to files as they are read. During their demonstration, Nitin and Vipin Kumar were able to boot Vista and issue commands to a CMD shell with kernel privileges. They did this with code that carried no Microsoft signature.
Microsoft backs digital signing as a security mechanism for Vista. “In Microsoft Windows Vista, new features take advantage of code-signing technologies, and new requirements for security in the operating system enforce the use of digital signatures for some kinds of code,” says Microsoft.
Microsoft lists, for example: “Administrator privilege is required to install unsigned kernel-mode components. This includes device drivers, filter drivers, services, and so on. This applies for all development phases, including pre-release product code and non-product code such as tests. Driver binaries that load at boot time must contain an embedded signature.” Vboot Kit removed each of those protections.
The two researchers outlined their talk and the tool on the Black Hat website: “Vboot Kit is a first-of-its-kind technology to demonstrate Windows Vista kernel subversion using a custom boot sector. Vboot Kit shows how custom boot sector code can be used to circumvent the whole protection and security mechanisms of Windows Vista. The booting process of Windows Vista is substantially different from the earlier versions of Windows.”
While the tool still needs physical access to the computer, the method and the premise of the talk were sound. Several security sites online have agreed that the issue of concern is that at every stage of the boot process Vista works on blind faith: it assumes that everything that ran before it ran cleanly and made no malicious edits. Vboot Kit copies itself into memory before Vista boots, which allows it to capture INT 13 (interrupt 0x13), the twentieth interrupt vector on an x86-based computer system. INT 13 is used by operating systems, and by other system processes, to read and access sectors of the hard drive.
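The “blind faith” point above, that each boot stage trusts the one before it instead of checking it, is easier to see with a small model. The following Python is an added example, not code from the article or from the researchers: it models a three-stage boot chain over constructed sample images (not real Windows boot code) and contrasts a start-up check that only looks at the 0x55AA marker with a chain in which a root-of-trust hash is used to verify each stage before it is allowed to run. The names `build_chain`, `verify_chain`, `blind_faith_boot` and `with_modified_stage` are this example's own.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed sample images, not real Windows boot code: a 512-byte boot
# sector that ends in the 0x55AA marker, followed by two later stages.
BOOT_SECTOR = b"\xeb\x3c\x90" + b"\x00" * 507 + b"\x55\xaa"
BOOT_MANAGER = b"constructed boot manager image"
KERNEL = b"constructed kernel image"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_chain(images: List[Tuple[str, bytes]]) -> List[dict]:
    """Each stage records the hash of the stage that follows it, so a stage
    can check its successor before handing over control."""
    chain = []
    for i, (name, image) in enumerate(images):
        next_hash = sha256_hex(images[i + 1][1]) if i + 1 < len(images) else None
        chain.append({"name": name, "image": image, "next_hash": next_hash})
    return chain


def verify_chain(root_hash: str, chain: List[dict]) -> Tuple[bool, Optional[str]]:
    """Walk the chain from a root of trust (a hash assumed to be held where
    boot-time code cannot rewrite it). Every stage is hashed and compared
    before it would run. Returns (ok, name of the first stage that failed)."""
    expected = root_hash
    for stage in chain:
        if sha256_hex(stage["image"]) != expected:
            return False, stage["name"]
        expected = stage["next_hash"]
    return True, None


def blind_faith_boot(chain: List[dict]) -> bool:
    """Models the behaviour the article describes: the only check applied to
    the first sector is the 0x55AA marker, and every later stage is trusted
    simply because the stage before it ran."""
    first = chain[0]["image"]
    return len(first) == 512 and first[510:512] == b"\x55\xaa"


def with_modified_stage(chain: List[dict], index: int) -> List[dict]:
    """Constructed test input: a copy of the chain in which one byte of the
    chosen stage is changed. For the boot sector the 0x55AA marker is left
    intact, so a marker-only check cannot tell the difference."""
    image = bytearray(chain[index]["image"])
    image[0x10] ^= 0xFF
    modified = dict(chain[index], image=bytes(image))
    return chain[:index] + [modified] + chain[index + 1:]


def demo() -> dict:
    chain = build_chain([("boot sector", BOOT_SECTOR),
                         ("boot manager", BOOT_MANAGER),
                         ("kernel", KERNEL)])
    root = sha256_hex(BOOT_SECTOR)  # baseline held by the root of trust
    bad_sector = with_modified_stage(chain, 0)
    bad_kernel = with_modified_stage(chain, 2)
    return {
        "clean_verified": verify_chain(root, chain),
        "bad_sector_verified": verify_chain(root, bad_sector),
        "bad_kernel_verified": verify_chain(root, bad_kernel),
        "bad_sector_blind_boot": blind_faith_boot(bad_sector),
        "bad_kernel_blind_boot": blind_faith_boot(bad_kernel),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The marker-only boot accepts both modified chains, which is the situation the article describes; the verified chain stops at the first stage whose hash no longer matches, whether that is the boot sector itself or a stage further along. A real root of trust would hold that baseline in hardware or firmware rather than in a Python constant, which is the part no boot-sector code can rewrite.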
Based on their research, Nitin and Vipin both agree that Vboot Kit could potentially patch signed drivers and circumvent integrity checks. Vboot Kit also runs with kernel-level authority, so it can do anything the kernel can do on Vista, which is everything.