Protection Bypass Vulnerability in Pedestal Software's Integrity Protection Driver for Windows 2000

Reported January 3, 2003, by Jan Rutkowski.

  • Pedestal Software’s Integrity Protection Driver (IPD) 1.3 for Windows 2000.


A vulnerability in the IPD 1.3 for Windows 2000 can permit an attacker to bypass the driver’s kernel protection. Using Win2K's NtCreateSymbolicLinkObject() function, the attacker can bypass IPD protection by creating a symbolic link in the \?? object directory that points to \??\C:\winnt\system32\drivers.

The discoverer posted the following scenario as proof of concept:


Proof Of Concept


An attacker must find an entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry subkey that describes a driver that isn't currently loaded. A default Windows 2000 installation contains several such entries (e.g., IpNat, which describes the ipnat.sys driver).


The attacker then enters the following command:


$ subst X: C:\winnt\system32\drivers


The attacker can then replace C:\winnt\system32\drivers\ipnat.sys with the module of his or her choice, bypassing IPD protection of the \drivers directory:


$ copy badmodule.sys X:\ipnat.sys


Now, the attacker can insert his or her driver into the kernel:


$ net start ipnat

Pedestal Software has released Integrity Protection Driver 1.4, which isn't subject to this vulnerability.

Discovered by Jan K. Rutkowski.