Reported January 3, 2003, by Jan Rutkowski.
Pedestal Software’s Integrity Protection Driver (IPD) 1.3 for Windows 2000.
A vulnerability in the IPD 1.3 for Windows 2000 can permit an attacker to bypass the driver’s kernel protection. Using Win2K's NtCreateSymbolicLinkObject() function, the attacker can bypass IPD protection by creating a symbolic link in the \?? object directory that points to \??\C:\winnt\system32\drivers.
The discoverer posted the following scenario as proof of concept:
Proof Of Concept
An attacker must find an entry in the HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services registry subkey that describes a driver that isn't currently loaded. A default Windows 2000 installation contains several such entries (e.g., IpNat, which describes the ipnat.sys driver).
The attacker then enters the following command:
$ subst X: C:\winnt\system32\drivers
The attacker can then replace C:\winnt\system32\drivers\ipnat.sys with the module of his or her choice, bypassing IPD protection of the \drivers directory:
$ copy badmodule.sys X:\ipnat.sys
Now, the attacker can insert his or her driver into the kernel:
$ net start ipnat
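The steps above work because IPD matched the protected path by name, while a subst-style drive letter (a symbolic link in \?? pointing at a Win32 path) gives the same directory a second name. The check below is an added illustration written for this page, not Pedestal Software code or the reporter's proof of concept: it audits a list of (device name, target) pairs for aliases of the protected drivers directory. On a live Windows host the pairs would come from the QueryDosDevice() API; here they are constructed inline so the check runs offline. The protected path, the sample mappings and the helper names are assumptions. It goes slightly beyond the advisory's exact case by also flagging a mapping to a parent or child of the protected directory, since either one still exposes the directory under an alternate name.

```python
"""Audit DOS device (drive-letter) mappings that alias a protected directory.

Added example for this advisory, not vendor code. On a real host the
(name, target) pairs would be read with QueryDosDevice(); the list below is
constructed to resemble a Windows 2000 machine after "subst X: <dir>".
"""
import ntpath

# Assumed location of the directory IPD is meant to protect.
PROTECTED_DIR = "C:\\winnt\\system32\\drivers"

# Constructed sample mappings. Ordinary volumes resolve to \Device\...;
# a subst drive resolves to a \??\ (or \DosDevices\) Win32 path.
SAMPLE_DOS_DEVICES = [
    ("C:", "\\Device\\HarddiskVolume1"),
    ("D:", "\\Device\\CdRom0"),
    ("X:", "\\??\\C:\\winnt\\system32\\drivers"),           # the advisory's case
    ("Y:", "\\??\\C:\\WINNT\\System32\\Drivers\\"),         # same dir, other spelling
    ("Z:", "\\??\\C:\\winnt\\system32\\drivers2"),          # prefix collision, not an alias
    ("W:", "\\??\\C:\\winnt\\system32"),                    # parent: W:\drivers reaches it
]

OBJECT_PREFIXES = ("\\??\\", "\\DosDevices\\")


def _strip_object_prefix(target):
    """Return the Win32 path behind a \\??\\ or \\DosDevices\\ object name, else None."""
    low = target.lower()
    for prefix in OBJECT_PREFIXES:
        if low.startswith(prefix.lower()):
            return target[len(prefix):]
    return None


def _canonical(path):
    """Case-fold and collapse '.', '..' and trailing separators (Windows is case-insensitive)."""
    return ntpath.normpath(path).lower()


def _is_under(child, parent):
    """True if child lies strictly below parent (both canonical)."""
    return child.startswith(parent.rstrip("\\") + "\\")


def classify_alias(target, protected=PROTECTED_DIR):
    """Classify one mapping target against the protected directory.

    Returns None when the target is an ordinary volume or unrelated path,
    'equal' when it names the protected directory itself, 'inside' when it
    names something below it, and 'ancestor' when it names a parent, so the
    protected directory is reachable through the alias as a subdirectory.
    """
    win32 = _strip_object_prefix(target)
    if win32 is None:
        return None  # \Device\... target: a real volume, not a subst-style alias
    t = _canonical(win32)
    p = _canonical(protected)
    if t == p:
        return "equal"
    if _is_under(t, p):
        return "inside"
    if _is_under(p, t):
        return "ancestor"
    return None


def find_aliases(dos_devices, protected=PROTECTED_DIR):
    """Return [(device, target, relation)] for every mapping that aliases the directory."""
    hits = []
    for name, target in dos_devices:
        relation = classify_alias(target, protected)
        if relation:
            hits.append((name, target, relation))
    return hits


if __name__ == "__main__":
    for name, target, relation in find_aliases(SAMPLE_DOS_DEVICES):
        print(f"{name} -> {target}  [{relation} alias of {PROTECTED_DIR}]")
```

The point of the canonicalisation step is the same one the vendor had to address in 1.4: a name-based access check is only as good as the name it compares, so every alternate name for the object (case variants, trailing separators, symbolic links in \??) has to be resolved to the same canonical form before the comparison, or else checked at the object level rather than the string level.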
Pedestal Software has released Integrity Protection Driver 1.4, which isn't subject to this vulnerability.
Discovered by Jan K. Rutkowski.