Protection Bypass Vulnerability in Pedestal Software's Integrity Protection Driver for Windows 2000

Reported January 3, 2003, by Jan Rutkowski.

VERSIONS AFFECTED

  • Pedestal Software’s Integrity Protection Driver (IPD) 1.3 for Windows 2000.

DESCRIPTION

A vulnerability in the IPD 1.3 for Windows 2000 can permit an attacker to bypass the driver’s kernel protection. Using Win2K's NtCreateSymbolicLinkObject() function, the attacker can bypass IPD protection by creating a symbolic link in the \?? object directory that points to \??\C:\winnt\system32\drivers.

DEMONSTRATION

The discoverer posted the following scenario as proof of concept:

Proof Of Concept

-----------------

An attacker must find an entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry subkey that describes a driver that isn't currently loaded. A default Windows 2000 installation contains several such entries (e.g., IpNat, which describes the ipnat.sys driver).

The attacker then enters the following command:

$ subst X: C:\winnt\system32\drivers

The attacker can then replace C:\winnt\system32\drivers\ipnat.sys with the module of his or her choice, bypassing IPD protection of the \drivers directory:

$ copy badmodule.sys X:\ipnat.sys

Now, the attacker can insert his or her driver into the kernel:

$ net start ipnat

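A defender-side check for the artifact this bypass leaves behind, added here as an example and not part of the advisory or of Pedestal's IPD: it enumerates the names in the \?? object directory through the documented QueryDosDevice API and reports every symbolic link whose target is a path under the drivers directory (subst creates exactly such a link, with a \??\C:\... target, whereas real volumes resolve to \Device\HarddiskVolumeN). It assumes a current Windows host running PowerShell; the protected directory path and the function names are the example's own.

```powershell
# Added example (not the advisory's or the vendor's code): find \?? symbolic links
# whose target is a path under the protected drivers directory.
Add-Type -Namespace Win32 -Name DosDev -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, char[] lpTargetPath, uint ucchMax);
'@

function Get-DosDeviceTargets {
    # Emits one object per DOS device name (Name, Target). With a null name,
    # QueryDosDevice returns every name as a double-null-terminated list.
    $buf = New-Object char[] 65536
    $len = [Win32.DosDev]::QueryDosDevice($null, $buf, $buf.Length)
    if ($len -eq 0) {
        throw "QueryDosDevice failed (error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    $names = (-join $buf[0..([int]$len - 1)]) -split "`0" | Where-Object { $_ }
    foreach ($name in $names) {
        $t = New-Object char[] 4096
        $n = [Win32.DosDev]::QueryDosDevice($name, $t, $t.Length)
        if ($n -eq 0) { continue }
        # A name may carry several targets; the first one is the active link.
        $target = ((-join $t[0..([int]$n - 1)]) -split "`0")[0]
        [pscustomobject]@{ Name = $name; Target = $target }
    }
}

function Find-DriverDirLinks {
    param(
        # Assumption: the directory IPD protects on this host.
        [string]$ProtectedDir = (Join-Path $env:SystemRoot 'system32\drivers')
    )
    Get-DosDeviceTargets | Where-Object {
        # Only path-style targets (\??\C:\...) are suspect; volumes point at \Device\...
        $_.Target.StartsWith('\??\') -and
        $_.Target.Substring(4).TrimEnd('\').StartsWith($ProtectedDir, [StringComparison]::OrdinalIgnoreCase)
    }
}

Find-DriverDirLinks | Format-Table -AutoSize
```

An empty result means no name in \?? currently aliases the drivers directory; any hit names the link (for subst, the drive letter) and the path it redirects to.
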
VENDOR RESPONSE

Pedestal Software has released Integrity Protection Driver 1.4, which isn't subject to this vulnerability.

CREDIT

Discovered by Jan K. Rutkowski.
