VBootkit Bypasses Vista's Code Signing

An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."

Re:and in a related story...

[Sancho]

It's a story because of Vista's signing requirement for kernel drivers in x64. A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such. It is intended to give control back to the owner of the computer, and as such, physical access is neither an unreasonable requirement, nor an unreasonable expectation.

Re:and in a related story...

[Ferzerp]

Is there not an F8 boot option to load unsigned drivers?

a quick search says yes, and the flag can be set as the default behavior as well.

http://www.unofficialvista.com/article/204/install ing-unsigned-drivers-in-64-bit [unofficialvista.com]

Re:and in a related story...

[PhrostyMcByte]

The flag to set default behavior was disabled in RTM and iirc RC2. You can set it, but it has no effect.

Re:Is it just me that thought

[tftp]

As far as I know, one can legally install an evaluation copy of Vista, with a blank CD key, and evaluate it for some number of days. Then it expires.

Re:Looks like it

[PDXNerd]

My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.

Sooooooo..... What you're saying are that wide-spread exploitations [pcmag.com] of an animated cursor library flaw [slashdot.org] are things of the past? Thank science my Windows PC is safe from administrative privilege granting exploits, because the administrator can't disable things like automatic updates and code signing and junk! Sweet!!

Re:Looks like it

[Sancho]

Apparently, administrator cannot disable the code-signing requirement (at least, not on X64, which is what this article talks about). Although there has been talk of this as a possibility, the more I look, the more it appears that this was a pre-RTM setting which is now ignored.

Yeah, we'll see some worms, but like I said, I doubt they'll be of the magnitude of some of the ones in recent memory.

Re:and in a related story...

[J Isaksson]

This is untested by me since I don't run x64, but here is supposedly the Vista x64 RTM method for permanently disabling the driver signing requirement:

Start/Programs/Accessories
Right-click "command prompt" and select "run as administrator"
At the command prompt, type bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
Reboot!

In case you want to enable the driver signing requirement again:
bcdedit -deletevalue loadoptions

(Blatantly borrowed from http://www.teamxlink.co.uk/forum/viewtopic.php?t=2 0068&start=20 [teamxlink.co.uk])

Re:and in a related story...

[Spy Hunter]

Yes, but then Vista knows it's "tainted". It will refuse to run "protected media path" DRM, because it is supposed to protect such DRM against snooping by unsigned code. Memory-sniffing attacks such as those recently deployed on Windows XP against HD-DVD players are supposedly thwarted by Vista's "protected media path". This sounds like a backdoor to load unsigned code into the kernel without it being aware, giving you complete control over your own computer at all times, even when it is running PMP DRM crap.

It has been ... 'til Vista

[Opportunist]

Just because you have physical access to the machine doesn't mean the machine will do your bidding when you fire it up. It will still not run unsigned drivers, it will still not be under your control. Vista rewrote the laws of access, being administrator doesn't mean that you're root.