
Researchers Show How To Take Control of Windows 7 325

Posted by CmdrTaco
from the hey-wait-a-minute dept.
alphadogg writes "Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday. Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. 'There's no fix for this. It cannot be fixed. It's a design problem,' Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack can not be done remotely." Which makes me wonder why I'm posting this :)
  • by mc1138 (718275) on Thursday April 23, 2009 @12:23PM (#27689025) Homepage
    We hear about it all the time, laptops being stolen, left out, all with tons of sensitive data. Combine this with a lot of companies having very poor physical security this could be more than something to just write off.
    • Re: (Score:2, Insightful)

      by xmarkd400x (1120317)
      Your "problem" has already been solved. Encrypt the hard drive. Companies don't care about losing sensitive data other than the monetary and reputation loss. If you lose a hard drive with private info on it, you only have to report a "breach" if it's encrypted.

      Somebody with physical access can just use a boot CD and do what they want anyways.
      • by mhall119 (1035984) on Thursday April 23, 2009 @01:44PM (#27690643) Homepage Journal

        Even if you're using Windows to encrypt your hard drive, this exploit might still be effective. From the very few details in the article, it modified the Windows boot files in memory while it's booting. If they can do that, then they just wait for you to log in and decrypt your hard drive, and their tainted processes have access to all your data.

        • Re: (Score:3, Interesting)

          by afidel (530433)
          The only way to inject code during boot if you are using bitlocker would be to use a DMA controller to do the injection. Firewire ports are one of the few devices commonly found in a PC with a DMA controller that can be used in this manner.
        • Re: (Score:3, Interesting)

          by imemyself (757318)
          If you're using full disk encryption with BitLocker or TrueCrypt or something then I doubt this would be effective. With both BitLocker and TrueCrypt, the only things that can be loaded without decrypting the drive are the bootloader/BitLocker/TrueCrypt software that prompts for the password or key. Unless someone has found a vulnerability in the actual encryption software that's used, I don't think it would be vulnerable in that way.
    • Re: (Score:2, Interesting)

      by Lovedumplingx (245300)

      I was thinking that same thing.

      Sure it's not really much of a problem for the home user but for the businessman/government worker who travels and leaves his laptop or has it stolen this means that the data on that machine will be compromised.

    • by Rayeth (1335201)
      Also, isn't it an axiom of computer security that if someone can get physical access to your machine there is pretty much no software in the world that can stop them? It's all well and good to encrypt, but that won't help you if they remove the drive and have their Beowulf cluster break your RSA.
    • If someone has physical access to your computer, you've already lost. That's been the general rule for decades now. Even with a fully encrypted hard drive someone could install an inline USB key-logger and you would probably never notice it. Sensitive information should never go on a laptop and desktops should be physically secured. Anything else is 100% defeatable.

  • by Anonymous Coward

    If you got physical access already, it shouldn't be a surprise you can root the box.

    • by tepples (727027)

      If you got physical access already, it shouldn't be a surprise you can root the box.

      Then why haven't TiVo DVRs, Linux boxes to which the user has physical access, been rooted?

      • by paroneayea (642895) on Thursday April 23, 2009 @01:08PM (#27689905) Homepage

        Linux boxes are rootable. They *should* be rootable. The only time they aren't are when you don't have control any more (because of DRM & etc). But then they are only Linux in as much as the Kernel goes, not as much as the kind of Linux that Linux users advocate. I've recovered a broken plenty of times by popping in a boot cd and chrooting it.

        The only time a system can be protected from this type of stuff is if it's encrypted. But then again, that's only protecting someone from accessing information you want to keep private, not protecting from reinstalling your operating system.

        • Re: (Score:3, Interesting)

          by blackest_k (761565)

          The only time a system can be protected from this type of stuff is if it's encrypted. But then again, that's only protecting someone from accessing information you want to keep private, not protecting from reinstalling your operating system.

          Funny how this kind of thing comes up at an appropriate moment: Ubuntu 9.04 on a fresh install asks if you want to encrypt your home directory, and it will be seamlessly decrypted when you use it.

          I thought about this, then decided against it; the risk of losing everything due to having it in an encrypted home folder outweighs the risk of my data being readable by someone having physical access to the machine. On the other hand, having everything easily readable doesn't appeal either, so I compromised and

  • by Control-Z (321144) on Thursday April 23, 2009 @12:24PM (#27689037)

    If someone has physical control of the machine, all bets are off.

    • by MyDixieWrecked (548719) on Thursday April 23, 2009 @12:38PM (#27689345) Homepage Journal

      In today's virtual world, physical access to the machine doesn't mean meatspace access. My company and several of my friends' companies are looking into virtualized desktops by using small desktop boxes and low-end PCs to connect to PCs in the datacenter over either RDP or other proprietary protocols.

      With the proliferation of cloud-based applications, it's only a matter of time before someone offers a browser-based virtual desktop in the cloud. Once someone hacks into some server up there, they have physical access to the machines for all intents and purposes.

      This is a very interesting threat from a virtual infrastructure security standpoint.

      • by vux984 (928602)

        This is a very interesting threat from a virtual infrastructure security standpoint.

        Not really. *ANY* physical-attack type threat is altered in the same way by virtualization.

        To obtain illicit 'physical' access to the virtual machine they have to compromise the host machine. If the host machine can't be hacked remotely, then the 'physical' virtual machine is essentially safe.

        And if the host machine CAN be compromised remotely, then the guests are hosed no matter what.

      • by DaveV1.0 (203135)

        My company and several of my friends' companies are looking into virtualized desktops by using small desktop boxes and low-end PCs to connect to PCs in the datacenter over either RDP or other proprietary protocols.

        In other words, you are going back to the old terminal/server model of computing. Welcome back to the age of Jive.

        • by drinkypoo (153816)

          In other words, you are going back to the old terminal/server model of computing. Welcome back to the age of Jive.

          Everything old becomes new again if you wait long enough. Actually, you apparently missed it when we all went back to the old session-processed, terminal/server model of computing. It's called the World Wide Web. GP can't go BACK to the past when we're all already there.

      • In today's Virtual world, physical access to the machine doesn't mean meatspace access.

        That's a very good point. I still don't think it means much in terms of comparisons, since most other OSes are similarly vulnerable if their boot sequence is alterable or their raw drives can be accessed, but yeah, that's worth bearing in mind.

      • Re: (Score:3, Insightful)

        by YesIAmAScript (886271)

        If you think accessing a machine through a browser is the same as having physical access "for all intents and purposes", then you aren't actually considering nearly enough intents and purposes.

        You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

        • Re: (Score:3, Informative)

          by vux984 (928602)

          You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

          You are thinking at the wrong level. You can't do that from inside the -guest-. But you CAN do it from the -host-. And you -can- potentially access the -host- remotely. After all, VMware Server 2's administration, for example, is web based...

          So if you hire some company to allocate you a VM and you run Windows 7 on it. And I can get remote control of the HOST, I now effectively have physical access to YOUR W

    • by Lord Ender (156273) on Thursday April 23, 2009 @12:39PM (#27689393) Homepage

      Some disk encryption solutions, such as Checkpoint, rely on windows authentication to decrypt the disk. If this can be bypassed easily, it makes this disk encryption worthless.

      It was obvious to crypto pros that it is theoretically worthless, but this is a practical attack against it.

      Real disk encryption DOES protect the machine even with physical access. But "enterprise" software companies like Checkpoint sell snake-oil encryption quite well because engineers can "prove" it's flawed to management without a working exploit.

    • by greenguy (162630) <estebandido@noSPAM.gmail.com> on Thursday April 23, 2009 @12:47PM (#27689517) Homepage Journal

      OK, they're claiming that if they have physical access, they can take control while it boots.

      Sounds like they simply waited for it to finish booting. Ta-dah! They have control of it!

    • Not necessarily (Score:5, Interesting)

      by SpooForBrains (771537) on Thursday April 23, 2009 @12:58PM (#27689737)

      The standard method of securing the data on your machine, which is what's important, is to encrypt it. So even if someone rips open the box, takes out the disk and puts it in another machine, the data should be safe, assuming the encryption algorithm and the user authentication processes are secure.

      However, if this exploit allows them access to the operating system on the disk, and allows them to subvert the user authentication process to grant themselves access to a user's account, then the data is compromised.

      So this exploit may have an application, not as an attack vector for writing a propagating worm or virus, but as a means to gain access to otherwise secure data.

    • Yeah, much as I'd love to gloat, this is pretty meaningless. Even a remote rootkit wouldn't say much if they could fix it easily. Only a series of obvious flaws, negligently unpatched flaws, or fundamentally unfixable flaws are worth talking about.

    • If someone has physical control of the machine, all bets are off.

      Ah, apparently you've never heard of Phil Zimmermann or ever seen a James Bond movie, have you?

      Point here is there is quite a bit that has and can be done even at the physical layer. Drive Encryption (PGP) is but one option, and given the track record of PGP, I'd say a pretty damn good one. TrueCrypt is a great free alternative too.

      And I for one am glad this was posted. Just helps enlighten everyone on the importance of good security practice regardless of how shiny and new the OS is.

      There are no foo

  • Who cares? (Score:5, Insightful)

    by Sj0 (472011) on Thursday April 23, 2009 @12:25PM (#27689045) Homepage Journal

    Rule 1 of computers is, if someone has physical access to your machine, it has already been compromised. I always design my security around this fact, and if a machine needs to be secure against attack, it will be physically secure.

    • by Andy Dodd (701)

      It is possible to design a machine that is secure even from someone who has physical access, but doing so is expensive and involves compromises in usability that normal users would never accept. (Of the "you no longer own your own machine" kind.)

      • by Sj0 (472011)

        Please elaborate. I can't think of any way you could use current technology to make a device that no attacker could access, given a sufficient amount of time and resources.

        • by tepples (727027)

          I can't think of any way you could use current technology to make a device that no attacker could access

          The BIOS is encrypted with a key stored in a PROM on the CPU, and the BIOS checks the digital signature of each file that it loads. Any piece of code without a certificate chain leading up to the platform publisher doesn't get executed.

          given a sufficient amount of time and resources.

          The expenditure of time and resources indicates 1. possession of cash and 2. intent to compromise a system, both of which make you more likely to extract a large award of damages from an attacker in a court of law.

          • by cayenne8 (626475)
            "The expenditure of time and resources indicates 1. possession of cash and 2. intent to compromise a system, both of which make you more likely to extract a large award of damages from an attacker in a court of law."

            Unless you are a three letter govt. agency.

        • Machine has only an ethernet port and a power port, no other ports exposed. Internally, machine has been potted with a material that chemically bonds to both IC plastic and soldermask, so that removing the material would physically damage both the PCB and components.

          Internal battery with >20 yr life monitors integrity of case panels in multiple redundant points, and arcs and melts flash if any disturbance is noted.

          So yeah, you're right. Given sufficient time and resources such a machine would be broken

        • bios password set
          bios to only boot of HDD
          secure OS
          grenade inside case to deal with physical tampering

          Alternatively FDE works well unless the computer is stolen while on (you may even be able to get some sort of card to wipe the ram using a battery when the case is opened)

      • by immakiku (777365)
        It's also a balancing act. I don't want everyone in my household to easily have access to my computer without knowing my password. Doesn't mean I expect my computer to be 100% screwdriver proof.
      • by TheLink (130905)
        If an attacker has physical access they can plant physical keyloggers, mikes, cams, sensors, etc in so many possible places it is NOT funny.

        Each key on a keyboard tends to make a distinct and different sound compared to other keys.

        So you can encrypt your drive for all you want, they can just copy everything, and then get your passphrase.

        Maybe if you need a hardware token, but be careful to ensure the attacker can't derive the final key used to decrypt the data e.g. if you use something on a usb drive you ha
    • Not really, full disk encryption along with BIOS security does provide a pretty good defense against attackers with physical access. Now granted if they are standing in your office I guess they could just beat you over the head with your motherboard until you tell them the password but....
  • To recap... (Score:2, Funny)

    by xmarkd400x (1120317)
    You need full, physical control of a computer running Windows 7 in order to get software access to it?
  • A hack! (Score:5, Insightful)

    by Anonymous Coward on Thursday April 23, 2009 @12:25PM (#27689057)

    This is barely a hack. I can steal any car in the world. Give me the keys, some gas, and park it in my drive way. Watch me steal it with ease! HA!

  • Boot from Live CD? (Score:5, Insightful)

    by neilobremski (1344051) on Thursday April 23, 2009 @12:26PM (#27689071) Homepage
    If you boot from a Live CD, since you have physical access to the machine, isn't it essentially the same thing? I'm confused about how this is a vulnerability.
    • Re: (Score:3, Interesting)

      by rantingkitten (938138)
      I don't think their point was really about being able to control a machine to which you have physical access, because as you pointed out there are any number of ways to do that, on any operating system. But this is a little different -- you're not bypassing the OS somehow (as you would with a live CD, bootable USB, or whatever). Here, you're actually accessing boot files, which you shouldn't be able to do, and exploiting that. Also, they're pointing out that Microsoft makes idiotic assumptions -- like th
    • by Alsee (515537) on Thursday April 23, 2009 @01:27PM (#27690313) Homepage

      It's a 'vulnerability' in the sense that the idiots at Microsoft came up with this Trusted Computing notion that the computer is supposed to be secured against the owner.

      Trusted Computing, Digital Rights Management, the new Windows model for the operating system, it is considered a 'vulnerability' if the owner is able to take control of his own computer. Of course the Trusted Computing party line, and the way this article was written, is to call this anti-owner system a "security" system and to spin any attack on it as evil, but as virtually everyone here has already commented, this issue is about 'attacking' and gaining control over a computer you already physically control. And in general what 'attacker' already has physical control of the computer? The owner. An owner-attacker who wants to control his own computer, and override DRM or Trusted Computing lockouts against the owner. The entire new Windows driver model is that the owner is forbidden to run unapproved drivers, because such drivers could be used to break DRM or gain control of other Trusted Windows systems. If/when Windows does permit you to run unapproved drivers, it dumps you down into an unTrusted unprivileged state. As I recall, Windows Vista even locks you out of the entire Aero interface if you try to load an unapproved driver.

  • by drsmithy (35869) <drsmithyNO@SPAMgmail.com> on Thursday April 23, 2009 @12:26PM (#27689077)
    There's a rather important aspect of this that's not discussed - how does this code get onto the computer in the first place to be executed during boot?
    • Re: (Score:3, Insightful)

      by Sockatume (732728)
      A bootable CD-ROM that then boots the OS while performing the in-memory patching required to make the machine vulnerable.
      • Re: (Score:2, Insightful)

        by Sicarul (1440309)
        If that's the case then it's as vulnerable as it would be if you let it boot any LiveCD, if booting from CD is disabled in the BIOS and it is protected by password this flaw isn't applicable... It isn't a serious flaw, how did this get to be a top story??
    • Re: (Score:3, Interesting)

      by amliebsch (724858)
      Another important piece of missing information: was BitLocker turned on? Did this defeat the full-disk encryption? THAT would be a story. Otherwise, BFD.
  • You need physical access to the machine. Cant be done remotely. So nothing new.
  • by gandhi_2 (1108023) on Thursday April 23, 2009 @12:27PM (#27689097) Homepage
    This is contrasted with Mac OSX which uses a combination of Gracie-style Brazilian Jiu Jitsu, Hapkido, and oratorical prowess to keep would-be haxors at bay while the police are en route. Or the Linux lack of social skills which avoids "physical access" altogether.
  • Mindless bashing (Score:2, Insightful)

    by Anonymous Coward
    I'm as anti-Microsoft as the rest of you (at least the intelligent folk), but are you all seriously claiming that Linux or Unix distros are immune to tampering with the boot partition?

    I would assume the only way to be immune against this type of attack would be encrypting the system partition, and a "bootkit" as they seem to be calling it that is aware of encryption may even be able to deal with that.

    What's the story here again? That booting into a secondary OS gives you full control of data on an unen
    • by Svartalf (2997)

      Well, this one wires itself into the OS (In order to be useful, it kind of has to...)- so it'd be difficult to get a wide-spanning variant of this going, but a targeted one could actually zap any device in existence. You'd just have to target specific OSes in the x86 space, you'd have to figure out how to zap uboot and redboot stuff by remote, etc.

      While I'm not going to say that it'd be impossible (It's not and it IS serious...)- only X86 systems would be easily targetable but they'd have to have 3 or so c

  • I have no love of M$, but come on. If you have physical access to a computer, and at boot time no less, you can do whatever the #@!! you want.

    if this is the biggest flaw redmond has in W7, that's not so bad.

  • Interesting idea. While the current version requires physical access, it doesn't strike me that one would need all that much to make it work via remote with a trojan or similar.

    Basically, it's a revisit of the boot-sector virus of old, which will prove to be an issue for just about any OS, most likely.

    • by DaveV1.0 (203135)

      Please explain in detail how one would make this work without physical access to the box.

  • by Sockatume (732728) on Thursday April 23, 2009 @12:31PM (#27689217)
    The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot. The attacker loads an app from a CD-ROM which then itself executes the normal Windows boot process while aggressively patching software in memory. This also isn't a Windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.
    • by rs232 (849320) on Thursday April 23, 2009 @12:48PM (#27689543)
      "The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot"

      'The latest version of VBootkit includes the ability to remotely control [networkworld.com] the victim's computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected'

      I thought BitLocker [wikipedia.org] was supposed to defend against such exploits if the boot sequence was altered?
      • by Sockatume (732728)
        The remote access and privilege level exploits are only possible after VBootkit has been patched into memory. BitLocker protects against patching the OS on the disk but I don't think it offers any protection against changing the OS contents, beyond the "user input" requirement for boot (either a PIN or a physical device, which this software may or may not be able to bypass).
      • by Sockatume (732728)
        I overlooked it, it's explained well below.
    • Re: (Score:3, Insightful)

      by vux984 (928602)

      This also isn't a windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.

      Even that wouldn't matter, because the first thing I'd in-memory patch is the checksum algorithm to always return 'ok'.

      The only real way to resolve this would be a-la console style 'trusted computing, and digital signatures through the whole bios and bootstrap process'. Of course, even this could be 'hacked' or 'modchipped' but at least it wouldn't be as simple as just puttin
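The signature chain that tepples and vux984 describe above (a root key held in ROM, each boot stage checking the next, so patching a later stage's own checker gains nothing) as an added Go simulation; this is editorial example code, not code from the thread, from Microsoft, or from VBootkit's authors. The stage names, image contents and keys are all constructed stand-ins, and "ROM" is simply a variable holding the platform publisher's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the boot chain: the code it runs plus the public key it
// uses to check the next stage. NextKey is inside the signed payload, so it
// cannot be swapped for an attacker's key without breaking Sig.
type Stage struct {
	Name    string
	Code    []byte
	NextKey ed25519.PublicKey // nil for the final stage
	Sig     []byte            // by the previous stage's key over stageDigest
}

// stageDigest binds code and next-key together (length prefix avoids shifting).
func stageDigest(code []byte, nextKey ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte{byte(len(nextKey))})
	h.Write(nextKey)
	h.Write(code)
	return h.Sum(nil)
}

// BuildChain signs stage i with key i and embeds key i+1's public half in stage
// i, working backwards so each key exists before it is embedded. The key left
// over at the end is key 0, the platform publisher's, which ROM holds.
func BuildChain(names []string, codes [][]byte) (ed25519.PublicKey, []Stage, error) {
	stages := make([]Stage, len(names))
	var next ed25519.PublicKey
	for i := len(names) - 1; i >= 0; i-- {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		stages[i] = Stage{names[i], codes[i], next, ed25519.Sign(priv, stageDigest(codes[i], next))}
		next = pub
	}
	return next, stages, nil
}

// VerifyBoot walks the chain the way ROM would: each stage is checked with the
// key handed down by the already-verified stage before it, so the check runs in
// code the attacker has not yet had a chance to patch. It returns the stages
// allowed to run and an error naming the first one refused.
func VerifyBoot(rootKey ed25519.PublicKey, stages []Stage) ([]string, error) {
	key := rootKey
	var booted []string
	for _, s := range stages {
		if !ed25519.Verify(key, stageDigest(s.Code, s.NextKey), s.Sig) {
			return booted, fmt.Errorf("refusing %q: signature does not chain to the platform key", s.Name)
		}
		booted = append(booted, s.Name)
		key = s.NextKey
	}
	return booted, nil
}

// Tamper models the bootkit move: patch one byte of stage i, then re-sign stage
// i and everything after it with attacker-held keys so the tail of the chain is
// self-consistent (the "checksum that always says ok"). It is still refused,
// because stage i is checked with the genuine key carried by stage i-1 or ROM.
func Tamper(stages []Stage, i int) ([]Stage, error) {
	out := make([]Stage, len(stages))
	copy(out, stages)
	var next ed25519.PublicKey
	for j := len(stages) - 1; j >= i; j-- {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		code := append([]byte(nil), stages[j].Code...)
		if j == i && len(code) > 0 {
			code[0] ^= 0xff // the in-memory patch itself
		}
		out[j] = Stage{stages[j].Name, code, next, ed25519.Sign(priv, stageDigest(code, next))}
		next = pub
	}
	return out, nil
}

func main() {
	// Constructed stand-ins for the firmware, boot loader and kernel images.
	root, chain, _ := BuildChain([]string{"firmware", "bootloader", "kernel"},
		[][]byte{[]byte("fw"), []byte("ldr"), []byte("krnl")})
	fmt.Println(VerifyBoot(root, chain)) // clean chain: all three stages run
	bad, _ := Tamper(chain, 1)
	fmt.Println(VerifyBoot(root, bad)) // stops after firmware, refuses the loader
}
```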

  • by RenHoek (101570)

    While uninteresting for worms, this is probably a nice way for pirates to hack Windows 7.

    I'm not sure if they have cracked it already or not, since I'm still on XP.

  • by furby076 (1461805) on Thursday April 23, 2009 @12:39PM (#27689367) Homepage

    'There's no fix for this. It cannot be fixed. It's a design problem,

    There is always a fix. Every vulnerability is a "design problem". Sometimes the code to fix it is a separate app (e.g. firewall, virus protection), and sometimes it requires modification to the code. There is always a fix in software - it's just a matter of making it.

    This guy stating there is no fix, it can't be fixed is making statements about as dumb as those who say their favorite OS (e.g. OS X) is immune from any virus/worms/hacks.

    • Re: (Score:3, Insightful)

      He is right there is no fix .... however the workarounds are pretty good ...

      If you are booting, then load the boot software at a random location, like they do with other programs once the system is running, and this hack will be *much* more difficult

      It's just that, as he says, Windows 7 assumes that during the boot process no user program can change things and it has complete control....

      If you are running in a virtual machine you *never* have complete control and so this will always work on any OS, but you

  • Misleading title (Score:3, Insightful)

    by tuxgeek (872962) on Thursday April 23, 2009 @12:43PM (#27689443)
    At first glance at the thread title, my first thought was: pop a Linux CD into the drive and reboot.
    Voila, no more Win7.
  • by DaveV1.0 (203135) on Thursday April 23, 2009 @12:52PM (#27689605) Journal

    Because you are a Microsoft hating troll

  • The reason (Score:5, Insightful)

    by kenp2002 (545495) on Thursday April 23, 2009 @12:53PM (#27689615) Homepage Journal

    ... the reason you are posting this article is to spread anti-microsoft hate and FUD for no reason.

    Why not post:

    With a gentoo install CD you can gain control of any linux system by overwriting key /etc/ files to give yourself root access unless you use encrypted drives...

    More useless propaganda from an MS-hater. I mean seriously, this is news? Next thing you'll post is that Windows 7 has a horrible exploit that crashes it every time you shoot the PC with a shotgun.

    Don't we have a NO FUD policy for articles?

    "Everyone is entitled to be stupid, but some abuse the privilege", as a result of this abuse, your Stupid License has been suspended for 60 days.

  • Oh my god, windows can be hacked! With physical access! THIS IS HUGE! WINDOWS SUCKS MICROFOSFT IS TEH DEVAL OOH NOES!!1!one
    Linux... Mac OS, Windows, ANYTHING... can be hacked with physical access. Period. If you have the time and the access there is no security beyond encryption and even that can eventually be defeated. This seems like just another lame "bash microsoft" post. Yeah you hate them, sure we know it. Get over it. They didn't become one of the largest software providers on earth by use of magic
  • by minsk (805035) on Thursday April 23, 2009 @01:02PM (#27689799)

    Everyone talking about this being irrelevant is missing the point. This attack does not make users significantly more vulnerable. Instead, it makes Windows more vulnerable to users.

    Hacking your own machine sounds laughable. But as long as vendors restrict usage, we need to keep reminding them that DRM is a fool's quest.

  • So these guys came up with a bootloader that screws with its child process (the OS), and they're calling that an exploit? I guess "grub" would be considered an exploit too, by their chicken-little standards.

    These two Kumar clowns are really just shills for Trusted Computing, fear-mongering in exchange for a little kickback from the related fascist orgs.

  • " the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also able remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected."

    So this is basically great if you want to break into your girlfriend's laptop to check her email?

    Can someone knowledgeable explain why this is news?
