Microsoft Security

Researchers Show How To Take Control of Windows 7

alphadogg writes "Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday. Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. 'There's no fix for this. It cannot be fixed. It's a design problem,' Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack can not be done remotely." Which makes me wonder why I'm posting this :)
  • by Sockatume ( 732728 ) on Thursday April 23, 2009 @12:31PM (#27689217)
    The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot. The attacker loads an app from a CD-ROM which then itself executes the normal Windows boot process while aggressively patching software in memory. This also isn't a Windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.
  • by DaveV1.0 ( 203135 ) on Thursday April 23, 2009 @12:52PM (#27689605) Journal

    Because you are a Microsoft hating troll

  • by Alsee ( 515537 ) on Thursday April 23, 2009 @01:27PM (#27690313) Homepage

    It's a 'vulnerability' in the sense that the idiots at Microsoft came up with this Trusted Computing notion that the computer is supposed to be secured against the owner.

    Trusted Computing, Digital Rights Management, the new Windows model for the operating system: it is considered a 'vulnerability' if the owner is able to take control of his own computer. Of course the Trusted Computing party line, and the way this article was written, is to call this anti-owner system a "security" system and to spin any attack on it as evil, but as virtually everyone here has already commented, this issue is about 'attacking' and gaining control over a computer you already physically control. And in general what 'attacker' already has physical control of the computer? The owner. An owner-attacker who wants to control his own computer, and override DRM or Trusted Computing lockouts against the owner. The entire new Windows driver model is that the owner is forbidden to run unapproved drivers, because such drivers could be used to break DRM or gain control of other Trusted Windows systems. If/when Windows does permit you to run unapproved drivers, it dumps you down into an unTrusted unprivileged state. As I recall, Windows Vista even locks you out of the entire Aero interface if you try to load an unapproved driver.

  • by perryizgr8 ( 1370173 ) on Thursday April 23, 2009 @01:29PM (#27690343)
    BIOS passwords are a joke. On my HP Pavilion, if I slide open the side cover and shake up the cell on the mobo, it forgets all BIOS settings and the password too.
  • by vux984 ( 928602 ) on Thursday April 23, 2009 @02:21PM (#27691431)

    You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

    You are thinking at the wrong level. You can't do that from inside the -guest-. But you CAN do it from the -host-. And you -can- potentially access the -host- remotely. After all, vmware server 2's administration for example is web based...

    So if you hire some company to allocate you a VM and you run Windows 7 on it, and I can get remote control of the HOST, I now effectively have physical access to YOUR Windows 7 VM, including 'inserting a disk' (by mapping your CD-ROM to an ISO image) as it boots, in order to use this physical-access exploit.

  • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Thursday April 23, 2009 @02:25PM (#27691521) Journal

    I'll correct you a bit further -- there are different kinds of physical access. For instance, a public computer lab might have machines which have their case locked, both to prevent it from being opened and to prevent it from being locked down, BIOS locked and configured to boot only from hard disk, bootloader locked, etc.

    On such a machine, there's really not a lot you can do to compromise it without some sort of actual software vulnerability or misconfiguration. You might be able to add a physical keylogger -- maybe -- depends how kiosk-ified it is.

    However, this does not appear to be such an attack. Rather, it seems this is an attack which requires you to boot the machine off of some other media. Most machines are wide open to this in many ways -- the more frightening one was PXE; just plug a laptop into the same network and own every machine as it boots.

    But Vista is not unique in this respect, and I cannot imagine how an OS could protect itself against such an attack. And even network boots can be secured, if you can add just a kernel and initrd to local storage.

  • by mjeffers ( 61490 ) on Thursday April 23, 2009 @02:55PM (#27692139) Homepage

    My case came with one of those case locks. The manufacturer forgot to ship the key. Turned out the key to my luggage is about the same size and I was able to get into it in a few minutes. While there are probably more secure solutions than the one on my PC, picking a lock isn't much of a roadblock.

  • by Ironica ( 124657 ) <pixel@bo o n d o c k.org> on Thursday April 23, 2009 @03:04PM (#27692289) Journal

    If they did secure it, you can get the same end result WITHOUT HACKING it.

    No, you can't.

    The end result of this attack is a machine which is booted from the regular hard drive, in the user's usual account... but is *remotely* accessible.

    So, in your typical office environment with fairly pathetic physical security, you could slip in at 5:00 a.m., boot someone's computer with this doohickey, then leave. When they get to work in the morning, they think "Huh, thought I shut my machine down last night... oh well" and go on about their day. You capture every username and password they type, all the data they access... everything they do.

    It's a niche exploit, but it's not *totally* useless.

  • by necrogram ( 675897 ) on Thursday April 23, 2009 @03:13PM (#27692457)

    Try leaving a bootable CD in a BitLockered system. Vista won't boot with it in the drive. BitLocker is pretty tough.

  • by mhall119 ( 1035984 ) on Thursday April 23, 2009 @08:07PM (#27696369) Homepage Journal

    From what I've read, it verifies that the BIOS and MBR are untouched, but I haven't read that it checks what is in RAM. This exploit modified what is in RAM only.

  • by ens0niq ( 883308 ) on Friday April 24, 2009 @07:54AM (#27700061)
    From an interview with authors:

    http://www.securityfocus.com/columnists/442/2

    "How can an attacker deploy it?

    Nitin & Vipin: An attacker doesn't need to install, that's the way it has been designed. Just boot the system by placing the vbootkit media (containing vbootkit in bootsectors) in the drive, and start booting. After Vista boots, you can verify that you are running vbootkit, by checking the privilege of any running cmd.exe, the sample converts all low-privileged cmd.exe process to SYSTEM privileges. It also supports system compromise via PXE booting.

    It doesn't need any privileges, only physical access to the machine. It can also be installed to a remote system under some conditions (without physical access)."
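The interview above notes that the proof of concept's visible symptom is low-privileged cmd.exe processes promoted to SYSTEM. The following is an added example, not code from the thread or from the researchers, of a host-side check for that symptom: it flags cmd.exe running as SYSTEM whose parent is not SYSTEM or which sits in an interactive session. The process records are constructed to stand in for a live snapshot (what you would get from tasklist /V or Get-CimInstance Win32_Process on the machine being checked).

```python
# Added example (not from the thread): detect cmd.exe processes whose token
# privilege exceeds their parent's, the symptom the interview describes.
from dataclasses import dataclass
from typing import Dict, List

SYSTEM = "NT AUTHORITY\\SYSTEM"


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: str      # account the process token runs as
    session: int   # 0 = services session, >0 = interactive logon session


# Constructed sample snapshot (not captured from a real host):
# pid 1200 is a SYSTEM cmd.exe under the service tree (expected), pid 1600 is
# alice's normal shell, pid 1700 is a cmd.exe spawned from alice's explorer.exe
# that is nonetheless running as SYSTEM (the anomaly).
SAMPLE = [
    Proc(4, 0, "System", SYSTEM, 0),
    Proc(500, 4, "services.exe", SYSTEM, 0),
    Proc(900, 500, "svchost.exe", SYSTEM, 0),
    Proc(1200, 900, "cmd.exe", SYSTEM, 0),
    Proc(1500, 1400, "explorer.exe", "CORP\\alice", 1),   # parent 1400 has exited
    Proc(1600, 1500, "cmd.exe", "CORP\\alice", 1),
    Proc(1700, 1500, "cmd.exe", SYSTEM, 1),
]


def suspicious_cmd(procs: List[Proc]) -> List[Proc]:
    """Return cmd.exe processes running as SYSTEM that should not be.

    A child's token is normally inherited from its parent, so a SYSTEM child
    under a non-SYSTEM (or unknown) parent, or a SYSTEM cmd.exe inside an
    interactive logon session, indicates the token was tampered with.
    """
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits: List[Proc] = []
    for p in procs:
        if p.name.lower() != "cmd.exe" or p.user != SYSTEM:
            continue
        parent = by_pid.get(p.ppid)
        parent_is_system = parent is not None and parent.user == SYSTEM
        if p.session != 0 or not parent_is_system:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for p in suspicious_cmd(SAMPLE):
        print(f"pid {p.pid} cmd.exe runs as SYSTEM under pid {p.ppid}, session {p.session}")
```

Administrative tooling that deliberately launches a SYSTEM shell in an interactive session will also trip this rule, so treat hits as a lead to correlate with boot-time events rather than proof of a bootkit.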
