Original URL: http://www.channelregister.co.uk/2007/04/04/vbootkit/
Security researchers have found a way to subvert the load-up procedure for Windows Vista and bypass its code-signing security checks.
Indian researchers Nitin and Vipin Kumar of NV labs have developed a tool called VBoot kit (http://www.rootkit.com/newsread.php?newsid=671), a custom boot sector loader, which launches from a CD. Once loaded, the tool allows hackers to make system changes on pre-release versions of Vista, something that only Microsoft-signed code is supposed to be able to do.
Vista's booting process fails to check that every previously loaded component is kosher. The Kumar brothers exploited this design "feature" to craft their proof-of-concept code. VBoot kit can copy itself to a section of memory before Vista boots, thereby bypassing the restrictions that should prevent unsigned code from running with system (kernel) privileges.
The code, developed on a beta version of Vista, was demonstrated during a presentation (http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Kumar) at last week's Black Hat conference in Amsterdam.
Heise Security reports (http://www.heise-security.co.uk/news/87709) that a complex debugging process, involving finding the memory areas VBoot kit needed to load onto, was needed to get the exploit to work. Adapting the code to work on later versions of Vista would involve a similar, time-consuming process.
The attack does not lend itself immediately toward the creation of rootkits that work on the final Vista build. Even so, the Kumars' work illustrates fundamental design weaknesses the researchers reckon can only be fully addressed by using TPM (Trusted Platform Module) hardware to stop unsigned program code from being executed. ®
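The design weakness the article describes, and the TPM-based remedy the researchers point to, can be illustrated with a small simulation. The following Python is an added example, not code from the article, from NV labs or from Microsoft; it uses constructed byte strings as stand-ins for boot-stage images, a hash allow-list as a stand-in for code signing, and a single SHA-256 "extend" register as a stand-in for a TPM platform configuration register. The point it shows is that a check which only ever looks forward (each signed stage verifying the image it is about to load) never examines a component that ran before the first signed stage, whereas a cumulative measurement of every stage that executed changes as soon as anything extra is inserted into the chain.

```python
import hashlib

# Constructed stand-ins for boot-stage images; none of these are real binaries.
FIRMWARE = b"firmware image (performs no verification)"
BOOTMGR = b"bootmgr image"
WINLOAD = b"winload image"
KERNEL = b"kernel image"
EXTRA_LOADER = b"unsigned custom boot sector loader (from CD)"

CLEAN_CHAIN = [FIRMWARE, BOOTMGR, WINLOAD, KERNEL]
# The extra loader runs first and then hands control to the genuine bootmgr.
TAMPERED_CHAIN = [FIRMWARE, EXTRA_LOADER, BOOTMGR, WINLOAD, KERNEL]


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Stand-in for "Microsoft-signed": the set of image hashes the vendor ships.
SIGNED_IMAGES = {image_hash(BOOTMGR), image_hash(WINLOAD), image_hash(KERNEL)}


def is_signed(image: bytes) -> bool:
    return image_hash(image) in SIGNED_IMAGES


def forward_only_check(chain: list[bytes]) -> bool:
    """Model of the weakness in the article: a signed stage verifies only the
    image it loads next. The firmware verifies nothing, and no stage ever
    re-examines what ran before it. Returns True if every check performed
    passed, which says nothing about stages no signed loader looked at."""
    for loader, loaded in zip(chain, chain[1:]):
        if not is_signed(loader):
            # Unsigned code (firmware, or an inserted loader) performs no check,
            # so the image it hands control to is accepted implicitly.
            continue
        if not is_signed(loaded):
            return False
    return True


def extend(register: bytes, image: bytes) -> bytes:
    """TPM-style extend: register = H(register || H(image)). Order-dependent
    and cannot be rolled back, so an inserted stage leaves a permanent trace."""
    return hashlib.sha256(register + hashlib.sha256(image).digest()).digest()


def measured_boot(chain: list[bytes]) -> str:
    """Measure every stage that executes, including ones no loader verified."""
    register = b"\x00" * 32
    for stage in chain:
        register = extend(register, stage)
    return register.hex()


# The expected value is recorded once from a known-good boot.
GOLDEN_MEASUREMENT = measured_boot(CLEAN_CHAIN)


def attestation_passes(chain: list[bytes]) -> bool:
    """What a verifier (or a key sealed to the golden value) would decide."""
    return measured_boot(chain) == GOLDEN_MEASUREMENT


if __name__ == "__main__":
    for name, chain in (("clean", CLEAN_CHAIN), ("tampered", TAMPERED_CHAIN)):
        print(f"{name:8s} forward-only signature check: {forward_only_check(chain)}")
        print(f"{name:8s} measured-boot attestation:    {attestation_passes(chain)}")
```

Running the block shows the forward-only check reporting success for both chains, because the inserted loader is never the subject of any check, while the measurement comparison fails for the tampered chain. That is the distinction between verifying the next image and measuring everything that has already run, which is what the researchers argue only TPM hardware can enforce.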