From root kit to boot kit: Vista's code signing compromised
At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making "on the fly" changes in memory and in files being read. In a demonstration, the "boot kit" managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista RC2 (build 5744), even without a Microsoft signature.
Experts say that the fundamental problem that this highlights is that every stage in Vista's booting process works on blind faith that everything prior to it ran cleanly. The boot kit is therefore able to copy itself into the memory image even before Vista has booted and capture interrupt 13, which operating systems use for read access to sectors of hard drives, among other things.
As soon as the NT Boot sector loads Bootmgr.exe, VBootkit patches the security queries that ensure integrity and copies itself into an unused area of memory. Something similar is done with the subsequent boot stages of Winload.exe and NTOSKrnl.exe so that the boot kit is running in the background when the system is finally booted; at no time are Vista's new security mechanisms, which were intended to prevent unsigned code from being executed with kernel privileges, set off.
Nitin and Vipin Kumar told heise Security in an interview that this approach would also work on Vista Final (build 6000). They said that the only thing that stopped them from subsequently porting their kit to the final version of Vista was the cost. In their presentation, the experts also showed the detailed results of their analysis of Vista's booting process.
A very time-consuming debugging process using the Bochs PC emulator was required to determine the memory areas and checksums that have to be patched because they are different with every Vista build. The two Indian experts said that it took them several weeks to go through all of the individual steps in the booting process the first time. They feel that, based on analysis, VBootkit would easily be able to patch, for instance, signed drivers on the fly and get around integrity checks. And since it runs with kernel privileges, it could in principle do everything the kernel can.
For example, it might also be possible to get access to HD video content protected by DRM on the path between the data carrier and the video card. Like the attack against Cisco NAC that was also presented at the Black Hat Conference, VBootkit makes it clear that those who control hardware ultimately also control the software that runs on it. The two experts remind everyone that although Microsoft is able to raise the bar higher for boot kits by adding on additional queries and increasingly clever algorithms, the only way completely to stop unsigned program code from being executed is by using TPM hardware. See also:
- Vista's DRM allegedly cracked, report at heise Security
- Vbootkit: Compromising Windows Vista Security, notes on the VBootkit presentations