Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Hacking Challenge Answered

Posted by ryuzaki0 on from the still-some-work-to-be-done dept.

debiansid writes "Microsoft's most secure Operating System yet has been compromised at the Black Hat hacker conference. We all know that Andrew Cushman, Microsoft's director of security outreach invited the Black Hats over to touch and feel Vista in order to showcase the superiority of this OS. Joanna Rutkowska, from Coseinc, a Singapore-based security firm, obliged and showed how it is possible to bypass security measures in Vista that prevents unsigned code from running with the help of a little software she calls the 'Blue Pill.'" To be fair, the hack was possible only when the target is in administrator mode rather than a limited user account.

22 of 388 comments (clear)

  1. Would they tell anyway? by Alcimedes · · Score: 4, Interesting

    So if you're a black hat and you've found a new, as yet undiscovered hole in Vista, would you really go running to MS to tell them all about it so they can patch it?

    Or would you keep it to yourself in hopes that the final release will still contain the hole so you can pwn millions of new adoptors?

    1. Re:Would they tell anyway? by twofidyKidd · · Score: 5, Interesting

      More interestingly, will MS actually patch it, even with complete knowledge of the hole? If it further delays Vista's release (because of potentially complex code organization, or other roadblock), they might not even bother until later.

      --


      Hades, PoD: Official Advocate
    2. Re:Would they tell anyway? by pedantic+bore · · Score: 4, Funny
      I'd try to trick them in to rewriting some crucial piece of the security infrastructure at the last possible minute. That way, I'd never run out of new holes to fine.

      Perhaps I'd do this by smiling and saying that the OS was so secure that I couldn't find anything wrong with it and recommending, no, begging that they ship it in exactly its current form.

      --
      Am I part of the core demographic for Swedish Fish?
    3. Re:Would they tell anyway? by ChronoReverse · · Score: 5, Informative

      Except it's already been patched.

      http://www.eweek.com/article2/0,1759,1999241,00.as p?kc=EWRSS03119TX1K0000594

    4. Re:Would they tell anyway? by rifftide · · Score: 5, Insightful

      Now this is really cynical - but they may have planned it this way. It looks like Vista may blow by even the latest (January 2007) deadline to resolve a raft of useability bugs, and this gives them the perfect cover to extend the ship date without looking totally inept. "We were ready to RTM at the end of 2006 but some late-breaking vulnerabilities were discovered, and we decided we couldn't take chances with the security of our customers' systems."

      This is not just a matter of losing face. If the Windows team blows the revised date by several months (say April or later) AND it ships what is considered to be a lackluster product, many people will start considering the Windows codebase as a sustaining mode project. They will assume that Microsoft is busy preparing a brand new code base (based on FreeBSD plus .NET and DirectX, let's say) to debut five years from now, and will work out a transition plan for Win32 apps. Windows will be a lame duck in the minds of both customers and MS engineers. Alternatives will be sought.

    5. Re:Would they tell anyway? by Anonymous Coward · · Score: 4, Interesting

      They won't patch it because they can't. The software is really quite clever--it uses the hardware-based virtualization capabilities in newer AMD processors to move the currently running operating system into a VM (on the fly--no reboot!). Everything looks the same to the OS (no intermediary drivers like with VMWare, Virtual PC, et. al.)

      The software doesn't rely on a vulnerability in the OS, but rather a feature of the hardware... it could be ported to Linux/BSD/whatever quite easily.

    6. Re:Would they tell anyway? by jd · · Score: 5, Interesting
      No, the Black Hat wouldn't tell them about the hole. Well, not per-se. Not if there was some way of tricking Microsoft into thinking it was fixed, whilst leaving the Black Hat a back-door into everybody's systems. One way to do this would be to try and persuade Microsoft that only a subset of the values that would break security are a problem. Social engineer both the fix and the buglist. That way, if the Black Hat is ever detected, there's a good chance Microsoft will deem it a fixed bug and blame the victim, rather than investigating further.


      One of the dangers in hiring or consulting Black Hats who are any good is that 99% of security is all about social engineering - both the defence and the offense. Because of this, it is utterly impossible to distinguish between someone actually securing your systems and merely persuading you they have done so. Grey Hats will have basically the same social engineering skills but are more likely to teach you what to avoid, than to use those skills against you. This is not to say that Black Hats will always work against you - that's bad for business. All you can say is that what makes someone a Black Hat as opposed to a Grey Hat is that they wouldn't be opposed to doing so, and you'll never know.


      Oh yeah - I mentioned the use of social engineering in the protection of a system. The defences in any system will always be breakable with enough time and effort, so the only truly secure system is one that can socially engineer the attacker into believing that they have either already succeeded long before they really have or that there's nothing alive and listening for them to attack. Under no circumstances should obscurity be used as a substitute for social engineering. Obscurity hides what is important except to an attacker who has figured the obscurity out - which means that it can be used against the defender far more effectively than against the attacker. Social engineering hides nothing, it merely helps someone to see what they want to see. Because it hides nothing, it cannot be used against you, the worst possible case is that it'll cease to be as effective.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. Only works as an administrator but... by mcguiver · · Score: 5, Insightful

    show me the average home user who doesn't runs XP as administrator. Do they think that anything is going to change for Vista?

    1. Re:Only works as an administrator but... by twofidyKidd · · Score: 4, Funny

      I posted a similar comment mere seconds after yours. Bet I win with the most "redundant" down mods.

      --


      Hades, PoD: Official Advocate
    2. Re:Only works as an administrator but... by DrDitto · · Score: 4, Informative

      show me the average home user who doesn't runs XP as administrator. Do they think that anything is going to change for Vista?

      Yes, it is going to change for Vista. The default user will not have admin privileges.

    3. Re:Only works as an administrator but... by Reverend528 · · Score: 4, Insightful
      But they'll change that as soon as they need to install some drivers etc.

      Short term administrator usage to install a driver isn't that big of a threat. The real problem will be legacy applications that won't run without administrator priviledges. That's what keeps most people from running everything as a user.

      --
      Badass Resumes
    4. Re:Only works as an administrator but... by tcc3 · · Score: 5, Insightful

      Legacy apps my ass. I've seen plenty of new, professional grade software that is hamstrung by user level permissions. Sometimes Power User wont even satisy. Sloppy development is a big problem.

      You shouldnt be allowed to say "NT/2k/Xp compatible" if your software cant correctly handle user permissions.

  3. To be fair to MS by walnutmon · · Score: 5, Insightful

    This article is a little slanted towards, "MS said you can't get into their OP, and black hats said, 'bitch please!'". But really, MS probably expected this, and was hoping that they could learn something from watching a collection of hackers test their system. The more problems that are caught now, the less when it is released.

    Microsoft doesn't care about impressing Linux users, they care about releasing something that A LOT of normal users can install and forget about. Every iteration they get more stuff right, and their operating system becomes better (except ME, that sucked dick).

    --
    You take it, I don't want it...
    1. Re:To be fair to MS by Anonymous Coward · · Score: 5, Funny

      except ME, that sucked dick.

      once again, we're reminded of the importance of proper comma placement.

  4. question by spykemail · · Score: 5, Interesting

    The real question is: will elevating oneself to administrator become common practice or not? If admin land stay reserved for the likes of Slashdot, then problems like this will probably be greatly reduced. But that assumes that the difficulty in setting up an admin account isn't worth it for most people.

    --
    Haiku for you!
    1. Re:question by morgan_greywolf · · Score: 4, Insightful
      The real question is: will elevating oneself to administrator become common practice or not?


      That depends on how many legacy programs require Administrator priveleges to even run. (Hint: a lot)
      --
      My blog
  5. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  6. Re:MS Support calls by SEMW · · Score: 5, Informative

    By default, the true administrator account is hidden and disabled by default. Most people won't even know it's there, and you have to go through a rigmarole to enable it if you really want it (these a how-to guide at http://www.computerworld.com/action/article.do?com [computerworld.com] mand=viewArticleBasic&articleId=9001970). The "administrator" account that Vista creates by default is actually a standard user that can temporarily elevate to admin privelages on a task-by-task basis. It pops up a dialogue box like http://www.winsupersite.com/images/showcase/winvis ta_ff_uac_13.jpg, letting you press a big button that says 'allow' if you know it's something you initiated (e.g. you're trying to install something). You don't need to logout and relogin.

    --
    What's purple and commutes? An Abelian grape.
  7. Re:MS Support calls by ChronoReverse · · Score: 5, Informative

    This is the way it works:

    You can either be a limited user or an "administrator". By default in the current beta you're an "administrator".

    What this means is that everytime an action is undertaken that actually requires administrative rights, Vista will pop up a dialogue (a la security warnings in Internet Explorer) and make sure you really wanted to do that. If you think this would be annoying (and would just train users to click yes) let me tell you that it was actually worse in Beta1.

    There it popped up ALL the time and even if a background task does something that requires it, the entire system would stop and pop up the dialogue. At least now it'll just block and wait for you to notice the new task button and deal with it.

    If you're on a limited account, you'll have to run whatever it was you were trying to run with the context menu "Run as admin" item. Then you'll have to type the admin password. Then when the program does something that actually requires the rights, it may or may not pop up the UAC dialogue.


    At least MS is putting hoops for us to jump through.

  8. Missing the point about "Blue Pill" by etresoft · · Score: 5, Interesting
    People hack a MacBook using 3rd party hardware and software that they won't reveal, then claim the hack would also work on hardware they didn't demonstrate, then claim Apple "leaned on them" to keep the details secret. Suddenly, Macs have no more security. TFA didn't go into enough detail about the "Blue Pill". It wasn't really a hack in the same sense. It was a proof-of-concept to insert a rootkit into an x64-based OS without hacking. To quote the original author,
    I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform.
    People aren't worried about how to hack into Vista, they are working on brand new exploitation architectures using Vista. I have read elsewhere where Vista appears to have a TCP/IP stack designed from scratch. It includes all new implementations of the bugs that have been fixed over the past 15 years in all the other OSes.
  9. Re:Ok, so the machine was in Admin mode... by OverflowingBitBucket · · Score: 4, Insightful

    That's because they have to run as a member of the Administrators group in order to do fairly mundane tasks like install software or make use of otherwise-mundane consumer hardware.

    Bingo.

    I've tried, I've tried so hard to get my family to run using user-level accounts. It doesn't work. I don't live with them, so at least one needs an account with Admin rights. The others get the password (usually by asking), and then reelevate themselves. They aren't doing it to spite me. When some games won't run without admin, they can't burn CDs, so forth, they will find a way to make it work. Security? What's that? They don't care. If they can't play games, or burn CDs, they don't care about security.

    I know it is nice and easy to blame developers. True, they should do better. Heck, the first two release versions of my software didn't run properly as a user under Windows either (be gentle, I didn't have XP then). But if you want developers to behave, it has to cost them if they don't. The admin-by-default situation in Windows is ludicrous. They took a step in the right direction with user accounts in XP, but with the default installation forcing the first user account to be admin, and then not letting you de-admin the account, makes the step almost pointless.

    When default users run as an ordinary user with a pretty graphical sudo, and the OS blocks running apps as administrator without some sort of painful confirmation process (eg. whitelist), and developers have access to decent commandline or API sudo and security equivalents, then developers will behave and make damn sure their app runs as an ordinary user.

    Legacy apps will break unless some sort of layer is put in to make it look like the app does have arbitrary permissions to do fun stuff like write into its installation directory or the top level of a drive. I've heard Vista does some of this funky stuff (I'd check if the a__holes at Microsoft actually let me get their beta version of Vista- another story), which I hope is true.

    Microsoft got themselves into this mess and they have nobody to blame but themselves (despite the way they love to blame third parties for their sloppy OS). They can dig their way out if they choose. It won't be easy, but give them a decade and they'll be where Unix was a decade ago. ;) Perhaps Vista will be another step in the right direction. Or maybe it will be another case of dialog overkill that does nothing for true security. Who knows?

    Personally I'm not too stressed one way or the other. I don't use Windows unless I absolutely must, and whilst it is a worm-ridden crash-prone security nightmare it does mean there will be work available to clean up the mess. The target market of my software mostly runs on Windows though, so I do have to keep aware of what is going on. It would be nice if they cleaned up their act, as it makes my work easier.

  10. You are all missing the point by Myria · · Score: 4, Informative

    This is about x64 driver signing. In Vista 64, drivers *cannot* run if they are not signed by a corporation who has paid the "VeriSign Tax" *. Even if the administrator requests it, they will not run. This is retarded "security", and it will keep being broken until Microsoft either gives up or forces everyone to have TPM bootup (more likely the latter).

    It infuriates developers, yet doesn't do anything for preventing rootkits, as Joanna has demonstrated. As long as user-mode programs have raw disk access, they will be able to attack whatever they want.

    I have a feeling that Microsoft's response to this will be to lock out raw disk access to user mode regardless of privilege. Keep in mind that even SELinux does not do this. All disk utilities would have to be written as signed drivers. The problem here is that developers won't stand for it, and will make signed drivers that grant access again. Then the rootkits can just copy these signed drivers then use them to do the same thing.

    Even if Microsoft encrypts the page file or removes the ability for the kernel to page itself out, raw disk access is still an issue. You can always open \Device\Harddisk0\Partition0 (NT's /dev/hda) and overwrite the MBR, then call NtShutdownSystem to reboot. If you take away raw disk access to user mode, then you get more esoteric. Detect when a blank CD or DVD has been inserted. When the user requests to burn it, intercept the write request and burn something else instead. Act like a system crash and reboot after it's done. Most computers are configured by default to boot from CD first.

    The real reason for driver signing appears to be DRM. The easiest way to "crack" song DRM is to install a fake audio driver that logs to disk. With the DMCA, it's illegal to make such a driver, and with driver signing, it's impossible to do it anonymously. If you temporarily disable driver signing - which is possible if you press F8 each boot - Vista's Windows Media Player refuses to play protected songs. Gee I wonder why.

    By the way, I thought of the same pagefile hack as Joanna on my own and posted it on my weblog in early June. I'm sure Joanna figured it out long before me though.

    * There are other root certificate companies that are countersigned, but this is a well-known phrase.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager