VBootkit Bypasses Vista's Code Signing
An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."
It's a story because of Vista's signing requirement for kernel drivers in x64. A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such. It is intended to give control back to the owner of the computer, and as such, physical access is neither an unreasonable requirement, nor an unreasonable expectation.
Is there not an F8 boot option to load unsigned drivers?
a quick search says yes, and the flag can be set as the default behavior as well.
http://www.unofficialvista.com/article/204/installing-unsigned-drivers-in-64-bit
The flag to set default behavior was disabled in RTM and iirc RC2. You can set it, but it has no effect.
As far as I know, one can legally install an evaluation copy of Vista, with a blank CD key, and evaluate it for some number of days. Then it expires.
Sooooooo..... What you're saying is that wide-spread exploitations of an animated cursor library flaw are things of the past? Thank science my Windows PC is safe from administrative privilege granting exploits, because the administrator can't disable things like automatic updates and code signing and junk! Sweet!!
Apparently, administrator cannot disable the code-signing requirement (at least, not on X64, which is what this article talks about). Although there has been talk of this as a possibility, the more I look, the more it appears that this was a pre-RTM setting which is now ignored.
Yeah, we'll see some worms, but like I said, I doubt they'll be of the magnitude of some of the ones in recent memory.
This is untested by me since I don't run x64, but here is supposedly the Vista x64 RTM method for permanently disabling the driver signing requirement:
Start/Programs/Accessories
Right-click "command prompt" and select "run as administrator"
At the command prompt, type bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
Reboot!
In case you want to enable the driver signing requirement again:
bcdedit -deletevalue loadoptions
(Blatantly borrowed from http://www.teamxlink.co.uk/forum/viewtopic.php?t=20068&start=20)
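As an added example (not from this thread, NV Labs or Microsoft), here is the defender-side counterpart to the procedure in the post above: a Python check that parses `bcdedit /enum` output and flags boot entries whose signing enforcement has been relaxed, either through the loadoptions value the post describes or through the nointegritychecks/testsigning options. The bcdedit output below is constructed, not captured from a real host, and the second loader identifier is a made-up GUID.

```python
import re

# Constructed sample of `bcdedit /enum` output (not captured from a real host).
# {current} carries the loadoptions value from the post above; the other loader
# entry has the nointegritychecks/testsigning options set instead.
SAMPLE_BCDEDIT_OUTPUT = """
Windows Boot Manager
--------------------
identifier              {bootmgr}

Windows Boot Loader
-------------------
identifier              {current}
description             Windows Vista
loadoptions             DDISABLE_INTEGRITY_CHECKS

Windows Boot Loader
-------------------
identifier              {00000000-0000-0000-0000-000000000002}
testsigning             Yes
nointegritychecks       Yes
"""

def parse_bcd_entries(text):
    """Split bcdedit /enum output into one {option: value} dict per boot entry."""
    entries = []
    # An entry starts with a title line followed by a line of dashes.
    for block in re.split(r"\n(?=[A-Za-z ]+\n-+\n)", text.strip()):
        lines = block.splitlines()
        body = lines[2:] if len(lines) > 2 and set(lines[1]) == {"-"} else lines
        entry = {}
        for line in body:
            m = re.match(r"^(\S+)\s+(.*)$", line)
            if m:
                entry[m.group(1).lower()] = m.group(2).strip()
        entries.append(entry)
    return entries

def weakened_signing_entries(text):
    """Return (identifier, reason) pairs for entries that relax kernel code signing."""
    findings = []
    for e in parse_bcd_entries(text):
        ident = e.get("identifier", "?")
        if "DDISABLE_INTEGRITY_CHECKS" in e.get("loadoptions", "").upper():
            findings.append((ident, "loadoptions DDISABLE_INTEGRITY_CHECKS"))
        if e.get("nointegritychecks", "").lower() == "yes":
            findings.append((ident, "nointegritychecks Yes"))
        if e.get("testsigning", "").lower() == "yes":
            findings.append((ident, "testsigning Yes"))
    return findings
```

On a live host, feed the function the text of `bcdedit /enum` run from an elevated prompt; an empty result means none of the three relaxations is present in any entry.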
Yes, but then Vista knows it's "tainted". It will refuse to run "protected media path" DRM, because it is supposed to protect such DRM against snooping by unsigned code. Memory-sniffing attacks such as those recently deployed on Windows XP against HD-DVD players are supposedly thwarted by Vista's "protected media path". This sounds like a backdoor to load unsigned code into the kernel without it being aware, giving you complete control over your own computer at all times, even when it is running PMP DRM crap.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Just because you have physical access to the machine doesn't mean the machine will do your bidding when you fire it up. It will still not run unsigned drivers, it will still not be under your control. Vista rewrote the laws of access, being administrator doesn't mean that you're root.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.