Vista Protected Processes Bypassed
Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."
I most certainly hope he releases the source for this. We *know* the bad guys will invent the time to figure out how this works. Let's be on level ground, shall we?
All of this "security" is just crap if it can apparently be exploited so easily.
Can you imagine if companies actually recruited these people who were skilled enough to break their OSs? I know I've paid someone who hacked into my site to find any further holes (fortunately they didn't!) and it's far cheaper in the long run.
No, this feature is available only in Windows Vista.
At the moment these people are doing great work. Just take the promises MS made and see them being invalidated piece by piece!
The bottom line is that no matter what OS, competent system administration is essential. However, MS makes system administration a lot harder than it is on other systems.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
With that OS protected space in Windows ME?
I clearly remember being called to help a friend with a spyware/malware problem, discovering he had ME, and going out to buy a copy of XP to replace it.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
> Not only threatening Vista DRM and friends
The DRM in Vista is not intended to lock down your computer so that evil companies can control what you watch. This is impossible to do without a TPM chip. Microsoft knows this.
The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.
'Cracking' DRM is on about the same level as downloading illegal copies online. Useful in some cases (such as when you bought a DRM'd song by mistake and wish to play it on your MP3 player/iPod), but still illegal (in the US at least).
Now mod me down, Vista bashers!
I'll probably be modded down for this...
...to start considering Vista as a usable OS.
Most likely I am missing the point here, and can't understand TFA accordingly. Somebody please set me straight.
I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.
We are all just people.
He [Alex Ionescu] is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep.
not for long, I bet.
Stop Computers/Cars Analogies on S
yes, it would make a nice tool for you to administer your systems. or for anyone out there to "administer" for you.
Ballmer, we told you before not to post here as an AC. Now you're late picking up Bill's dry cleaning, so stop dicking around and get back to work!
No, other operating systems don't have this stupid notion of "protected processes"; not even XP has it, only Vista.
Do you really think so? Why would MS pay someone $300,000-500,000 when they have people who get $70,000 that could simply scan the code itself? They won't upset their current pay scales and pay grades to place "hackers" into their business units. For one, many of those "hackers" are hackers because they have a record of conduct that does not work in a normal business environment. Be it social, societal or other issues (potentially and not limited to criminal and trust issues). In fact, some people may not even be employable due to said activities due to security reasons.
Again, MS sure isn't going to hire a hacker who is paid more than their bosses, and that is for sure.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
It's 7K, command line, and does only one job. Anyone could reverse this in their sleep.
No one is a low life for holding on to their code. This guy just cracked one of the strongest features of Vista, a system that took five years and a billion dollars to produce. About two months after public release and this guy has broken the "heightened security" wide open. If Symantec wants the code they should pay for it or figure it out themselves. Symantec doesn't give me anything for free. If you're using Vista, then you're an early adopter and need to deal with that; just thank this "low life" for providing you with a binary tool you can use if you get into trouble.
Under the influence of Post-Cyberpunk Gonzo Journalism
Genuine Advantage seems to now benefit the bastards too.
Could this technology be used to make a file copy command for Vista that isn't dog slow? Just wondering...
Do you have ESP?
Outside of being forced to use it at work, at home it brings nothing of VALUE.
http://www.rense.com/general79/wdx1.htm
If you build a house out of hardened excrements, it is still a house built out of shit even if you paint it pink.
[alk]
Considering the executable is just about 6K and doesn't seem protected/compressed, reversing it ought to be fairly trivial. Try the demo version of IDA.
Belief is the currency of delusion.
VISTA hacked again? In about three years I predict this OS will actually be usable due to helper apps which allow end users to use the computer as they see fit, instead of how MS and friends think you should use it. DRM is such a waste of human resources, but I guess this is the game we have to play.
Bill Gates wants more cheap labor to waste on useless software. What a waste of human intellect and talent. How about making the computer RUN faster, be more intuitive, and reliable?
All DRM issues aside, I'm surprised nobody has brought up new antitrust charges, especially in Europe, for this idea that Microsoft is allowed to deny a company the ability to use process protection.
By doing that they give incumbents an advantage over others and are using their OS to expand monopoly interests into other sectors.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
"Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.
Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.
In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE call. In SELinux, the mandatory security system controls which processes can use PTRACE on which other processes. So SELinux already has "protected processes", but with a better security model.
If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.
So get off your old, tired, 20th Century horse and get with the new paradigm.
Just a suggestion of course.
Faster! Faster! Faster would be better!
What is not supposed to happen in "normal" circumstances is that one process "accidentally" accesses a part of memory not assigned to it. However, plenty of programs work by doing this on purpose, and as long as they behave, there is nothing wrong with it. It just so happens that trainers are a common example.
However typically with trainers, the user level is the same. There is no real problem with a trainer I run, modifying the memory of a program I am also running. It becomes more of a problem if user levels are not accepted (should I be able to read the memory of a program belonging to another user?).
In the Vista/DRM case the problem is even more severe, because there even processes belonging to you should still not be accessible to you. Why not? Well, because you are a nasty mean piraty who steals the living from hard working people, you commie!
But no, traditionally OS'es do NOT protect process memory against deliberate snooping.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
> Why can XP and Windows 2000 play encrypted files?
The ability to play some DRM'd files was also added to XP and Windows 2000. I assume you already knew that though...
http://www.microsoft.com/whdc/system/vista/process_Vista.mspx
Protected processes have additional security restrictions, but apparently in Vista they are strange beasts. Parent processes can always obtain a handle to a child process. So, you can't have a child process become a true daemon?
Processes can "inject threads" into other processes? Buhuh?
Here's apparently more of what processes can't do to protected processes in Windows:
- Inject a thread into a protected process
- Access the virtual memory of a protected process
- Debug an active protected process
- Duplicate a handle from a protected process
- Change the quota or working set of a protected process
So you're telling me normal processes can do this to other normal processes in Windows?
Irrespective of any kind of access restrictions on Linux, process memory space is a lot more sacrosanct. To even get the same level of process separation would apparently require the setting of a lot of ACLs in Windows, if it can be done at all.
The footnote at the end is the best though!
"Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment."
Please play nice with our restriction scheme!
I bet this is what our enterprising hacker has done.
Before MS sics their lawyers on me, the above quotes were used for the purposes of review.
The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses an 848-byte driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the necessary rights to load and install a driver... and as we all know, once being in kernel mode there's no real protection against malicious code...
Seems to contain a compressed buffer with a .sys driver that is decompressed with a call to RtlDecompressBuffer and hidden away by writing it to the alternate stream "%SystemRoot%\system32\drivers\crusoe.sys:drmkaud.sys", and then there's a registry update to load the driver.
Someone who cares should write out the compressed buffer and disassemble that.
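The two comments above describe how the tool stages its driver: the .sys is written into an NTFS alternate data stream of an existing file under system32\drivers and a Services registry entry is added to load it. A defender can look for exactly those two artifacts. The script below is an added example written for this page; it is not code from the page or from Ionescu's tool. It assumes the drivers directory and Services key locations named in the comments, and that a Services entry with Type 1 (SERVICE_KERNEL_DRIVER) is a kernel driver; the stream path it reports is whatever it finds, not a hardcoded name.

```powershell
# Added defensive check (not the tool discussed above): look for kernel drivers
# staged in NTFS alternate data streams, the hiding technique described in the
# thread. Run from an elevated prompt on an NTFS volume.

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

# 1. A driver file is expected to carry only the default unnamed data stream
#    (':$DATA'). Any additional named stream on a .sys file is worth a look.
$extraStreams = Get-ChildItem -LiteralPath $driversDir -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' }

foreach ($s in $extraStreams) {
    '{0} has alternate stream "{1}" ({2} bytes)' -f $s.FileName, $s.Stream, $s.Length
}

# 2. The registry side: a kernel-driver service (Type 1, assumed to mean
#    SERVICE_KERNEL_DRIVER) whose ImagePath points into a stream, i.e. a colon
#    after the .sys name such as "...\crusoe.sys:drmkaud.sys".
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue }

$services |
    Where-Object { $_.Type -eq 1 -and $_.ImagePath -match '\.sys:[^\\]+$' } |
    ForEach-Object {
        '{0}: ImagePath "{1}" loads a driver from an alternate data stream' -f $_.PSChildName, $_.ImagePath
    }
```

Both checks read state through the running kernel, so they are only meaningful before the driver has loaded (for example on a boot from clean media or against an offline copy of the registry hive); as the first comment notes, once code is running in kernel mode it can hide these artifacts from any user-mode query.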
I think history has shown that no matter how hard you try, you cannot create a doorway in software protection and only expect to let those you want get through. The nature of software today is so fluid that it's possible to make your way through the door by imitation, brute force, social engineering, etc. Microsoft does not seem to grok this. Neither do DRM proponents. Information will find a way to get through, around, over and above, and beneath all obstacles.
So what do you do? Well, one thing you don't do is provide special security rights to only certain approved software.
The only true answer is open software and education. People who don't know how to use their computers will be attacked. They will be compromised. If you can't control yourself on the internet and local networks, you will lose the right to control your computer because someone will take it from you. If you run unknown and untrusted programs, you face the risks. Your online habits help determine your exposure. If you absolutely must visit 'free porn', warez, social networks like MySpace, etc websites, then do so with caution tempered by proper education on how to isolate your important, sensitive data, from the rest of the crap you are willing to lose. You are better off simply not visiting sites of that nature. But if you are going to, at least understand how to keep yourself safe. Because no software written today is going to be able to do it for you. There will always be software out there capable of getting around it.
In the end, to the wolves go the slowest, weakest sheep. It's natural. Don't be one of them.
I do not respond to cowards. Especially anonymous ones.
I would like to see him do this in 64-bit.
32-bit allows unsigned code in kernel mode for legacy reasons, so it's much easier to inject into 32-bit processes.
Someone give him an internet!
I have been using ME for years without ANY problems with spyware or malware. Zip.
I still use ME for one and only one purpose, to play World Of Warcraft (incidentally WoW officially does not support ME, but it runs great). For all other things I use my linux box (and I use THAT competently as well).
Why am I not infected? Simple: I am a very competent user. I know how to configure my router and my system properly, and I know how to avoid doing the sorts of things that get a system compromised. ME was one of Microsoft's weakest releases...but when used intelligently it is quite solid and safe.
The problem is that Microsoft is trying to make the OS protect its users from their own incompetence. It is a noble idea, but it is doomed to failure. No matter how secure they make it, their users will fall victim to the socially-engineered exploits of malicious developers every time. Furthermore, the attempts made to protect the user from this will actually make it harder to fix the system after it has been compromised, and will make it harder for competent administrators to do their job.
Microsoft winds up with the worst of both worlds.
Computers are not like cars. The complexity that they represent cannot be neatly tucked away under the hood. I know that people would prefer to avoid dealing with this complexity (it is tedious and uninteresting to most people, and I sympathize), however, the reality of the situation is that computers are and will remain complicated. Those who don't learn the details are and will always remain a danger to themselves and to everyone on the net, despite Microsoft's best efforts.
True if it's actually your own code. If you find a security flaw in a widely owned product written by others, it's good net citizenship to explain it to said owners so that they can (hire others to) protect against it and make use of any implications that are in their favor. As it is, he is displaying a typical 1337 attitude. "Hahaha, I know how to compromise your system, but I am not going to tell you!".
It's not like debuggers couldn't have special privileges, instead of all processes having access rights to other programs memory space.
When you start a process, you start it with a certain set of privileges. If you're logged on as administrator, your calls to CreateProcess can start processes with a different set of privileges.
When you make a Windows API call to something like CreateRemoteThread, you need a handle to the process you're interested in. If the right security bits aren't set (and they get set by the call to CreateProcess), CreateRemoteThread returns unsuccessfully.
Anyway, what could you do to give debuggers special privileges that you could prevent other people from using?
:(){
> I can't however understand why you would criticize Ionescu for enlightening us to the flaws in Vista's security/DRM strategy.
In which part of my post did I criticize Ionescu? I think his work is admirable, though I hardly find it surprising that a flaw was found in such a complex and new piece of software as Windows Vista. All complex software contains flaws.
I think that claiming that DRM is 'broken' is an overstatement. It's not broken; it still works fine. The security, I accept, needs more work, but the DRM works. It is a misleading summary.
I think you misunderstood me.
Tell me Bill, which version of Vista are you referring to?
"We made it way harder for guys to do exploits," said Mr. Gates. "The number [of exploits] will be way less because we've done some dramatic things [to improve security] in the code base."
http://www.toptechnews.com/story.xhtml?story_id=4
boycott slashdot February 10th - 17th check out: altSlashdot.org
Apparently you haven't heard of ptrace() on Linux or vm_write() on OS X, which are more or less the equivalent of the operations in Windows.
Windows processes have access control lists like files do; you can't inject a DLL into winlogon.exe without LocalSystem ("root") access. Linux and OS X go by the associated UID; if the requesting UID is unequal and is not zero (root), the attempt is denied.
As for SELinux, many systems can get around the ptrace() lockout. Pipe a connection to gdb and have it do the dirty work on your behalf. Locking down what operations are allowed on a per-program basis rather than user privilege level is not a good way to secure a system. (Flagging a program as setuid root is somewhat different, and acceptable given a security model designed for it.)
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
Malware is not annoying. It's downright hostile. Once untrusted code has run as administrator/root/system/whatever on your computer, it's the end of the game. You need to reinstall and never trust the compromised data again, as any competent security expert will tell you. Only the anti-malware corporations, unsurprisingly, tell you otherwise.
Personally this sounds like exactly what I've been looking for to get drivers that'll read my Ext3 partitions installed and loaded without all the Vista SDK nonsense required to get past the signing crap. If I'm scared of malware and virii, I'd use something by a company I trust and respect (Kaspersky is my personal favourite, especially since it's easy to exclude files/folders on the basis of "if you detect X here, ignore" so I can keep false positives or test samples or anonymail or etc), not Microsoft! From Microsoft I just want the bare OS, at most. The good things about Windows have always been programs that run on top of it (EAC, Powertab, Nero, games); anything that restricts what can get installed is another reason for me to use something else.
I remember sigs. Oh, a simpler time!
The boys in Redmond own this code, no one else. You don't know what his correspondence with them has been; personally I wouldn't let M$ off without a nice payout, aside from the fact that they will likely patch it on their own or write some software that does the same as Ionescu's. What Ionescu most likely gets out of this is nothing more than recognition, and he deserves it. And tomorrow if you get some malware on your Vista box that simply can't be removed, you know where to get a tool that may help. On that note, have you considered the fact that maybe he doesn't fully understand the depth of what he's discovered yet? Maybe releasing now would be premature; what if his software is also vulnerable to this problem?
"As it is, he is displaying a typical 1337 attitude. 'Hahaha, I know how to compromise your system, but I am not going to tell you!'" This is not true. Right now Ionescu is a world class security expert on Windows Vista; if he didn't play his cards close to his chest he'd be a damn fool. He is elite, you're not, get over it.
Under the influence of Post-Cyberpunk Gonzo Journalism
Indeed, and the driver simply gets the address of a data structure (using an API call) and flips a bit in it. I suppose this is vague enough to not constitute copyright infringement (but I have the code on my screen right now).
Only it is defective by design, because "protected processes" are supposed to be immune to debugging, for example. Even if the current user has elevated privileges.
Actually, Windows versions as early as 2000 use a whitelist method of "protecting" processes: if the process name matches a hardcoded list, then Task Manager will refuse to kill it. This is so broken it's ludicrous: simply rename your process to any of the ones on the list, and it becomes unkillable. Programs such as PsKill will kill all processes, regardless of name.
Just trying to hold on to his job by helping out the trojan and virus writers.
Discovering a security hole is elite. Sitting on it and gloating is lame. I guess it's OK; both you and Ionescu will most likely reach the level of maturity required to understand this by your mid-20s. Now, why would I want to be elite in anything related to Vista? That's like being a world class expert on security in prison showers.
Depending on how this is done and how much evidence can be produced, this is illegal behavior.
Collusion happens all the time, and thanks to Republican sellou.. I mean our fine pro-market saviors, their activities are dismissed as "industry standards" and/or "the free market in action", and anyone who comes out calling a spade a spade is immediately plastered as a pinko communist.
Examples include ridiculously unreasonable EULAs, the incorporation of broadcast flag-like rules in the QAM cable standards (leveraging the DMCA to expand their monopoly powers from music to all electronics), and Microsoft's fine new program requiring Hollywood-approved DRM on any I/O device or program before it's given a logo and a signature.
Basically, until the apathetic and sheepish public stops buying the newspeak of "free market" and "industry standard", the minority of us who have more than 3 brain cells will be screwed ridiculously.
The boys in Redmond [...] will likely patch it on their own
Exactly. The results will be:
- An ever more broken Windows by adding a hack around this exploit
- A frenzy to hunt for more such exploits, since this can is open now
Bill Clinton or Bill Gates, speaking of dicking around? Ballmer, you been under Bill's desk, again?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Great, just fuckin' great... so M attempts to make a MORE SECURE operating system and instead makes a MORE SECURE OPERATING ENVIRONMENT for malware... M, keeping me in business forever...
They are kind of like a perpetual motion machine for Computer Techs...
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
This code is specific to Vista, but it doesn't exploit a Vista vulnerability.
The technique is applicable to any platform and exploits the well understood fact that if you can get a system to run your code at boot time, you can do anything you want with it, assuming you are willing to do the work it takes to do it without triggering wards (e.g. full disk encryption). Alex spent months on this.
I have all the reasons I need to give Vista a pass and wait for the OS Microsoft builds when they come to their senses and go back to a market-driven business model. This isn't one of those reasons.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
ROFLMAO
"Sitting on it and gloating is lame. I guess it's OK; both you and Ionescu will most likely reach the level of maturity required to understand this by your mid-20s." This whole post is just flamebait. He can build a very lucrative consulting business out of this, or get hired by a company that will pay him the salary he's worth; I mean, for all you know he's working at Kinkos. Besides, don't you think this is a little odd considering Vista is shipping with its own antivirus? Almost seems like M$'s AV could be guaranteed to work better than anything else. Either way, the nature of the bug is beyond our understanding and you or I are really in no place to judge his merit.
If you weren't using Microsoft's products you really wouldn't give a rats flippen ass about this. I don't.
Sorry, that was rude. The point is, though, that in a proprietary world "good net citizenship" is just that. If good net citizenship is not profitable, f*ck it; Symantec or any other AV co. would be sitting on this getting their panties wet pushing for the cover of Time magazine or the front page of the WSJ. This kid sits on it for a day and you're ready to lynch him.
Well, no, he's not working at Kinkos. His blog has a post about his interviews at Google, Apple AND Microsoft (Microsoft was the only one that disappointed him, although he says the campus visit was awesome, since they give you $75 a day to blow any way you want while you're there for an interview.)
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
People are accustomed to ordering from the menu. It's a rare person who doesn't. The problem here is that the menu is being controlled in market-manipulated ways.
Oh, he wants to work at Microsoft, this just reinforces my idea that he is holding on to this for heightened recognition. Had he released his info on day 1, it would be difficult to tell him apart from every plugger on /. running out to write their own version.
This is pure FUD because this tool requires administrative privileges, and this is possible also in Linux using the root account. With Linux, malware can replace the whole Linux kernel with a single command line!!! Linux is less safe than Vista.
... as every implementation thus far of this kind of walled garden implementation has ended in a single engineer or small group of engineers finding that one critical flaw that busts the entire thing open. Surely, all of these solutions are naive implementations of security through obscurity, which becomes obsolete the moment a sophisticated cracker obtains enough clock cycles to guess enough things about the implementation... i.e., trivial.
Voodoo Girl is the bomb!
Agree with you. If I am the computer _administrator_, I want complete and utter control over what is running on the machine. It's all or nothing.
The Vista model of watered-down administrator may make life easier for migrants from Win 9x, but ultimately restricts the functionality for high-end users.
I'd rather they still allowed full, uber-privileged rights to one account, be it Administrator or whatever, irrespective of what additional restrictions MS choose to place on other "administrator" accounts (which are apparently degraded to "power user" accounts these days anyway).
Anyway, as I may have stated previously, Windows 2003 Server for the win.
F_T
Doesn't WoW stand for World of Warcraft...
Liberty freedom are no1, not dicks in suits.
But what's to stop my program from pretending to be a debugger?
Also, what if a process outside of a debugger crashes, and you want to attach the debugger to find out why? Your suggestion completely eliminates this possibility.
AppArmor does much the same thing as protected processes. It just does it right.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
The Linux community hasn't been telling the MPAA and RIAA that they can prevent copyright violations by implementing technical measures like protected mode.
Microsoft wants people to believe that this mechanism can be used to create a secure environment for DRM applications to present protected content without their output being hijacked by the computer's owner (who of course has Administrator access). They have justified many appalling design decisions in Vista by saying they are required to provide this protection... and if it can be bypassed this easily then DRM has become Microsoft's WMDs.
The tool needs Admin privileges to work, and guess what you can do with that? Yes! Anything you like!
The whole fucking point is that you're not supposed to be able to do anything to protected processes no matter how many privileges you have.
Your total failure to grasp this simple fact is what makes your smug little comment so deliciously humiliating.
Shame on you.
If you had any sense of shame you would never post anything on the Internet again.
Guys, it's all very simple. When you realize that fanatic MS users are the same idiots who keep paying taxes, and *helped* Bush into power, you will then understand why all this is happening. You need to face the facts: behind any con job there is a MJIC (master joo in charge, in this case Gates), and he's just part of the "suck your money and time" scheme to make you into powerless, obeying, tax-paying sheep that can easily be confused and controlled. Be a man! Install Linux, say bye bye to the submentals rowing their dinghy on their way to insanity!