Slashdot Mirror


ATI Driver Flaw Exposes Vista Kernel to Attackers

Shack0ption writes "An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel. The utility, released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista — effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system. Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel."

3 of 248 comments

  1. Re:Kernel Type by TheRaven64 · Score: 4, Informative

    Depends. A video driver needs to be able to DMA data to and from the card. Even if it's in an isolated address space, a compromised driver can write all over physical memory by telling the card to. If you have an IOMMU then this can be alleviated somewhat. Some kernel component outside the driver could provide DMA apertures in the correct places, and if it did correct validation of the driver's requests (i.e. not let it open windows anywhere into memory except where it is owned by a process using the driver) then it would be possible for a microkernel to be safe from this kind of thing.

    --
    I am TheRaven on Soylent News
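The validation step described in the comment above (a kernel component outside the driver that only opens DMA windows into memory owned by a process using the driver) is easy to get subtly wrong, so here is an added illustration of that check as a stand-alone routine. This is example code written for this page, not part of any real driver or kernel; the ownership table, the process ids and the physical addresses are constructed sample data, and `validate_dma_aperture` / `check_sample_request` are hypothetical names. It deliberately rejects zero-length and wrapping requests before doing any range comparison, since a wrap-around is the classic way a containment test is fooled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A physical memory region and the process that owns it.
 * Constructed sample data; a real kernel would consult the
 * memory manager's page-ownership records instead. */
typedef struct {
    uint64_t base;
    uint64_t len;
    int owner_pid;
} phys_region;

/* Outcome of validating a driver's request to open a DMA aperture. */
typedef enum {
    APERTURE_OK = 0,
    APERTURE_EMPTY,     /* zero-length request */
    APERTURE_OVERFLOW,  /* base + len wraps around the address space */
    APERTURE_NOT_OWNED  /* window not fully inside a region owned by the requester */
} aperture_verdict;

/* Constructed ownership table for the example. */
static const phys_region owned_regions[] = {
    { 0x10000000ULL, 0x00100000ULL, 100 },  /* 1 MiB owned by pid 100 */
    { 0x20000000ULL, 0x00010000ULL, 200 },  /* 64 KiB owned by pid 200 */
};
static const size_t owned_region_count =
    sizeof owned_regions / sizeof owned_regions[0];

/* Decide whether the requesting process may have a DMA window opened at
 * [base, base + len). The window must lie entirely inside a single region
 * owned by that process; spanning two adjacent regions is rejected, which
 * is the conservative choice for a gatekeeper. */
aperture_verdict validate_dma_aperture(int requester_pid, uint64_t base, uint64_t len,
                                       const phys_region *regions, size_t count)
{
    if (len == 0)
        return APERTURE_EMPTY;
    /* Reject wrap-around before any comparison: with a huge len, base + len
     * would come out small and could pass the containment test below. */
    if (base > UINT64_MAX - len)
        return APERTURE_OVERFLOW;
    uint64_t end = base + len;  /* exclusive */

    for (size_t i = 0; i < count; i++) {
        const phys_region *r = &regions[i];
        if (r->owner_pid != requester_pid)
            continue;
        /* Skip malformed table entries whose own end would wrap. */
        if (r->len > UINT64_MAX - r->base)
            continue;
        if (base >= r->base && end <= r->base + r->len)
            return APERTURE_OK;
    }
    return APERTURE_NOT_OWNED;
}

/* Convenience wrapper over the constructed table. */
aperture_verdict check_sample_request(int pid, uint64_t base, uint64_t len)
{
    return validate_dma_aperture(pid, base, len, owned_regions, owned_region_count);
}

static const char *verdict_name(aperture_verdict v)
{
    switch (v) {
    case APERTURE_OK:        return "OK";
    case APERTURE_EMPTY:     return "EMPTY";
    case APERTURE_OVERFLOW:  return "OVERFLOW";
    case APERTURE_NOT_OWNED: return "NOT_OWNED";
    }
    return "?";
}

int main(void)
{
    /* A few constructed requests: a legitimate one, one aimed at another
     * process's memory, one that runs past its region, and a wrapping one. */
    printf("%s\n", verdict_name(check_sample_request(100, 0x10000000ULL, 0x1000ULL)));
    printf("%s\n", verdict_name(check_sample_request(100, 0x20000000ULL, 0x100ULL)));
    printf("%s\n", verdict_name(check_sample_request(200, 0x20000000ULL, 0x10001ULL)));
    printf("%s\n", verdict_name(check_sample_request(100, 0xFFFFFFFFFFFFFF00ULL, 0x200ULL)));
    return 0;
}
```

The design point is the ordering: the emptiness and overflow checks come first and are unconditional, so the per-region containment loop never sees a range it cannot compare safely. An IOMMU would enforce the resulting window in hardware; this routine is only the policy decision in front of it.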
  2. Re:Kernel Type by drawfour · Score: 4, Informative

    You may have missed the part in the article where the kernel *knows* it's running unsigned binaries, and thus turns off the DRM stuff. So there is no way to strip out the DRM, since that capability will be turned off when the system detects it's running unsigned binaries.

    From the article:

    Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded. This also means that PMP will become aware that the driver is loaded, and disable high-definition media playback. This means that this tool will not help you bypass DRM in any way, because the original Vista protection mechanisms are still in place. Note that on Vista 32-bit, this behavior already exists by default in the OS, so it is not a "bug" of Purple Pill.
  3. Re:Let's blame Microsoft by drawfour · Score: 4, Informative

    You do realize that the kernel does not do any signing, that's Verisign's job, right? The kernel only verifies that the signature is valid (and trusted). All this hack is doing is causing the kernel to turn off the part where it refuses to load an unsigned driver.

    From the article:

    Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded.