Slashdot Mirror

← Back to Stories (view on slashdot.org)

ATI Driver Flaw Exposes Vista Kernel to Attackers

Posted by CowboyNeal on from the sneaking-in dept.

Shack0ption writes "An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel. The utility, released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista — effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system. Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel."

22 of 248 comments (clear)

  1. trusted computing by Anonymous Coward · · Score: 3, Insightful

    ok...
    so windows vista trusts ATI.
    ATI trusts themselves.
    I don't trust no one, especially closed-source drivers from ATI.

    shouldn't they simply replace their "fglrx" with "ati", in their xorg.conf?

  2. So I read it right? by Wooky_linuxer · · Score: 4, Funny

    Vista has an anti-DRM mechanism built-in? Wow, and I thought Linux stood for free sofware... way to go Redmond!

    --
    Where is that guy who'd die defending what I had to say when I need him?
  3. That's why microkernels are useful by Anonymous Coward · · Score: 3, Interesting

    if each driver had its own separate space, this flaw wouldn't affect the rest of the system.

    1. Re:That's why microkernels are useful by A+non-mouse+Coward · · Score: 4, Interesting

      Mod Parent Up.

      Even Microsoft Research is looking into making microkernel operating systems with their Singularity project.

      Of course, the Minix 3 Project has been doing this for awhile, supposedly even having a fully POSIX compliant product at this point.

      The major design factor of Microkernels is that it's bad practice to have a trusted path from any driver or system service in kernelspace to any other driver or system service in kernelspace. Just because you're "in" doesn't mean that anything else that's "in" should trust you.

      The largest hurdle microkernels have to overcome, however, is the problem of DMA. As long as a malicious ATI video card (nevermind the driver) has direct access to all memory locations via DMA, it could easily just patch the driver's memory at runtime every time via hardware. That's why microkernel development is going to have to go hand-in-hand with tools like IOMMU, for controlling access to critical areas of memory.

      Of course, critics often complain about Inter-process Communication (IPC) as being another limitation to microkernels, but at this point, it's really just an implementation hurdle as there are several ways to get processes that are in different memory spaces to communicate with high performance, especially as Moore's Law brings CPUs faster and faster.

      --
      libertarian: (n) socially liberal, financially conservative; neither left, nor right.
  4. Rules of the Road by mfh · · Score: 4, Interesting

    When hardware drivers are responsible for system integrity, all hope of safety is permanently lost. Introducing the new battleground for virus writers... fake patches:

    YOUR VIDEO CARD NEEDS NEW DRIVERS: CLICK NEXT!!!!!

    --
    The dangers of knowledge trigger emotional distress in human beings.
  5. Ah, you kids have it easy... by Glowing+Fish · · Score: 4, Insightful

    The fact that people are actually going to the lengths of breaking into Windows by using a legitimate driver with kernel access to load in rootkits...the fact that it even requires explaining, means that Windows has reached some type of real security. I mean, with Windows 98, you would just hit enter on the login dialog box, and there you were!

    --
    Hopefully I didn't put any [] around my words.
  6. ATI will patch this by Dekortage · · Score: 4, Insightful

    Seems like the real concern is not that ATI's code opens a security hole. You know ATI will patch it. A more important question is, how many other securely-signed drivers, etc., have similar holes? How many drivers are there in a typical Windows Vista system, anyway?

    At least Microsoft can say (with some truth) that it's not THEIR software which introduces the problem! (it actually is, of course, but not directly)

    --
    $nice = $webHosting + $domainNames + $sslCerts
  7. Re:Bug or feature? by mugenjou · · Score: 3, Insightful

    I guess it's a feature to the bad guys. To everyone else, it's a bug. I guess it's a bug to Microsoft and the content industries. To everyone else, it's a feature.
    --
    DualBrain - Level Up Your Brain! - now available on your iPhone!
  8. Re:Kernel Type by TheRaven64 · · Score: 4, Informative

    Depends. A video driver needs to be able to DMA data to and from the card. Even if it's in an isolated address space, a compromised driver can write all over physical memory by telling the card to. If you have an IOMMU then this can be alleviated somewhat. Some kernel component outside the driver could provide DMA apertures in the correct places, and if it did correct validation of the driver's requests (i.e. not let it open windows anywhere into memory except where it is owned by a process using the driver) then it would be possible for a microkernel to be safe from this kind of thing.

    --
    I am TheRaven on Soylent News
  9. Re:Let's blame Microsoft by bl8n8r · · Score: 4, Funny

    Very quickly.

    You must be new here, so I'll try and enlighten you.

    You see, Microsoft is a lot like the smelly kid in 3rd grade that
    used to drop a load in his shorts and not say anything while
    everyone wandered around trying to figure out what died, where.

    After a few of these episodes, whenever there was a strange smell,
    it would come to pass that the smelly kid dropped another load.

    Now, to make matters worse for the smelly kid, imagine him running
    around telling everyone that he has solved the problem*. People are
    relieved for a while until, guess what? The smelly kid drops another
    load. How can this happen, isn't this supposed to be fixed?

    This insane cycle of disappointment/re-assurance causes people to
    get cynical very quickly and as a result, causes people to start complaining
    very quickly.

    [*] - http://news.com.com/Allchin+Buy+Vista+for+the+secu rity/2100-1012_3-6032344.html

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  10. Re:Kernel Type by drawfour · · Score: 4, Informative
    You may have missed the part in the article where the kernel *knows* it's running unsigned binaries, and thus turns off the DRM stuff. So there is no way to strip out the DRM, since that capability will be turned off when the system detects it's running unsigned binaries.

    From the article:

    Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded. This also means that PMP will become aware that the driver is loaded, and disable high-definition media playback. This means that this tool will not help you bypass DRM in any way, because the original Vista protection mechanisms are still in place. Note that on Vista 32-bit, this behavior already exists by default in the OS, so it is not a "bug" of Purple Pill.
  11. Re:Let's blame Microsoft by drawfour · · Score: 4, Informative
    You do realize that the kernel does not do any signing, that's Verisign's job, right? The kernel only verifies that the signature is valid (and trusted). All this hack is doing is causing the kernel to turn off the part where it refuses to load an unsigned driver.

    From the article:

    Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded.
  12. Comforting, in a way... by an.echte.trilingue · · Score: 4, Funny

    For my part, I'm not going to play the blame game since I don't know better either way. I am, however, in some strange way comforted to see that Windows users are starting to have issues with ATI drivers, too.

    All those years of trying to get fglrx to work, avenged!

    So, is that what you call passive aggression?

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  13. Re:lol wut by fuzzix · · Score: 4, Interesting

    We need to strip ATi of its driver team, and then strip nVidia of their hardware team, and merge the remainder.

    What does it matter? Neither of them bother with proper overlay any more.

    My last nVidia card was simply without overlay hardware. My last ATi card's overlay dropped resolution when a high refresh rate was used. At least the nVidia card could play a video at full res without resorting to GL.

    It's not all about the 3D... :)

    You do have a point about the drivers, though. While closed, nVidia's Linux module hasn't provided nearly as much heartache as ATi's... abomination.
  14. Re:Let's blame Microsoft by morgan_greywolf · · Score: 5, Insightful

    (BTW--I've been using Linux as my primary OS since 1996, so no I'm not Linux bashing)

    Well, one thing to consider is this -- how different are other OSes like Linux? With Linux, a root exploit in a kernel module gains you access to the whole system as well, especially when you consider that it uses a monolithic kernel. IOW, kernel modules directly patch the Linux kernel, live, in memory. Now consider that the ATI drivers for Linux are based at least in part on the ATI drivers for Windows.

    Mind you that some things like SELinux might help to mitigate some of this in some scenarios, but not in all.

    --
    My blog
  15. It will not work. Ever. by Opportunist · · Score: 4, Insightful

    Actually I'm amazed it took almost a year. I would've betted my annual income that something like this would surface before May.

    Let's take a look at the inner workings of the system. Yes, MS has full access to the source code, so their drivers will probably not leak. They also have no "real" competition on the OS market (yes, there's Linux, there's MacOS, but what company would switch?). They can take their time to proof and perfect their drivers until you can be certain that they don't leak.

    Do third party vendors have the source? No. Do they have tight schedules and competition breathing down their neck? You bet. Will they prefer performance or security? Well, what of those two is tested on pages like THG?

    Worse yet, what if such a driver actually allows a user to "crack open" his system and use it as he pleases? Could you see people buy a cheap ATI card just for the purpose of disabling the DRM? I mean, there have been really, really crappy games for some consoles that sold surprisingly well, because they contained a bug that allowed disabling certain security measures. Save-game exploits were quite popular for a while.

    Could you see that this "security" bug could actually be a selling argument FOR the hardware rather than against it?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Re:Let's blame Microsoft by Tim+C · · Score: 5, Insightful

    Each of those probably stands a 50-50 chance of being either rooted or patched with the new key the first time it's connected to the 'net.

    It's a local exploit.

    did I mention that finding another bug in another driver signed with the new key will mean the whole process must be repeated?

    Third parties write crap, exploitable code and it's MS's fault? You can write exploitable kernel modules for Linux as well, yet somehow I don't think you'd be blaming that on Linus. If anything, this is an argument for open source drivers, not against MS's scheme - although how many people actually have the skill to audit the code they run, let alone auditing it?

    did I mention that if someone finds such a bug and sits on it, they have root to any Vista system in existence

    Every Vista install that uses the exploitable driver, you mean. Just as an exploitable driver for Linux would open every Linux install that uses that driver. For example, I have an NVidia card; as and when I upgrade to Vista, I won't be vulnerable to this particular exploit.

    Try to tone the hyperbole down a little, it's not very becoming.

    --
    It's official. Most of you are morons.
  17. My understanding was that video runs in ring 3 by NullProg · · Score: 3, Interesting

    Oops, I guess not....

    Because WPF is largely written in managed code on the common language runtime, it never ran in kernel mode. There are elements of WPF (called the MIL) that are written in unmanaged code, but that code also largely runs (and always has run) in user mode. Insofar as WPF needs to touch kernel mode stuff (e.g., drivers), it interacts with them through the existing DirectX APIs. The user mode and kernel mode aspects of the WPF architecture haven't changed.
    http://arstechnica.com/news.ars/post/20051216-5788 .html

    So what did Microsoft gain with the Vista GDI changes?

    Enjoy,

    --
    It's just the normal noises in here.
  18. purple pill? O.o by Spy+der+Mann · · Score: 3, Funny
    I only knew about the red pill and the blue pill. Hmmmmmmmmmm........

    Morpheus: This is your last chance, Neo. After this, there is no turning back.
    You take the blue pill, the story ends, you awake in your bed and believe whatever you want to believe. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit-hole goes.Remember: all I'm offering is the truth, nothing more.
    Neo: And the purple pill?
    Morpheus: Oh, the purple pill gets you high. I can't guarantee what happens later.
    Neo: I'll take the purple pill. (*gulp*)
    (After a short pause...)
    Whoa, dude, I can see what's behind the mirror! Whoa... everything's like computer code! I understand what the Matrix is now!!
    (Back in the nebuchadnezzar...)
    WE'RE LOSING HIM!
    Neo: I can fly dude!!! Excellent!!!
    Flatline: beeeeeeeeeeeeeeeeeeeeeeeep....

    (Some time later...)
    Trinity: Seriously, Morpheus. This is the 20th time we lose a potential "One" because of the purple pill!
    Morpheus: He wasn't "The One". "The One" would have survived.
    Trinity: Idiot.


    Now, seriously, what's "purple pill"?
  19. Re:Let's blame Microsoft by mhall119 · · Score: 3, Insightful

    Malicious to whom? This systems seems designed more to prevent the installation of kernel-mode drivers that would allow the circumvention of things like DRM. I guess it could stop the installation of rootkits too, but there are other ways to stop them. It's funny (to me at least) that there are things that Windows can stop even an Administrator from doing on their own machine.

    --
    http://www.mhall119.com
  20. Re:Really cleaning up the Internet by Knight2K · · Score: 3, Insightful

    1. It is important to use the correct names for things. The word "terrorist" is subset of "criminal". My working definition of 'terrorist', which can doubtless be improved on, is: one who uses violence to create terror or panic within a populace in order to achieve political ends. Without the political component, a terrorist is simply a criminal guilty of assault, murder, theft, etc. and should be caught and prosecuted accordingly. By using this term incorrectly, you are just as guilty of spreading FUD as the U.S. government. While this may be an effective way to get attention, it is alarmist, unethical, and immoral.

    By expanding the meaning of the term, the government has been able to greatly expand its power at the expense of its citizens. It certainly is important to catch and prosecute cyber-criminals, but discuss it rationally and pass appropriate, targeted laws to deal with the problem. More importantly, enforce the ones that already exist.

    2. In most cases, a non-anonymous network would probably be fine, as long as encryption was used to keep data private. Unfortunately, we live in a world where, in some places, using encryption will get you tossed in jail, regardless of the content. In other words, it can be important to hide not only what you sent, but the fact that you sent it. A concrete example would be blogging in China. Given recent events with the NSA, I wouldn't be surprised if the U.S. government starts to take a more active role in discouraging personal strong encryption. How do we solve that problem?

    3. Guantanamo is one of the worst violations of human rights in recent history. Even the basest criminals are entitled to due process. That's what makes our system justice and not revenge. The United States is NOT the world police. There is a process to be followed to enforce change in other countries. The lack of serious international backing is part of our problem in Iraq. The U.S., despite being the last world superpower, does not have the resources to fight every battle and prosecute every crime that other countries won't deal with.

    You are right that we need effective computer crime laws and effective enforcement of them. The way to do it is to lobby other countries for this and establish treaties with them. Use diplomacy and sanctions where necessary. It isn't impossible; if we can get intellectual property laws perverted across the globe, surely we can expend the effort needed to reach cyber-criminals where ever they choose to hide.

    4. The government is supposed to work for us, but it needs watching. One of the most important lessons of modern history is that we have to be active and mistrustful of government, in order for it to function correctly. The Bay of Pigs was the first warning and the Watergate scandal made this manifest. The Iraq war, NSA wiretapping, and the PATRIOT Act are examples of what happens when we fail to perform our role of government watchdog. I'm not going to trust the government on who the bad guys are. I want the FBI, the CIA, Interpol, etc. to gather evidence and arrest criminals and bring them before the appropriate judicial authority and prove their case before the public.

    You are correct that this is a serious international problem and needs serious international intervention, but it also has to be done right.

    --
    ======
    In X-Windows the client serves YOU!
  21. Re:No shit by mhall119 · · Score: 4, Funny

    It makes me wonder what Microsoft's security qualifications really are for a signed kernel level driver. I believe they use the Verisign security test: If the check clears the bank, the code is secure.
    --
    http://www.mhall119.com