Slashdot Mirror

← Back to Stories (view on slashdot.org)

ATI Driver Flaw Exposes Vista Kernel to Attackers

Posted by CowboyNeal on from the sneaking-in dept.

Shack0ption writes "An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel. The utility, released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista — effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system. Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel."

15 of 248 comments (clear)

  1. So I read it right? by Wooky_linuxer · · Score: 4, Funny

    Vista has an anti-DRM mechanism built-in? Wow, and I thought Linux stood for free sofware... way to go Redmond!

    --
    Where is that guy who'd die defending what I had to say when I need him?
  2. Rules of the Road by mfh · · Score: 4, Interesting

    When hardware drivers are responsible for system integrity, all hope of safety is permanently lost. Introducing the new battleground for virus writers... fake patches:

    YOUR VIDEO CARD NEEDS NEW DRIVERS: CLICK NEXT!!!!!

    --
    The dangers of knowledge trigger emotional distress in human beings.
  3. Ah, you kids have it easy... by Glowing+Fish · · Score: 4, Insightful

    The fact that people are actually going to the lengths of breaking into Windows by using a legitimate driver with kernel access to load in rootkits...the fact that it even requires explaining, means that Windows has reached some type of real security. I mean, with Windows 98, you would just hit enter on the login dialog box, and there you were!

    --
    Hopefully I didn't put any [] around my words.
  4. ATI will patch this by Dekortage · · Score: 4, Insightful

    Seems like the real concern is not that ATI's code opens a security hole. You know ATI will patch it. A more important question is, how many other securely-signed drivers, etc., have similar holes? How many drivers are there in a typical Windows Vista system, anyway?

    At least Microsoft can say (with some truth) that it's not THEIR software which introduces the problem! (it actually is, of course, but not directly)

    --
    $nice = $webHosting + $domainNames + $sslCerts
  5. Re:Kernel Type by TheRaven64 · · Score: 4, Informative

    Depends. A video driver needs to be able to DMA data to and from the card. Even if it's in an isolated address space, a compromised driver can write all over physical memory by telling the card to. If you have an IOMMU then this can be alleviated somewhat. Some kernel component outside the driver could provide DMA apertures in the correct places, and if it did correct validation of the driver's requests (i.e. not let it open windows anywhere into memory except where it is owned by a process using the driver) then it would be possible for a microkernel to be safe from this kind of thing.

    --
    I am TheRaven on Soylent News
  6. Re:Let's blame Microsoft by bl8n8r · · Score: 4, Funny

    Very quickly.

    You must be new here, so I'll try and enlighten you.

    You see, Microsoft is a lot like the smelly kid in 3rd grade that
    used to drop a load in his shorts and not say anything while
    everyone wandered around trying to figure out what died, where.

    After a few of these episodes, whenever there was a strange smell,
    it would come to pass that the smelly kid dropped another load.

    Now, to make matters worse for the smelly kid, imagine him running
    around telling everyone that he has solved the problem*. People are
    relieved for a while until, guess what? The smelly kid drops another
    load. How can this happen, isn't this supposed to be fixed?

    This insane cycle of disappointment/re-assurance causes people to
    get cynical very quickly and as a result, causes people to start complaining
    very quickly.

    [*] - http://news.com.com/Allchin+Buy+Vista+for+the+secu rity/2100-1012_3-6032344.html

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  7. Re:Kernel Type by drawfour · · Score: 4, Informative
    You may have missed the part in the article where the kernel *knows* it's running unsigned binaries, and thus turns off the DRM stuff. So there is no way to strip out the DRM, since that capability will be turned off when the system detects it's running unsigned binaries.

    From the article:

    Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded. This also means that PMP will become aware that the driver is loaded, and disable high-definition media playback. This means that this tool will not help you bypass DRM in any way, because the original Vista protection mechanisms are still in place. Note that on Vista 32-bit, this behavior already exists by default in the OS, so it is not a "bug" of Purple Pill.
  8. Re:Let's blame Microsoft by drawfour · · Score: 4, Informative
    You do realize that the kernel does not do any signing, that's Verisign's job, right? The kernel only verifies that the signature is valid (and trusted). All this hack is doing is causing the kernel to turn off the part where it refuses to load an unsigned driver.

    From the article:

    Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded.
  9. Comforting, in a way... by an.echte.trilingue · · Score: 4, Funny

    For my part, I'm not going to play the blame game since I don't know better either way. I am, however, in some strange way comforted to see that Windows users are starting to have issues with ATI drivers, too.

    All those years of trying to get fglrx to work, avenged!

    So, is that what you call passive aggression?

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  10. Re:lol wut by fuzzix · · Score: 4, Interesting

    We need to strip ATi of its driver team, and then strip nVidia of their hardware team, and merge the remainder.

    What does it matter? Neither of them bother with proper overlay any more.

    My last nVidia card was simply without overlay hardware. My last ATi card's overlay dropped resolution when a high refresh rate was used. At least the nVidia card could play a video at full res without resorting to GL.

    It's not all about the 3D... :)

    You do have a point about the drivers, though. While closed, nVidia's Linux module hasn't provided nearly as much heartache as ATi's... abomination.
  11. Re:Let's blame Microsoft by morgan_greywolf · · Score: 5, Insightful

    (BTW--I've been using Linux as my primary OS since 1996, so no I'm not Linux bashing)

    Well, one thing to consider is this -- how different are other OSes like Linux? With Linux, a root exploit in a kernel module gains you access to the whole system as well, especially when you consider that it uses a monolithic kernel. IOW, kernel modules directly patch the Linux kernel, live, in memory. Now consider that the ATI drivers for Linux are based at least in part on the ATI drivers for Windows.

    Mind you that some things like SELinux might help to mitigate some of this in some scenarios, but not in all.

    --
    My blog
  12. It will not work. Ever. by Opportunist · · Score: 4, Insightful

    Actually I'm amazed it took almost a year. I would've betted my annual income that something like this would surface before May.

    Let's take a look at the inner workings of the system. Yes, MS has full access to the source code, so their drivers will probably not leak. They also have no "real" competition on the OS market (yes, there's Linux, there's MacOS, but what company would switch?). They can take their time to proof and perfect their drivers until you can be certain that they don't leak.

    Do third party vendors have the source? No. Do they have tight schedules and competition breathing down their neck? You bet. Will they prefer performance or security? Well, what of those two is tested on pages like THG?

    Worse yet, what if such a driver actually allows a user to "crack open" his system and use it as he pleases? Could you see people buy a cheap ATI card just for the purpose of disabling the DRM? I mean, there have been really, really crappy games for some consoles that sold surprisingly well, because they contained a bug that allowed disabling certain security measures. Save-game exploits were quite popular for a while.

    Could you see that this "security" bug could actually be a selling argument FOR the hardware rather than against it?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Re:Let's blame Microsoft by Tim+C · · Score: 5, Insightful

    Each of those probably stands a 50-50 chance of being either rooted or patched with the new key the first time it's connected to the 'net.

    It's a local exploit.

    did I mention that finding another bug in another driver signed with the new key will mean the whole process must be repeated?

    Third parties write crap, exploitable code and it's MS's fault? You can write exploitable kernel modules for Linux as well, yet somehow I don't think you'd be blaming that on Linus. If anything, this is an argument for open source drivers, not against MS's scheme - although how many people actually have the skill to audit the code they run, let alone auditing it?

    did I mention that if someone finds such a bug and sits on it, they have root to any Vista system in existence

    Every Vista install that uses the exploitable driver, you mean. Just as an exploitable driver for Linux would open every Linux install that uses that driver. For example, I have an NVidia card; as and when I upgrade to Vista, I won't be vulnerable to this particular exploit.

    Try to tone the hyperbole down a little, it's not very becoming.

    --
    It's official. Most of you are morons.
  14. Re:No shit by mhall119 · · Score: 4, Funny

    It makes me wonder what Microsoft's security qualifications really are for a signed kernel level driver. I believe they use the Verisign security test: If the check clears the bank, the code is secure.
    --
    http://www.mhall119.com
  15. Re:That's why microkernels are useful by A+non-mouse+Coward · · Score: 4, Interesting

    Mod Parent Up.

    Even Microsoft Research is looking into making microkernel operating systems with their Singularity project.

    Of course, the Minix 3 Project has been doing this for awhile, supposedly even having a fully POSIX compliant product at this point.

    The major design factor of Microkernels is that it's bad practice to have a trusted path from any driver or system service in kernelspace to any other driver or system service in kernelspace. Just because you're "in" doesn't mean that anything else that's "in" should trust you.

    The largest hurdle microkernels have to overcome, however, is the problem of DMA. As long as a malicious ATI video card (nevermind the driver) has direct access to all memory locations via DMA, it could easily just patch the driver's memory at runtime every time via hardware. That's why microkernel development is going to have to go hand-in-hand with tools like IOMMU, for controlling access to critical areas of memory.

    Of course, critics often complain about Inter-process Communication (IPC) as being another limitation to microkernels, but at this point, it's really just an implementation hurdle as there are several ways to get processes that are in different memory spaces to communicate with high performance, especially as Moore's Law brings CPUs faster and faster.

    --
    libertarian: (n) socially liberal, financially conservative; neither left, nor right.