Slashdot Mirror


Researchers Show How To Take Control of Windows 7

alphadogg writes "Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday. Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. 'There's no fix for this. It cannot be fixed. It's a design problem,' Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack cannot be done remotely." Which makes me wonder why I'm posting this :)

12 of 325 comments

  1. Re:Critical information missing by amliebsch · · Score: 3, Interesting

    Another important piece of missing information: was BitLocker turned on? Did this defeat the full-disk encryption? THAT would be a story. Otherwise, BFD.

    --
    If you don't know where you are going, you will wind up somewhere else.
  2. Re:Physical Security is a big issue by Lovedumplingx · · Score: 2, Interesting

    I was thinking that same thing.

    Sure it's not really much of a problem for the home user but for the businessman/government worker who travels and leaves his laptop or has it stolen this means that the data on that machine will be compromised.

  3. Re:Yes, why post this? by MyDixieWrecked · · Score: 4, Interesting

    In today's virtual world, physical access to the machine doesn't mean meatspace access. My company and several of my friends' companies are looking into virtualized desktops by using small desktop boxes and low-end PCs to connect to PCs in the datacenter over either RDP or other proprietary protocols.

    With the proliferation of cloud-based applications, it's only a matter of time before someone offers a browser-based virtual desktop in the cloud. Once someone hacks into some server up there, they have physical access to the machines for all intents and purposes.

    This is a very interesting threat from a virtual infrastructure security standpoint.

    --
    ...spike
    Ewwwwww, coconut...
  4. Re:Attack requires editing RAM contents during boo by rs232 · · Score: 4, Interesting

    "The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot"

    'The latest version of VBootkit includes the ability to remotely control the victim's computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected'

    I thought BitLocker was supposed to defend against such exploits if the boot sequence was altered?

    --
    davecb5620@gmail.com
  5. Not necessarily by SpooForBrains · · Score: 4, Interesting

    The standard method of securing the data on your machine, which is what's important, is to encrypt it. So even if someone rips open the box, takes out the disk and puts it in another machine, the data should be safe, assuming the encryption algorithm and the user authentication processes are secure.

    However, if this exploit allows them access to the operating system on the disk, and allows them to subvert the user authentication process to grant themselves access to a user's account, then the data is compromised.

    So this exploit may have an application, not as an attack vector for writing a propagating worm or virus, but as a means to gain access to otherwise secure data.

    --
    "The dew has clearly fallen with a particularly sickening thud this morning"
  6. Re:Physical Security is a big issue by seanellis · · Score: 2, Interesting

    Given your mention of encryption-cracking clusters, I would be remiss not to post this XKCD comic in response.

  7. Missing the point folks... by minsk · · Score: 3, Interesting

    Everyone talking about this being irrelevant is missing the point. This attack does not make users significantly more vulnerable. Instead, it makes Windows more vulnerable to users.

    Hacking your own machine sounds laughable. But as long as vendors restrict usage, we need to keep reminding them that DRM is a fool's quest.

  8. Re:Boot from Live CD? by rantingkitten · · Score: 2, Interesting

    I don't think their point was really about being able to control a machine to which you have physical access, because as you pointed out there are any number of ways to do that, on any operating system. But this is a little different -- you're not bypassing the OS somehow (as you would with a live CD, bootable USB, or whatever). Here, you're actually accessing boot files, which you shouldn't be able to do, and exploiting that. Also, they're pointing out that Microsoft makes idiotic assumptions -- like the one where the boot process itself is immune to attack. It's a dangerous and stupid assumption to make, and because of that, it looks like it was easy to take advantage of.

    Anyone have a writeup of the actual exploit? I checked nvlabs and the hackinthebox conference site and didn't see anything.

    --
    mirrorshades radio -- darkwave, industrial, futurepop, ebm.
  9. Re:Boot from Live CD? by Anonymous Coward · · Score: 1, Interesting

    If you boot from a Live CD, since you have physical access to the machine, isn't it essentially the same thing?

    No, because the HD could be encrypted and if you want to steal the data you have to decrypt it first. With this method you don't need to decrypt anything.

  10. Re:Physical Security is a big issue by afidel · · Score: 2, Interesting

    The only way to inject code during boot if you are using BitLocker would be to use a DMA controller to do the injection. Firewire ports are one of the few devices commonly found in a PC with a DMA controller that can be used in this manner.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  11. Re:Physical access = root by blackest_k · · Score: 2, Interesting

    The only time a system can be protected from this type of stuff is if it's encrypted. But then again, that's only protecting someone from accessing information you want to keep private, not protecting from reinstalling your operating system.

    Funny how this kind of thing comes up at an appropriate moment: Ubuntu 9.04 on a fresh install asks if you want to encrypt your home directory, and it will be seamlessly decrypted when you use it.

    I thought about this, then decided against it; the risk of losing everything due to having it in an encrypted home folder outweighs the risk of my data being readable by someone having physical access to the machine. On the other hand, having everything easily readable doesn't appeal either, so I compromised and decided to use Ubuntu's built-in encryption for files to protect the important but replaceable stuff.

  12. Re:Physical Security is a big issue by imemyself · · Score: 2, Interesting

    If you're using full disk encryption with BitLocker or TrueCrypt or something then I doubt this would be effective. With both BitLocker and TrueCrypt, the only things that can be loaded without decrypting the drive are the bootloader/BitLocker/TrueCrypt software that prompts for the password or key. Unless someone has found a vulnerability in the actual encryption software that's used, I don't think it would be vulnerable in that way.

    --
    Every time you post an article on Slashdot, I kill a server. Think of the servers!