Researchers Show How To Take Control of Windows 7
alphadogg writes "Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday. Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. 'There's no fix for this. It cannot be fixed. It's a design problem,' Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack can not be done remotely." Which makes me wonder why I'm posting this :)
bwa-ha-haaa! the first hack documented
if this is supposed to be a new economy, how come they still want my old fashioned money?
that's how I take over the story!
:O
Do you mean to tell me that a Microsoft product has a security vulnerability? I simply just can't believe it...
We hear about it all the time, laptops being stolen, left out, all with tons of sensitive data. Combine this with a lot of companies having very poor physical security this could be more than something to just write off.
The musings of just another geek and his junk.
If you got physical access already, it shouldn't be a surprise you can root the box.
If someone has physical control of the machine, all bets are off.
Rule 1 of computers is, if someone has physical access to your machine, it has already been compromised. I always design my security around this fact, and if a machine needs to be secure against attack, it will be physically secure.
It's been a long time.
You need full, physical control of a computer running Windows 7 in order to get software access to it?
Just have the initial virus/exploit write onto a bootable device, like a USB key - and then force a reboot. The user will just think "aww, crap, why'd it just reboot" - and you got em.
This is barely a hack. I can steal any car in the world. Give me the keys, some gas, and park it in my driveway. Watch me steal it with ease! HA!
If you boot from a Live CD, since you have physical access to the machine, isn't it essentially the same thing? I'm confused about how this is a vulnerability.
-- NeilO
There's a rather important aspect of this that's not discussed - how does this code get onto the computer in the first place to be executed during boot ?
You need physical access to the machine. Cant be done remotely. So nothing new.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
If you give me physical access to a Linux machine, I can have it doing as I please faster than Vista.
This is contrasted with Mac OSX which uses a combination of Gracie-style Brazilian Jiu Jitsu, Hapkido, and oratorical prowess to keep would-be haxors at bay while the police are enroute. Or the Linux lack of social skills which avoids "physical access" altogether.
THL phish sticks
I'm as anti-Microsoft as the rest of you (at least the intelligent folk), but are you all seriously claiming that Linux or Unix distros are immune to tampering with the boot partition?
I would assume the only way to be immune against this type of attack would be encrypting the system partition, and a "bootkit" as they seem to be calling it that is aware of encryption may even be able to deal with that.
What's the story here again? That booting into a secondary OS gives you full control of data on an unencrypted hard drive?
Get physical access to computer. Take computer.
...Windows 7 takes control of you!
"The difference between genius and stupidity is that genius has its limits" - Albert Einstein
if it is a remote exploit that doesn't involve user interaction, I definitely want to hear about it (like homeland security's red=everybody panic)
If it is a remote exploit that requires user interaction, I still want to hear about it (condition=orange)
If it is a local exploit/privilege escalation that doesn't require root, it might be interesting (yellow)
If it is a local exploit that requires root privileges, leave it off the front page.
I have no love of M$, but come on. If you have physical access to a computer, and at boot time no less, you can do whatever the #@!! you want.
if this is the biggest flaw redmond has in W7, that's not so bad.
Till I saw "physical access." If someone is _that_ determined to compromise a machine they will walk off with the HDD.
I can steal any car in the world. Give me the keys, some gas, and park it in my driveway. Watch me steal it with ease! HA!
Interesting idea. While the current version requires physical access, it doesn't strike me that one would need all that much to make it work remotely with a trojan or similar.
Basically, it's a revisit of the boot-sector virus of old, which will prove to be an issue for just about any OS, most likely.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
What I find interesting is the people who are trumpeting this as a horrible security vulnerability, despite needing physical access to the machine, are likely to be the same ones who discounted the Intel cache overflow exploit being easier to execute on Linux than other systems, but you need to run as root on Linux as "If someone has root, it's your fault anyways." So what makes this one more egregious in their eyes? You can run root over a network. That seems worse than needing physical access to the machine, imo. It just goes to show, no OS is completely safe, no matter what, and user education is the key. Not security through obscurity.
Canada: The US's more awesome sibling.
The problem goes even deeper. The bios is insecure. You can put bootable media in it and access your drives. They really should start epoxy potting the whole machine with a harddrive with windows preinstalled and no longer allowing any other bootable media.
The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot. The attacker loads an app from a CD-ROM which then itself executes the normal Windows boot process while aggressively patching software in memory. This also isn't a Windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.
No kidding!!! What do you say at this point?
While uninteresting for worms, this is probably a nice way for pirates to hack Windows 7..
I'm not sure if they have cracked it already or not, since I'm still on XP.
"What I find interesting is the people who are trumpeting this as a horrible security vulnerability"
Where did you read that, from a quick browse most/all of them mention physical access. Where are all these nay-sayer comments?
"are likely to be the same ones who discounted the Intel cache overflow exploit being easier to execute on Linux than other systems"
That's what's known as a straw man argument. As in making up imaginary quotes on another thread and addressing them instead of the current subject, which is researchers demoing proof-of-concept code to take control of a Windows 7 virtual machine while it was booting up.
davecb5620@gmail.com
'There's no fix for this. It cannot be fixed. It's a design problem,
There is always a fix. Every vulnerability is a "design problem". Sometimes the code to fix it is a separate app (e.g. firewall, virus protection), and sometimes it requires modification to the code. There is always a fix in software - it's just a matter of making it.
This guy stating there is no fix, it can't be fixed is making statements about as dumb as those who say their favorite OS (e.g. OS X) is immune from any virus/worms/hacks.
I do not support "The Man". I also do not support your irrational stupidity
If you have to be present to perform the hack, then you could always just hit the PC repeatedly with a hammer if for some reason it doesn't work.
At first glance at the thread title, my first thought was pop a Linux CD into the drive and reboot
Voila no more Win7
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
But who would want to take control of a computer with windows 7 on it? It is like hijacking a garbage scow.
Even if they do checksum/hash memory constantly, it doesn't make a damn bit of difference. If you can patch memory, you can patch the code to remove checks. In fact, the Vista/7 bootloader does not only checksums but signature checks.
"The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot"
'The latest version of VBootkit includes the ability to remotely control the victim's computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected'
I thought BitLocker was supposed to defend against such exploits if the boot sequence was altered?
davecb5620@gmail.com
This also isn't a windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.
Even that wouldn't matter, because the first thing I'd in-memory patch is the checksum algorithm to always return 'ok'.
The only real way to resolve this would be a-la console style 'trusted computing, and digital signatures through the whole bios and bootstrap process'. Of course, even this could be 'hacked' or 'modchipped' but at least it wouldn't be as simple as just putting in a disk.
There is no security if they have enough physical access.
...someone has physical access to my computer shouldn't mean they have access to the data stored on that computer. This is NOT acceptable. Users need to adjust their expectations and DEMAND better security. Tired of this BS, "If someone has physical access..."
Computer thefts are not rare occurrence to say it is acceptable if someone already has computer they might as well have the data!
I thought that was part of the bitlocker boot process, that the unencrypted boot files have their checksums stored in the tpm
Because you are a Microsoft hating troll
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
... the reason you are posting this article is to spread anti-microsoft hate and FUD for no reason.
Why not post:
With a gentoo install CD you can gain control of any linux system by overwriting key /etc/ files to give yourself root access unless you use encrypted drives...
More useless propaganda from an MS-hater. I mean seriously, this is news? Next thing you'll post is the Windows 7 has a horrible exploit that crashes it every time you shoot the PC with a shot gun.
Don't we have a NO FUD policy for articles?
"Everyone is entitled to be stupid, but some abuse the privilege", as a result of this abuse, your Stupid License has been suspended for 60 days.
-=[ Who Is John Galt? ]=-
Please explain in detail how one would make this work without physical access to the box.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Reminds me of the Shatter attack, which was also "unfixable" until Vista fixed it.
But unlike the Shatter attack, we don't even have to wait for a fix. Just turn on Bitlocker. There, fixed that unfixable problem for ya. With a security feature already present in the OS. Kinda makes you wonder what their definition of "unfixable" is...
Jeeze, hyperbole much?
Hmmm didn't ubuntu 9.04 beat windows pants down ??
Chris ,
Php Programmers.
The remote access and privilege level exploits are only possible after VBootkit has been patched into memory. BitLocker protects against patching the OS on the disk, but I don't think it offers any protection against changing the OS contents, beyond the "user input" requirement for boot (either a PIN or a physical device, which this software may or may not be able to bypass).
No kidding!!! What do you say at this point?
Oh my god, windows can be hacked! With physical access! THIS IS HUGE! WINDOWS SUCKS MICROFOSFT IS TEH DEVAL OOH NOES!!1!one
Linux... Mac OS, Windows, ANYTHING... can be hacked with physical access. Period. If you have the time and the access there is no security beyond encryption and even that can eventually be defeated. This seems like just another lame "bash microsoft" post. Yeah you hate them, sure we know it. Get over it. They didn't become one of the largest software providers on earth by use of magic and lolly pops (though it did take a few suckers here and there).
The worst part is that its a bunch of security researchers that blew time on this bullshit and then in the end said "but don't worry it doesn't matter." Then why the fuck did you bother with it? Congratulations for proving what the whole fucking security industry already knew captain obvious! Whats next, going to tell us that wireless routers have a physical switch vulnerability when the default password is used? Do us all a favor and fly out that window and save the world buddy.
The standard method of securing the data on your machine, which is what's important, is to encrypt it. So even if someone rips open the box, takes out the disk and puts it in another machine, the data should be safe, assuming the encryption algorithm and the user authentication processes are secure.
However, if this exploit allows them access to the operating system on the disk, and allows them to subvert the user authentication process to grant themselves access to a user's account, then the data is compromised.
So this exploit may have an application, not as an attack vector for writing a propagating worm or virus, but as a means to gain access to otherwise secure data.
"The dew has clearly fallen with a particularly sickening thud this morning"
I overlooked it, it's explained well below.
No kidding!!! What do you say at this point?
Everyone talking about this being irrelevant is missing the point. This attack does not make users significantly more vulnerable. Instead, it makes Windows more vulnerable to users.
Hacking your own machine sounds laughable. But as long as vendors restrict usage, we need to keep reminding them that DRM is a fool's quest.
If that's so then I imagine it would be a protection from this, assuming Windows is assiduous about checking those files' checksums. It's implied in the article that it is not, but I'm not sure if the exploit was tested against a system with a TPM.
No kidding!!! What do you say at this point?
So these guys came up with a bootloader that screws with its child process (the OS), and they're calling that an exploit ? I guess "grub" would be considered an exploit too, by their chicken-little standards.
These two Kumar clowns are really just shills for Trusted Computing, fear-mongering in exchange for a little kickback from the related fascist orgs.
-Billco, Fnarg.com
This article is nonsense.
Yes, why? Makes me wonder why I'm reading this :(
No one will want or remember how to hack this old one...
I'll be safe in my cubie now.
Maybe someone can shed some more light on this, but I'd imagine this could be used to insert your own kernel-mode code, without the kernel detecting it. So how hard would it be to patch ati's driver to dump every frame to the hard drive, without any of their shit detecting you (since you already own kernel mode). You'd be able to dump the video off bluray/wmv easily (although you would just have video, none of the extra features/java menus). I'd imagine that ati's driver isn't obfuscated. The path between user space (Win dvd) and the kernel is obfuscated, and the path between kernel mode/ram and the pci card/pci bus is encrypted, but at some point in the kernel its going to be decrypted and easily accessible. Anyone able to share their thoughts on this?
Would someone really so smart please take proper control of Windows 7's development?
That would be of greatest help!
Actually, I read the summary over and over, and I didn't see anything about linux or unix. I read again, and didn't see any microsoft bashing, either.
What makes you think someone made a claim about Linux or Unix, or that someone bashed Microsoft? You might as well say, "I'm as anti-octopus as the rest of you, but are you all seriously claiming Jupiter orbits Venus?" and it wouldn't be any less of a non sequitur.
Given that this appears to be loaded via internal optical drive, I'm not completely understanding why this is such a threat. Discounting the fact mentioned by many others that if you're physically compromised you're already hosed (they can pull the hard drive, etc.), all BIOS renditions I've ever seen allow you to select which device the machine first uses to boot. So, set it to your hard drive. Machine boots from hard drive, doesn't boot from bad CD/DVD. Password protecting your BIOS access (which many, if not most, offer) prevents malicious user from setting the machine back to CD/DVD boot. Some BIOS flavors allow you to turn off CD/DVD boot all together, even.
End of "problem".
I mean really-- This is so simple I fear I must be missing something about this story... ?
"the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected."
So this is basically great if you want to break into your girlfriend's laptop to check her email?
Can someone knowledgeable explain why this is news?
1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765
Relax Luther, it's much worse than you think. The only certified technician has to pass a series of security scans. First one is voice activated. Then, he has to put in a 6 digit code. That only gets him into the outer room. In order to get in the vault, he first has to pass a retina scan. Then, the door will unlock by only by two electronic keycards, which we won't have. In the vault, there are three security sensors that will activate at anytime the technician is out of the room. First is voice sensitive, anything above a whisper, will set it off. The second one senses the temperature even the body heat of an unauthorized person in the room can set it off if the temperature rises by a single degree. The temperature is controlled by an air duct system 30 feet above the floor. The vent is guarded by a laser net. The third one is on the floor, and it's pressure sensitive. Just the slightest increase in weight will set it off. If any of these 3 sensors are set off will trigger an automatic lockdown. Let me tell you, gentlemen, that all three systems, are state of the art.
you posted it because you were pissed about the Intel CPU hack for Linux that allows one to compromise ALL virtual machines on that server.
I would say, if you have physical access to my VMs' host and you can't "hack" a rootkit into a VM, that you, sir, suck.
Or the attacker just needs to distribute a warez copy of Windows 7 with the exploit code slipstreamed... Oh the irony!
How did a boot-sector virus work?
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
If someone has physical control of the machine, all bets are off.
Ah, apparently you've never heard of Phil Zimmerman or have ever seen a James Bond movie, have you?
Point here is there is quite a bit that has and can be done even at the physical layer. Drive Encryption (PGP) is but one option, and given the track record of PGP, I'd say a pretty damn good one. TrueCrypt is a great free alternative too.
And I for one am glad this was posted. Just helps enlighten everyone on the importance of good security practice regardless of how shiny and new the OS is.
There are no foolproof Operating Systems out there, just fools who think there are.
...it's called a "locked room" with "security cameras". Deny physical access = deny VBootkit 2.0. "Design problem" solved.
No. It CAN'T be done remotely, as is mentioned below the exploit is done by patching startup files in RAM as the machine boots.
There is no way to do this other than through a boot-CD... (or some other type of boot-able physically attached storage medium)
This should allow bypassing *some* of the Windows7 DRM features since it seems to be a way around part of the "trusted computing chain".
Your 'i' key is broken. ;-)
If "Step 1" of your method of taking control of someone else's computer is "Gain physical access to the hardware," there's no reason for you to even talk about it.
With physical access to any standard desktop machine, you can easily get into Windows, Linux, or Mac OS. This comes in very handy with an IT environment where there is no central authentication server of sorts, or when people bring PC's to your computer shop with forgotten passwords. I'm not sure about Mac OS, but for Windows or Linux, if you don't want their password changed... just back up the file before you change it, then copy it back when you're done. Encrypted hard drives is a different ballpark though... never messed with those.
If you are able to gain access to the iLO card on an HP server that is remote... one can mount ISOs and remote console etc. Don't need to be in front of the machine at all.
Don't install it.
Geeze, these guys really are on the mainstream conference circuit
This is a rather stupid article. You can boot ANY computer with a Linux live CD and take control of someones computer and/or access unencrypted files/folders. Fail..
Sounds like the attack could be used to subvert just about any operating system if it can modify files as the OS is booting.
Try leaving a bootable CD in a BitLockered system. Vista won't boot with it in the drive. BitLocker is pretty tough.
Thank you. That saved me reading the article. Nowadays, when in a hurry, I read Slashdot comments backwards :) Saves me reading the initial thread (which always becomes too long) and the funny comments.
If I have the machine in my hands I can do worse things than corrupt the boot process. I can take the damn hard drive out and do whatever the hell I want with it. Not much of a hack.
They are spread through ... wait for it ... the use of infected removable media which requires physical access to the machine.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
I used to hack Linux boxes thanks to a flaw in Lilo back in the day. You could locally get root with a 1 line command through the bootloader. It freaked the hell out of this one CS professor I had...good times.
I can think of several ways around the PoC's physical-access requirement. If the boot loader can be modified by malware, then the malware can drop the necessary code into the boot loader and force a reboot of the machine. If the BIOS is in flash and can be modified, then malware can re-flash the BIOS to include the necessary code. And I'm remembering an old BIOS soft-boot option that did not clear RAM before rebooting, leaving a way for malware to leave parts of itself in memory across a reboot. I'm not too worried about anything that requires physical access, but this thing looks like it could be extended to not require physical access as long as there's another vector available to bootstrap the infection through.
I'd note that it's not just Windows 7 that's vulnerable to this, any OS is theoretically vulnerable to in-memory patching during the boot process. But OSes other than Windows have far fewer other vectors available to bootstrap the initial infection through, so would be harder to attack this way.
One could still see some uses for this. For example, consider some BIOS-based infection. While it theoretically could do a lot of harm, in practice it is going to be really hard to implement a lot of things from the BIOS. So why not infect the OS itself on every boot? In principle no new capabilities in theory, but it might still be a really convenient vector for an attack.
One might also use this to hack systems that one nominally has physical access to but no actual control. For example, if some future Xbox 420 is running a Windows 7 kernel, maybe you could use this as a way to bust in to the locked down device in a generic way.
Some drink at the fountain of knowledge. Others just gargle.
Because you are troll hating Microsoft
"The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot"
'The latest version of VBootkit includes the ability to remotely control the victim's computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected'
I thought BitLocker was supposed to defend against such exploits if the boot sequence was altered?
BitLocker plus TPM plus PIN should stop this attack, as the system takes "measurements" (SHA hashes) of each boot component before running it, starting from the BIOS. These measurements are passed to the TPM, which releases the disk encryption keys only if all measurements are correct. If someone modifies a boot file, then the boot fails.
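The measured-boot argument in the comment above, as an added model that is not code from the thread, from Microsoft or from the VBootkit authors: every boot stage is hashed into a PCR register before it runs, the volume key is sealed to the resulting PCR value plus a PIN, and the key is only released when the measured chain matches. The boot images, PIN, key-wrapping scheme and "key_check" value are constructed simplifications of what a TPM and BitLocker actually do.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed stand-ins for the components a TPM-aware loader measures, in boot
# order. These are NOT real firmware or Windows images; any bytes would do.
CLEAN_CHAIN: List[Tuple[str, bytes]] = [
    ("bios",    b"constructed firmware image"),
    ("mbr",     b"constructed master boot record"),
    ("bootmgr", b"constructed boot manager"),
    ("winload", b"constructed OS loader"),
]

PCR_SIZE = 20        # TPM 1.2 PCRs are SHA-1 sized and start at all zeros after reset
KDF_ITERATIONS = 10_000  # kept small so the demo runs quickly


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = SHA-1(old PCR || measurement).
    A PCR can only be extended, never written, so the final value depends on
    every measured component AND on the order in which they were measured."""
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot(chain: List[Tuple[str, bytes]]) -> bytes:
    """Each stage hashes the next component into the PCR before handing over control."""
    pcr = bytes(PCR_SIZE)
    for _, image in chain:
        pcr = extend(pcr, hashlib.sha1(image).digest())
    return pcr


def seal_key(volume_key: bytes, golden_pcr: bytes, pin: str) -> dict:
    """Seal the volume key to the golden PCR value plus a user PIN (TPM+PIN mode).
    Simplified model: the key is XOR-wrapped with a PBKDF2 output derived from the
    PIN and the PCR; a real TPM keeps the key on-chip and does the compare itself."""
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), golden_pcr,
                                  KDF_ITERATIONS, dklen=len(volume_key))
    return {
        "expected_pcr": golden_pcr,
        "wrapped_key": bytes(a ^ b for a, b in zip(volume_key, pin_key)),
        "key_check": hashlib.sha256(b"check" + volume_key).digest(),  # detects a wrong PIN
    }


def unseal_key(blob: dict, runtime_pcr: bytes, pin: str) -> Optional[bytes]:
    """Release the key only if the measured boot matches the sealed policy and the PIN is right."""
    if not hmac.compare_digest(blob["expected_pcr"], runtime_pcr):
        return None  # a boot component was modified, added or reordered
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), runtime_pcr,
                                  KDF_ITERATIONS, dklen=len(blob["wrapped_key"]))
    candidate = bytes(a ^ b for a, b in zip(blob["wrapped_key"], pin_key))
    if not hmac.compare_digest(hashlib.sha256(b"check" + candidate).digest(), blob["key_check"]):
        return None  # wrong PIN
    return candidate


def tamper(chain: List[Tuple[str, bytes]], name: str, new_image: bytes) -> List[Tuple[str, bytes]]:
    """Copy of the chain with one component replaced, as an on-disk boot patch would do."""
    return [(n, new_image if n == name else img) for n, img in chain]


def simulate(chain: List[Tuple[str, bytes]], blob: dict, pin: str) -> Optional[bytes]:
    return unseal_key(blob, measure_boot(chain), pin)


def demo() -> dict:
    """Seal a constructed volume key to the clean chain and try four boot scenarios."""
    volume_key = hashlib.sha256(b"constructed volume master key").digest()
    blob = seal_key(volume_key, measure_boot(CLEAN_CHAIN), pin="1234")
    extra_stage = [("cdrom", b"constructed removable boot media")] + CLEAN_CHAIN
    return {
        "clean":            simulate(CLEAN_CHAIN, blob, "1234") == volume_key,
        "modified_bootmgr": simulate(tamper(CLEAN_CHAIN, "bootmgr", b"altered boot manager"), blob, "1234"),
        "extra_stage":      simulate(extra_stage, blob, "1234"),
        "wrong_pin":        simulate(CLEAN_CHAIN, blob, "0000"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:18s} key released: {result is not None and result is not False}")
```

Only the untouched chain with the right PIN yields the key; a replaced stage, an extra stage booted first, or a wrong PIN all withhold it. The model says nothing about code that tampers with memory after the measured stages have run, which is the part of the thread still under debate.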
Remotely control the machine once the rootkit is in place, yes, but it can't remotely install itself. The process requires booting off of a CD to modify the contents of the RAM while the OS is booting. So, if you disable booting from CD in the BIOS and require a supervisor password, then problem solved.
If some idiot runs an executable for you, you might as well have physical access to the machine.
Call me when it gets OVER 9000 Mhz
From an interview with authors:
http://www.securityfocus.com/columnists/442/2
"How can an attacker deploy it?
Nitin & Vipin: An attacker doesn't need to install, that's the way it has been designed. Just boot the system by placing the vbootkit media (containing vbootkit in bootsectors) in the drive, and start booting. After Vista boots, you can verify that you are running vbootkit, by checking the privilege of any running cmd.exe, the sample converts all low-privileged cmd.exe process to SYSTEM privileges. It also supports system compromise via PXE booting.
It doesn't need any privileges only physical access to the machine. It can also be installed to a remote system under some conditions (without physical access)."
I like to use a mouse.
I haven't had to look into how to do so in Vista yet.
by mjm1231 (751545) on Thursday April 23, @03:28PM (#27692705) I know that replacing the SAM file under %windir%\system32\config with a SAM that has no password assigned is a way to blow by the password security in Windows NT variants. SysInternals NT locksmith (or their graphical bootup recovery disk) pretty much do the same thing but make it simpler in that you don't need a bootable Linux or DOS Operating System to do it from (which also means they would need an ntfs filesystem read/write capable driver also in order to do so). Hope I am correct on this, as it has been years since I read of and tried some of these things.
See subject line & this url http://it.slashdot.org/comments.pl?sid=1198841&cid=27622135 because as you can see at that url? He is just a noob that operates only on the surface of things, but has little to no understanding of what is really going on in Windows (or any other Operating System).