Slashdot Mirror


Researchers Show How To Take Control of Windows 7

alphadogg writes "Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday. Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. 'There's no fix for this. It cannot be fixed. It's a design problem,' Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack can not be done remotely." Which makes me wonder why I'm posting this :)

59 of 325 comments

  1. Physical Security is a big issue by mc1138 · · Score: 3, Insightful

    We hear about it all the time, laptops being stolen, left out, all with tons of sensitive data. Combine this with a lot of companies having very poor physical security this could be more than something to just write off.

    1. Re:Physical Security is a big issue by xmarkd400x · · Score: 2, Insightful

      Your "problem" has already been solved. Encrypt the hard drive. Companies don't care about losing sensitive data other than the monetary and reputation loss. If you lose a hard drive with private info on it, you only have to report a "breach" if it's encrypted.

      Somebody with physical access can just use a boot CD and do what they want anyways.

    2. Re:Physical Security is a big issue by Lovedumplingx · · Score: 2, Interesting

      I was thinking that same thing.

      Sure it's not really much of a problem for the home user but for the businessman/government worker who travels and leaves his laptop or has it stolen this means that the data on that machine will be compromised.

    3. Re:Physical Security is a big issue by seanellis · · Score: 2, Interesting

      Given your mention of encryption-cracking clusters, I would be remiss not to post this XKCD comic in response.

    4. Re:Physical Security is a big issue by mhall119 · · Score: 3, Insightful

      Even if you're using Windows to encrypt your hard drive, this exploit might still be effective. From the very few details in the article, it modified the Windows boot files in memory while it's booting. If they can do that, then they just wait for you to log in and decrypt your hard drive, and their tainted processes have access to all your data.

      --
      http://www.mhall119.com
    5. Re:Physical Security is a big issue by afidel · · Score: 2, Interesting

      The only way to inject code during boot if you are using bitlocker would be to use a DMA controller to do the injection. Firewire ports are one of the few devices commonly found in a PC with a DMA controller that can be used in this manner.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:Physical Security is a big issue by imemyself · · Score: 2, Interesting

      If you're using full disk encryption with BitLocker or TrueCrypt or something then I doubt this would be effective. With both BitLocker and TrueCrypt, the only things that can be loaded without decrypting the drive is the bootloader/BitLocker/TrueCrypt software that prompts for the password or key. Unless someone has found a vulnerability in the actual encryption software that's used, I don't think it would be vulnerable in that way.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    7. Re:Physical Security is a big issue by mhall119 · · Score: 2, Informative

      From what I've read, it verifies that the BIOS and MBR are untouched, but I haven't read that it checks what is in RAM. This exploit modified what is in RAM only.

      --
      http://www.mhall119.com
  2. Physical access = root by Anonymous Coward · · Score: 2, Insightful

    If you got physical access already, it shouldn't be a surprise you can root the box.

    1. Re:Physical access = root by paroneayea · · Score: 3, Insightful

      Linux boxes are rootable. They *should* be rootable. The only time they aren't are when you don't have control any more (because of DRM & etc). But then they are only Linux in as much as the Kernel goes, not as much as the kind of Linux that Linux users advocate. I've recovered a broken plenty of times by popping in a boot cd and chrooting it.

      The only time a system can be protected from this type of stuff is if it's encrypted. But then again, that's only protecting someone from accessing information you want to keep private, not protecting from reinstalling your operating system.

      --
      http://mediagoblin.org/
    2. Re:Physical access = root by blackest_k · · Score: 2, Interesting

      The only time a system can be protected from this type of stuff is if it's encrypted. But then again, that's only protecting someone from accessing information you want to keep private, not protecting from reinstalling your operating system.

      funny how this kind of thing comes up at an appropriate moment ubuntu 9.04 on a fresh install asks do you want to encrypt your home directory and it will be seamlessly decrypted when you use it.

      I thought about this, then decided against it, the risk of losing everything due to having it in an encrypted home folder outweighs the risk of my data being readable by someone having physical access to the machine. on the other hand having everything easily readable also doesn't appeal either so I compromised and decided to use ubuntu's built in encryption for files to protect the important but replaceable stuff.

  3. Yes, why post this? by Control-Z · · Score: 4, Insightful

    If someone has physical control of the machine, all bets are off.

    1. Re:Yes, why post this? by MyDixieWrecked · · Score: 4, Interesting

      In today's Virtual world, physical access to the machine doesn't mean meatspace access. My company and several of my friend's companies are looking into virtualized desktops by using small desktop boxes and low-end PCs to connect to PCs in the datacenter over either RDP or other proprietary protocols.

      With the proliferation of cloud-based applications, it's only a matter of time before someone offers a browser-based virtual desktop in the cloud. Once someone hacks into some server up there, they have physical access to the machines for all intents and purposes.

      This is a very interesting threat from a virtual infrastructure security standpoint.

      --
      ...spike
      Ewwwwww, coconut...
    2. Re:Yes, why post this? by Lord+Ender · · Score: 5, Insightful

      Some disk encryption solutions, such as Checkpoint, rely on windows authentication to decrypt the disk. If this can be bypassed easily, it makes this disk encryption worthless.

      It was obvious to crypto pros that it is theoretically worthless, but this is a practical attack against it.

      Real disk encryption DOES protect the machine even with physical access. But "enterprise" software companies like Checkpoint sell snake-oil encryption quite well because engineers can "prove" it's flawed to management without a working exploit.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:Yes, why post this? by greenguy · · Score: 4, Funny

      OK, they're claiming that if they have physical access, they can take control while it boots.

      Sounds like they simply waited for it to finish booting. Ta-dah! They have control of it!

      --
      What if I do the same thing, and I do get different results?
    4. Re:Yes, why post this? by YesIAmAScript · · Score: 2, Insightful

      If you think accessing a machine through a browser is the same as having physical access "for all intents and purposes", then you aren't actually considering nearly enough intents and purposes.

      You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

      --
      http://lkml.org/lkml/2005/8/20/95
    5. Re:Yes, why post this? by vux984 · · Score: 2, Informative

      You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

      You are thinking at the wrong level. You can't do that from inside the -guest-. But you CAN do it from the -host-. And you -can- potentially access the -host- remotely. After all, vmware server 2's administration for example is web based...

      So if you hire some company to allocate you a VM and you run Windows 7 on it. And I can get remote control of the HOST, I now effectively have physical access to YOUR Windows 7 VM. Including 'inserting a disk' (by mapping your CDrom to an iso image) as it boots, in order to use this physical-access exploit.

    6. Re:Yes, why post this? by Matheus · · Score: 2, Insightful

      Not that I really like cheering for M$ BUT what I take away from this article is that if these people are resorting to "physical-access" attacks to break Windows7 then maybe it has a chance of being a decently secure OS.

      I can always hope :)

  4. Who cares? by Sj0 · · Score: 4, Insightful

    Rule 1 of computers is, if someone has physical access to your machine, it has already been compromised. I always design my security around this fact, and if a machine needs to be secure against attack, it will be physically secure.

    --
    It's been a long time.
  5. To recap... by xmarkd400x · · Score: 2, Funny

    You need full, physical control of a computer running Windows 7 in order to get software access to it?

  6. A hack! by Anonymous Coward · · Score: 5, Insightful

    This is barely a hack. I can steal any car in the world. Give me the keys, some gas, and park it in my drive way. Watch me steal it with ease! HA!

  7. Boot from Live CD? by neilobremski · · Score: 5, Insightful

    If you boot from a Live CD, since you have physical access to the machine, isn't it essentially the same thing? I'm confused about how this is a vulnerability.

    --
    -- NeilO
    1. Re:Boot from Live CD? by rantingkitten · · Score: 2, Interesting

      I don't think their point was really about being able to control a machine to which you have physical access, because as you pointed out there are any number of ways to do that, on any operating system. But this is a little different -- you're not bypassing the OS somehow (as you would with a live CD, bootable USB, or whatever). Here, you're actually accessing boot files, which you shouldn't be able to do, and exploiting that. Also, they're pointing out that Microsoft makes idiotic assumptions -- like the one where the boot process itself is immune to attack. It's a dangerous and stupid assumption to make, and because of that, it looks like it was easy to take advantage of.

      Anyone have a writeup of the actual exploit? I checked nvlabs and the hackinthebox conference site and didn't see anything.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    2. Re:Boot from Live CD? by Alsee · · Score: 3, Informative

      It's a 'vulnerability' in the sense that the idiots at Microsoft came up with this Trusted Computing notion that the computer is supposed to be secured against the owner.

      Trusted Computing, Digital Rights Management, the new Windows model for the operating system, it is considered a 'vulnerability' if the owner is able to take control of his own computer. Of course the Trusted Computing party line, and the way this article was written, is to call this anti-owner system a "security" system and to spin any attack on it as evil, but as virtually everyone here has already commented, this issue is about 'attacking' and gaining control over a computer you already physically control. And in general what 'attacker' already has physical control of the computer? The owner. An owner-attacker who wants to control his own computer, and override DRM or Trusted Computing lockouts against the owner. The entire new Windows driver model is that the owner is forbidden to run unapproved drivers, because such drivers could be used to break DRM or gain control of other Trusted Windows systems. If/when Windows does permit you to run unapproved drivers, it dumps you down into an unTrusted unprivileged state. As I recall, Windows Vista even locks you out of the entire Aero mode Aero interface if you try to load an unapproved driver.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    3. Re:Boot from Live CD? by Ironica · · Score: 2, Informative

      If they did secure it, you can get the same end result WITHOUT HACKING it.

      No, you can't.

      The end result of this attack is a machine which is booted from the regular hard drive, in the user's usual account... but is *remotely* accessible.

      So, in your typical office environment with fairly pathetic physical security, you could slip in at 5:00 a.m., boot someone's computer with this doohickey, then leave. When they get to work in the morning, they think "Huh, thought I shut my machine down last night... oh well" and go on about their day. You capture every username and password they type, all the data they access... everything they do.

      It's a niche exploit, but it's not *totally* useless.

      --
      Don't you wish your girlfriend was a geek like me?
  8. Critical information missing by drsmithy · · Score: 3, Insightful

    There's a rather important aspect of this that's not discussed - how does this code get onto the computer in the first place to be executed during boot ?

    1. Re:Critical information missing by Sockatume · · Score: 2, Insightful

      A bootable CD-ROM that then boots the OS while performing the in-memory patching required to make the machine vulnerable.

      --
      No kidding!!! What do you say at this point?
    2. Re:Critical information missing by amliebsch · · Score: 3, Interesting

      Another important piece of missing information: was BitLocker turned on? Did this defeat the full-disk encryption? THAT would be a story. Otherwise, BFD.

      --
      If you don't know where you are going, you will wind up somewhere else.
    3. Re:Critical information missing by Sicarul · · Score: 2, Insightful

      If that's the case then it's as vulnerable as it would be if you let it boot any LiveCD, if booting from CD is disabled in the BIOS and it is protected by password this flaw isn't applicable... It isn't a serious flaw, how did this get to be a top story??

  9. sheeeet, negro. that's all you had to say! by gandhi_2 · · Score: 5, Funny

    This is contrasted with Mac OSX which uses a combination of Gracie-style Brazilian Jiu Jitsu, Hapkido, and oratorical prowess to keep would-be haxors at bay while the police are enroute. Or the Linux lack of social skills which avoids "physical access" altogether.

    1. Re:sheeeet, negro. that's all you had to say! by RoboRay · · Score: 2, Funny

      Are you kidding? All I need to hack your system is a razor blade and a roll of masking tape!

  10. Re:I cannot believe it... by gnick · · Score: 5, Insightful

    OK, I'm not a Mac guy so I can say nothing about it. I've also not used Windows 7.

    But, really. If you give me physical access to damned near any Windows or Linux machine, it's owned. And there are a lot of people out there a helluva lot better than me.

    Sure, I won't be able to crack your encrypted archives. Nor your well-protected stored passwords. But hacking root/admin with physical access to the box isn't rocket science. Actually, it's much tougher with Vista than any Linux distro I've run into.

    --
    He's getting rather old, but he's a good mouse.
  11. Mindless bashing by Anonymous Coward · · Score: 2, Insightful

    I'm as anti-microsoft as the rest of you (at least the intelligent folk), but are you all seriously claiming that linux or unix distros are immune to tampering with the boot partition?

    I would assume the only way to be immune against this type of attack would be encrypting the system partition, and a "bootkit" as they seem to be calling it that is aware of encryption may even be able to deal with that.

    What's the story here again? That booting into a secondary OS gives you full control of data on an unencrypted hard drive?

  12. Re:YOU weren't posting, ken dawson was by VisualD · · Score: 3, Funny

    Also restarts kill it. This is Windows we're talking about here...

  13. Re:YOU weren't posting, ken dawson was by bennomatic · · Score: 2, Insightful

    I was going to say... if you have physical access, you can take out the hard drive, put it in another box, muck around with the data in any way you want and put it back. I'm an Apple fanboi at heart, but, geeze, this seems like a big, honkin' "What-ever!" to me.

    --
    The CB App. What's your 20?
  14. Attack requires editing RAM contents during boot by Sockatume · · Score: 5, Informative

    The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot. The attacker loads an app from a CD-ROM which then itself executes the normal Windows boot process while aggressively patching software in memory. This also isn't a windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.

    --
    No kidding!!! What do you say at this point?
  15. For a smart guy, dumb statement by furby076 · · Score: 2, Insightful

    'There's no fix for this. It cannot be fixed. It's a design problem,

    There is always a fix. Every vulnerability is a "design problem". Sometimes the code to fix it is a separate app (e.g. firewall, virus protection), and sometimes it requires modification to the code. There is always a fix in software - it's just a matter of making it.

    This guy stating there is no fix, it can't be fixed is making statements about as dumb as those who say their favorite OS (e.g. OS X) is immune from any virus/worms/hacks.

    --

    I do not support "The Man". I also do not support your irrational stupidity
    1. Re:For a smart guy, dumb statement by JasterBobaMereel · · Score: 2, Insightful

      He is right there is no fix .... however the workarounds are pretty good ...

      If you are booting, then load the boot software at a random location, like they do with other programs once the system is running, and this hack will be *much* more difficult

      It's just that, as he says, Windows 7 assumes that during the boot process no user program can change things and it has complete control....

      If you are running in a virtual machine you *never* have complete control and so this will always work on any OS, but you can make it difficult ....

      --
      Puteulanus fenestra mortis
  16. Misleading title by tuxgeek · · Score: 2, Insightful

    At first glance at the thread title, my first thought was pop a Linux CD into the drive and reboot
    Voila no more Win7

    --
    "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
  17. Re:Attack requires editing RAM contents during boo by rs232 · · Score: 4, Interesting

    "The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot"

    'The latest version of VBootkit includes the ability to remotely control the victim's computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected'

    I thought BitLocker was supposed to defend against such exploits if the boot sequence was altered?

    --
    davecb5620@gmail.com
  18. Re:Attack requires editing RAM contents during boo by vux984 · · Score: 2, Insightful

    This also isn't a windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.

    Even that wouldn't matter, because the first thing I'd in-memory patch is the checksum algorithm to always return 'ok'.

    The only real way to resolve this would be a-la console style 'trusted computing, and digital signatures through the whole bios and bootstrap process'. Of course, even this could be 'hacked' or 'modchipped' but at least it wouldn't be as simple as just putting in a disk.

    There is no security if they have enough physical access.
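
Added example, not part of any comment in this thread and not code from VBootkit or BitLocker: a simplified Python model of the measured-boot idea the comments above discuss, where a disk key is released only if the boot path matches what was recorded. The stage names, image bytes and the `SealedKey` class are constructed for illustration; the extend rule is the TPM 1.2 style SHA-1 hash chain.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length, as used by TPM 1.2 PCRs


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA1(old_pcr || SHA1(component)).

    The register can only be extended, never set, so a stage that runs
    later cannot erase the record of a stage that ran before it.
    """
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def measure_chain(stages) -> bytes:
    """Measure each stage image before it runs; the PCR is zero at reset."""
    pcr = bytes(PCR_SIZE)
    for _name, image in stages:
        pcr = extend(pcr, image)
    return pcr


class SealedKey:
    """Toy model of a secret that is released for one PCR value only."""

    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret = secret
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes):
        if hmac.compare_digest(current_pcr, self._expected):
            return self._secret
        return None  # boot path differs from the one the key was sealed to


# Constructed boot chains (placeholder bytes, not real boot code).
GOOD_CHAIN = [
    ("firmware", b"constructed firmware image"),
    ("boot_sector", b"constructed boot sector"),
    ("boot_manager", b"constructed boot manager"),
]

# Same machine, but another loader from removable media runs first.
EXTRA_MEDIA_CHAIN = [
    GOOD_CHAIN[0],
    ("removable_media_loader", b"constructed loader from other media"),
    GOOD_CHAIN[1],
    GOOD_CHAIN[2],
]

# Same stages, but the boot manager image on disk differs by one byte.
MODIFIED_CHAIN = [
    GOOD_CHAIN[0],
    GOOD_CHAIN[1],
    ("boot_manager", b"constructed boot manageR"),
]

VOLUME_KEY = b"constructed volume key"
SEALED = SealedKey(VOLUME_KEY, measure_chain(GOOD_CHAIN))


def boot_and_unseal(chain, sealed=SEALED):
    """Return the volume key if the measured chain matches, else None."""
    return sealed.unseal(measure_chain(chain))


# Limitation: this models load-time measurement only. Code that is
# changed in RAM after it was measured does not alter the PCR value.

if __name__ == "__main__":
    for label, chain in [("good", GOOD_CHAIN),
                         ("extra media", EXTRA_MEDIA_CHAIN),
                         ("modified", MODIFIED_CHAIN)]:
        result = boot_and_unseal(chain)
        print(f"{label:12s} pcr={measure_chain(chain).hex()} "
              f"key_released={result is not None}")
```
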

  19. Re:I cannot believe it... by MyLongNickName · · Score: 4, Funny

    Hi. I see you are making fun of a "security vulnerability". This vulnerability involves being physically present at a PC and being able to boot it. This is a security vulnerability in the same way that my house is insecure to folks who I invite over for dinner.

    You obviously have no clue, and I would recommend not posting in security vulnerabilities discussions any more.

    kthxbai.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  20. Why you are posting this by DaveV1.0 · · Score: 3, Informative

    Because you are a Microsoft hating troll

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  21. The reason by kenp2002 · · Score: 4, Insightful

    ... the reason you are posting this article is to spread anti-microsoft hate and FUD for no reason.

    Why not post:

    With a gentoo install CD you can gain control of any linux system by overwriting key /etc/ files to give yourself root access unless you use encrypted drives...

    More useless propaganda from an MS-hater. I mean seriously, this is news? Next thing you'll post is the Windows 7 has a horrible exploit that crashes it every time you shoot the PC with a shot gun.

    Don't we have a NO FUD policy for articles?

    "Everyone is entitled to be stupid, but some abuse the privilege", as a result of this abuse, your Stupid License has been suspended for 60 days.

    --
    -=[ Who Is John Galt? ]=-
  22. Re:I cannot believe it... by DavidChristopher · · Score: 5, Insightful

    In the absence of physical security, taking over a vista, linux, mac os x or (insert vendor here) UNIX system is not difficult, providing you know the platform. No, the 'average gramma' can't do it, but most of us most likely can - with not much more than a google search and a quick download.

    I'm not a microsoft (or apple, or linux) fanboi by any means, but a system is only as secure as you actually make it. Disk encryption helps - it's a great idea - so I've honestly never met anyone who's used it.

    While this is certainly an interesting exploit, I doubt highly that many systems will be compromised in the wild with it.

    --
    http://www.bistolas.net
  23. Not necessarily by SpooForBrains · · Score: 4, Interesting

    The standard method of securing the data on your machine, which is what's important, is to encrypt it. So even if someone rips open the box, takes out the disk and puts it in another machine, the data should be safe, assuming the encryption algorithm and the user authentication processes are secure.

    However, if this exploit allows them access to the operating system on the disk, and allows them to subvert the user authentication process to grant themselves access to a user's account, then the data is compromised.

    So this exploit may have an application, not as an attack vector for writing a propagating worm or virus, but as a means to gain access to otherwise secure data.

    --
    "The dew has clearly fallen with a particularly sickening thud this morning"
  24. Re:I cannot believe it... by Sir_Lewk · · Score: 2, Insightful

    much tougher with Vista than any Linux distro I've run into.

    And us linux users consider that a feature.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  25. Missing the point folks... by minsk · · Score: 3, Interesting

    Everyone talking about this being irrelevant is missing the point. This attack does not make users significantly more vulnerable. Instead, it makes Windows more vulnerable to users.

    Hacking your own machine sounds laughable. But as long as vendors restrict usage, we need to keep reminding them that DRM is a fool's quest.

  26. Re:I cannot believe it... by gnick · · Score: 3, Insightful

    Yes - My first system breach (not counting MS systems that were completely unsecured - I mean actually circumventing security) in the wild was back in the early 90's - A university *nix system. The thing that made (makes) *nix such an easy target is that you can actually understand how it works. Windows is full of holes, but it's so frigging weird and hard to wrap your head around the bizarre OS that the casual cracker won't bother learning what's going on. If your only goal is to satisfy some childish desire to breach security and smugly toss your hands in the air and declare yourself an 31337 hacker (as was my case), Linux is the way to go.

    Agreed - Being able to understand your OS is indeed a feature for people living in Linux world.

    --
    He's getting rather old, but he's a good mouse.
  27. Re:I cannot believe it... by perryizgr8 · · Score: 2, Informative

    bios passwords are a joke. on my hp pavilion, if i slide open the side cover and shake up the cell on the mobo, it forgets all bios settings and the password too.

    --
    Wealth is the gift that keeps on giving.
  28. Agent Phil has something to say... by geekmux · · Score: 2, Insightful

    If someone has physical control of the machine, all bets are off.

    Ah, apparently you've never heard of Phil Zimmermann or have ever seen a James Bond movie, have you?

    Point here is there is quite a bit that has and can be done even at the physical layer. Drive Encryption (PGP) is but one option, and given the track record of PGP, I'd say a pretty damn good one. TrueCrypt is a great free alternative too.

    And I for one am glad this was posted. Just helps enlighten everyone on the importance of good security practice regardless of how shiny and new the OS is.

    There are no foolproof Operating Systems out there, just fools who think there are.

  29. Re:YOU weren't posting, ken dawson was by Computershack · · Score: 2, Insightful

    How is it any different to shoving in a Linux Live CD, running BartPE or running Windows setup, doing a repair install and sticking your own account on?

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  30. Re:I cannot believe it... by DMUTPeregrine · · Score: 2, Insightful

    Whereas with Linux you just boot into single user mode & use passwd to set the root password.

    --
    Not a sentence!
  31. Re:I cannot believe it... by SanityInAnarchy · · Score: 5, Informative

    I'll correct you a bit further -- there are different kinds of physical access. For instance, a public computer lab might have machines which have their case locked, both to prevent it from being opened and to prevent it from being locked down, BIOS locked and configured to boot only from hard disk, bootloader locked, etc.

    On such a machine, there's really not a lot you can do to compromise it without some sort of actual software vulnerability or misconfiguration. You might be able to add a physical keylogger -- maybe -- depends how kiosk-ified it is.

    However, this does not appear to be such an attack. Rather, it seems this is an attack which requires you to boot the machine off of some other media. Most machines are wide open to this in many ways -- the more frightening one was PXE; just plug a laptop into the same network and own every machine as it boots.

    But Vista is not unique in this respect, and I cannot imagine how an OS could protect itself against such an attack. And even network boots can be secured, if you can add just a kernel and initrd to local storage.

    --
    Don't thank God, thank a doctor!
  32. Re:I cannot believe it... by tixxit · · Score: 2, Insightful

    Unless, of course, the admin has set the box up to require a password for single user mode as well.

  33. Re:I cannot believe it... by mjeffers · · Score: 2, Informative

    My case came with one of those case locks. The manufacturer forgot to ship the key. Turned out the key to my luggage is about the same size and I was able to get into it in a few minutes. While there are probably more secure solutions than the one on my PC, picking a lock isn't much of a roadblock.

  34. Re:Attack requires editing RAM contents during boo by necrogram · · Score: 2, Informative

    try leaving a bootable cd in a bitlockered system. vista won't boot with it in the drive. bitlocker is pretty tough

  35. Re:YOU weren't posting, ken dawson was by home-electro.com · · Score: 3, Funny

    This is a very old news. A similar article was posted about a year ago. New guy - same shit. The attacker needs a physical access to the PC, which is absolute no-fair. Why the fukc you need to fuss around, when you just can take the whole thing home?

    The same can be said about any OS -- if you are allowed to mess with its files, you can make a rootkit. How dumb does one have to be to make a story out of this nonsense?

    OMG, "There is no fix for this, it is a design problem". You damn right, it is a design problem. IN YOUR HEAD.

  36. It can also be installed without physical access by ens0niq · · Score: 2, Informative

    From an interview with authors:

    http://www.securityfocus.com/columnists/442/2

    "How can an attacker deploy it?

    Nitin & Vipin: An attacker doesn't need to install, that's the way it has been designed. Just boot the system by placing the vbootkit media (containing vbootkit in bootsectors) in the drive, and start booting. After Vista boots, you can verify that you are running vbootkit, by checking the privilege of any running cmd.exe, the sample converts all low-privileged cmd.exe process to SYSTEM privileges. It also supports system compromise via PXE booting.

    It doesn't need any privileges only physical access to the machine. It can also be installed to a remote system under some conditions (without physical access)."