Comments on: Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops

By: Old Click » First cracks appear in Windows RT's locked-down desktop

Old Click » First cracks appear in Windows RT's locked-down desktop — Tue, 08 Jan 2013 19:01:46 +0000

[...] such smirch was documented by Google-employed certainty researcher Mateusz “j00ru” Jurczyk in Nov 2011. Certain [...]

By: Circumventing Windows RT’s Code Integrity Mechanism « On the Surface of Security

Sun, 06 Jan 2013 02:09:35 +0000

[...] j00ru//vx tech blog: Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops [2] Visual Studio 2012 Remote Tools [3] Using the complete Windows API in store apps (mamaich at [...]

By: Yuhong Bao

Yuhong Bao — Tue, 11 Dec 2012 04:06:53 +0000

“Perhaps it’s the largest source of local and remote vulnerabilities in the Windows kernel ever.”
The funny thing is when NT 4.0 was released back in 1996, WinFrame already existed based on NT 3.51 with *per-session* CSRSS, but NT4 TSE was not released until 1998.

By: Defeating Windows Driver Signature Enforcement #3: The Ultimate Encounter | j00ru//vx tech blog

Mon, 10 Dec 2012 09:04:13 +0000

[...] with the OS in the default configuration to trigger Blue Screens of Death from user-mode, and implementing a complete bypass of the functionality by using a design flaw in how the CSRSS subsystem interacts with the win32k.sys kernel module, I am [...]

By: marsh mellow

marsh mellow — Thu, 15 Nov 2012 18:13:06 +0000

Well the sipset from ObDereferenceObject fail to match a nice msdn page.

Why put disassembly thats incomplete when people can read plain english.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff557724(v=vs.85).aspx

By: hello

hello — Thu, 15 Nov 2012 13:45:30 +0000

I mean when I exploit success(aka. nt!g_cienabled has been set to 0), then when I load a unsigned driver, the “Program Compatibility Assistant” dialog appear and says “Windows requires a digitally signed driver…”, of course the driver loaded successfully. but I don’t want the PCA dialog show.

By: j00ru

j00ru — Thu, 15 Nov 2012 12:43:44 +0000

@marsh mellow: really, I think it’s pretty clear what the listing shows (four breaks in random intervals during the process of decrementing the value by one 256 times) based on the context, and let’s stop there.

By: marsh mellow

marsh mellow — Thu, 15 Nov 2012 12:38:09 +0000

“None of the other readers complained” … well im not complaining im just highlighting the fastforward assumption without details.

I understand you might not want people to recreate it right off the shelf, but if i read something that disclose and issue why not detail it correctly.

And last time i tried to compile imagination, i couldn’t, lack of memory.

By: j00ru

j00ru — Thu, 15 Nov 2012 11:06:23 +0000

@tobi: erm… I don’t think scanning through W2k kernel sources is by any means legal unless you’re a Microsoft employee. Anyway, it’s true that win32k.sys is intensely messy and there’s a lot of fishy action going on there. Perhaps it’s the largest source of local and remote vulnerabilities in the Windows kernel ever. Looking forward to your reporting some of them ;)

@omeg: hehe ;-)

@marsh mellow: maybe it’s high time to get some imagination? None of the other readers complained.

@hello: not sure if I understand correctly, but I assume that you’re referring to the ability to load unsigned drivers while the system is in debug mode (i.e. with windbg attached remotely). Have you tried loading a driver with remote debugging disabled?

By: hello

hello — Thu, 15 Nov 2012 10:53:15 +0000

when load driver,the Program Compatibility Assistant dialog show,but the driver has loaded success. So why the PCA dialog show and how to fuck this?