
(English) Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops

This post is not available in Polish!

{ 10 } Comments

  1. tobi | 10-lis-12 at 15:34:52 | Permalink

    Yeah I enjoyed this post.

    Although this is a mostly uninteresting kind of exploit, I feel that Windows contains tons of places where one could elevate from standard user to system using similar techniques.

    When I scanned the leaked W2k kernel sources I really noticed a lot of unvalidated user-mode arguments and mutation of shared, unsynchronized state. I think it is (or was) a mess.

  2. omeg | 14-lis-12 at 06:34:54 | Permalink

    Ah, the memories! ;)

  3. marsh mellow | 14-lis-12 at 21:27:31 | Permalink

    The nature of memory operations performed by the ObfDereferenceRoutine routine upon an object is fairly straight-forward:

    1. .text:0045447C lea esi, [ebx-18h] ; ebx = object
    2. [...]
    3. .text:00454499 or edi, 0FFFFFFFFh
    4. .text:0045449C lock xadd [esi], edi

    Maybe I am utterly rusted, but it takes a lot of imagination to go from printout 1 to 4 and assume
    that the function automatically decrements the value by “256” as stated.

    As your trace shows:

    1ff
    1f8 delta: 7
    12f delta: 201
    0ff delta: 48
    000 delta: 255

    Obviously there might be other arcana left to the readers to find,
    but if that’s the case why don’t you wait for disclosure to actually publish?

  4. hello | 15-lis-12 at 03:53:15 | Permalink

    When loading the driver, the Program Compatibility Assistant dialog shows, but the driver has loaded successfully. So why does the PCA dialog show and how to fuck this?

  5. j00ru | 15-lis-12 at 04:06:23 | Permalink

    @tobi: erm… I don’t think scanning through W2k kernel sources is by any means legal unless you’re a Microsoft employee. Anyway, it’s true that win32k.sys is intensely messy and there’s a lot of fishy action going on there. Perhaps it’s the largest source of local and remote vulnerabilities in the Windows kernel ever. Looking forward to your reporting some of them ;)

    @omeg: hehe ;-)

    @marsh mellow: maybe it’s high time to get some imagination? None of the other readers complained.

    @hello: not sure if I understand correctly, but I assume that you’re referring to the ability to load unsigned drivers while the system is in debug mode (i.e. with windbg attached remotely). Have you tried loading a driver with remote debugging disabled?

  6. marsh mellow | 15-lis-12 at 05:38:09 | Permalink

    “None of the other readers complained” … well I’m not complaining, I’m just highlighting the fast-forward assumption without details.

    I understand you might not want people to recreate it right off the shelf, but if I read something that discloses an issue, why not detail it correctly?

    And the last time I tried to compile imagination, I couldn’t: lack of memory.

  7. j00ru | 15-lis-12 at 05:43:44 | Permalink

    @marsh mellow: really, I think it’s pretty clear what the listing shows (four breaks in random intervals during the process of decrementing the value by one 256 times) based on the context, and let’s stop there.

  8. hello | 15-lis-12 at 06:45:30 | Permalink

    I mean when the exploit succeeds (i.e. nt!g_cienabled has been set to 0), then when I load an unsigned driver, the “Program Compatibility Assistant” dialog appears and says “Windows requires a digitally signed driver…”; of course the driver loaded successfully, but I don’t want the PCA dialog to show.

  9. marsh mellow | 15-lis-12 at 11:13:06 | Permalink

    Well, the snippet from ObDereferenceObject fails to match a nice MSDN page.

    Why put disassembly that’s incomplete when people can read plain English?

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff557724(v=vs.85).aspx

  10. Yuhong Bao | 10-gru-12 at 21:06:53 | Permalink

    “Perhaps it’s the largest source of local and remote vulnerabilities in the Windows kernel ever.”
    The funny thing is when NT 4.0 was released back in 1996, WinFrame already existed based on NT 3.51 with *per-session* CSRSS, but NT4 TSE was not released until 1998.
