Once again security researcher Joanna Rutkowska took the stage at Black Hat, and once again she set out to prove in glorious detail how to exploit and attack Microsoft Windows Vista.
Rutkowska blew the lid off last year’s Black Hat event with her landmark presentation ahead of the official Vista release where she demonstrated a virtualized rootkit called Blue Pill that took control over a Vista machine.
This year she brought a new pill and a few more tricks to take Vista to task.
“I’m going to talk about Vista kernel protection and why it doesn’t work,” Rutkowska boldly declared to the overflow crowd.
She then read a quote from Microsoft’s Vista documentation that stated that even users with admin privileges cannot load unsigned kernel-mode code on the system. Then she smiled mischievously.
“There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem,” Rutkowska said.
She then displayed two examples, both from video drivers companies, to prove her point. In her view both the ATI Catalyst driver and the NVIDIA nTune Driver are bad in that they could be used as an attack vector to circumvent Vista kernel protection.
With the NVIDIA driver, Rutkowska alleged that the driver was able to read and write registers without any additional checks.
“The whole problem in NVIDIA is that the driver doesn’t do the proper checks and can do a write for an arbitrary registry.”
To add further insult to injury, the target machine doesn’t even need to have the bad driver on the system in order for the attacker to use it as an attack vector.
“The attacker could just include it as part of their own rootkit and then use it to exploit Vista,” Rutkowska said. “It doesn’t matter whether it’s a popular driver or not. We can bring it to the target system and exploit it.”
If having a bad third-party driver wasn’t bad enough, Rutkowska explained that an attacker could make their own buggy driver to use for an attack. According to her, Microsoft doesn’t require developers to submit their drivers to Microsoft for signing.
To prove her point, Rutkowska said she went to Microsoft partner site globalsign to get a driver certificate that cost $250.
“We can now sign whatever we want,” Rutkowska declared. “No one can prove that I intentionally built a bug.”
She said that she could just put the driver on her site and then anyone could use it to bundle with a rootkit and then exploit Vista. “But I don’t have to do this cause we have dozens of public drivers to exploit already.”
Then there is Blue Pill, the virtualized rootkit Rutkowska first unleashed to the world at last year’s Black Hat. That pill apparently has lost some of its efficacy and, as such, Rutkowska designed a new Blue Pill from scratch in May.
The new Blue Pill uses a para-virtualized layer and provides a thin hypervisor to control the operating system. Though some other research has argued that there are ways to detect and stop Blue Pill, Rutkowska disagreed and explained why in a great degree of technical detail.
“Disabling virtualization is like saying, ‘Disable your network card to defend against network attacks,'” Rutkowska smirked.
The new Blue Pill also supports nested virtual malware machine so one or more could run inside of another making it even more difficult to stop and or prevent.
The cause for all that Rutkowska found to be exploitable with Vista isn’t because of her pill, or so she alleged.
“Blue Pill is not a bug; it’s a design problem.”
Microsoft, Windows Vista, Black Hat 2007, BlackHat 2007, Exploits, Attacks, Intrusions, Vista exploits, Vista Vulnerabilities, Security Conference, Events, Conferences