Windows Vista bootloader compromised!

04 April 2007

A presentation at Black Hat Europe 2007 by security researchers from India has blown the security of the Windows Vista bootloader wide open, and compromised the security model of Microsoft's latest operating system at the lowest levels. Vipin and Nitin Kumar of NV Labs figured out how to write what the popular press is calling a 'bootkit' that runs off of a bootable CD or DVD. The bootkit searches the primary drive for a copy of Windows Vista and executes it while making modifications to the code running in memory transparently - because the OS trusts the 'trusted' bootloader implicitly, it doesn't even try to block the modifications as they're made. It does this by using a technique from the days of DOS, by hooking BIOS interrupt INT13, which is used for accessing disks by track and sector. It should be noted that this method is kept around for compatibility's sake in PC hardware, and that it's been replaced by DMA (direct memory access) techniques, which operate at a much faster speed. The code modifications made hijack the security routines in Bootmgr.exe, Winload.exe, and NTOSKrnl.exe as they are pulled into memory, and return values that the OS expects to find when everything is hunky-dory, even though the values do not correspond to the actual state of the executing code.

Interestingly, they worked this method out with one of the final test releases of Vista, though they say that it'll work with production releases. They didn't use the production releases because they were too expensive to purchase... one has to wonder if the cost of Windows Vista (and later editions) is going to put a crimp in the white hat security community's game (though the black hats don't much care about such things).

Among the things that could be accomplished with this technique are sucking DRM-controlled content out of the system after it's been decrypted. Personally, I'm wondering how long it'll be before rootkits and infective agents are developed that insinuate themselves so deeply in the OS that the security measures in the operating system won't even let legitimate scanning software look for them.

One of the things that makes this attack impractical from the outside is that you have to boot off of external media for it to work. One thing I've noticed over the past year or two is that people tend to leave CDs, DVDs, and USB storage devices of all kinds connected to their systems all the time, and sometimes they forget that they're attached when they have to reboot (which doesn't happen as often anymore as people think it does). Modern BIOSes can, in fact, boot off of USB keys - I do it all the time with my Damn Small Linux keys at work. There is an excellent outline of the process here in the documentation, and you can rig up a USB key to boot Windows and DOS with this procedure, so the article in the Microsoft knowledge base isn't accurate anymore.

Or, come to think of it, you can use this utility written by H-P to do the same thing.

What I'm driving at is this: Get a couple of cheap USB keys (Hasufin and I found 32 MB keys at Target for $5us, and you can certainly get them for much less if you hunt), rig them up so that they are bootable, put a bootkit on it (you know that code's going to get out), and scatter them around your target facility. This tactic has worked for pen-testers in the recent past.

Now, let's be fair - it requires users to not only plug those keys in but reboot with them in place, which might not work on its own, but it's a start. It might work better on home users than in a corporate environment, especially if someone gets their hands on a bunch of USB keys that have commercial applications, such as H&R Block's Taxcut software, which you can pick up for a song at any good computer or home electronics store.

Now, you're probably wondering why you couldn't set up a USB key to automatically run an application whenever it's plugged in that forces the machine to reboot, which would logically cause the bootkit to run. The answer is because the autorun functionality of Windows only works on storage devices that the OS thinks are CDs or DVDs. This involves editing the registry, which came up as part of this discussion on the pen-test@securityfocus mailing list earlier this year. I've been working on a way of working around this but haven't finished the proof-of-concept code yet so I don't have any experimental results to post.

Still, this is a major security breakthrough.