Another Way To Bypass Pedestal Software Integrity Protection Driver ('subst' vulnerability)

Jan K. Rutkowski
jkrutkowski@elka.pw.edu.pl

About IPD
----------
IPD is an Open Source program to protect Windows 2000 kernel integrity. Check the following page for more info:
http://pedestalsoftware.com/intact/ipd/

The Bug
--------
In order to prevent loading malicious modules into the kernel, IPD (among other things) protects the WINNT/system32/drivers directory, so that it is impossible to modify any file contained in it. This is achieved by hooking the kernel's ZwCreateFile() and ZwOpenFile() functions and checking the file path using string comparison.

However, using the NtCreateSymbolicLinkObject() function, an attacker can cheat IPD. She has to create a symbolic link in the "\??" object directory which points to "\??\c:\winnt\system32\drivers". The attacker is now able to access the drivers directory through the new symbolic link, and this is not blocked by IPD...

Proof-Of-Concept
-----------------
An attacker must find an entry in HKLM/SYSTEM/CurrentControlSet/Services that describes some driver which is not loaded at the moment. There are several such entries on a default Windows 2000 installation, e.g. IpNat, which describes the ipnat.sys driver.

Then the attacker issues the following command:

$ subst x: c:\winnt\system32\drivers

Now she is able to replace c:\winnt\system32\drivers\ipnat.sys with a module of her choice, bypassing IPD's protection of the DRIVERS directory:

$ copy badmodule.sys x:\ipnat.sys

After this, she can insert her driver into the kernel:

$ net start ipnat

Solution and Patch
-------------------
Pedestal Software released a new version (1.4) which fixes the vulnerability. See the IPD homepage.

The idea of the solution is simple: on start, IPD opens each driver file and locks it, so Windows doesn't allow these files to be deleted or overwritten. Nice.
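The weak point described above is that the path check compares the caller-supplied string, not the object the string resolves to. The following is an added example, not IPD's code or the author's, that models the "\??" object directory as a constructed symbolic-link table and places a prefix-comparison check beside one that resolves links first; the link names, the "\Device\HarddiskVolume1" target and the protected path are assumed values for illustration, and the actual 1.4 fix (holding the driver files open) is a different mitigation than the one shown here.

```python
# Added example: naive string-prefix path check vs. a link-resolving check.
# The link table and device name below are constructed for illustration.
from typing import Dict

# Directory the hook is meant to guard (assumed spelling of the NT path).
PROTECTED = r"\??\C:\WINNT\SYSTEM32\DRIVERS"

# Constructed stand-in for the "\??" object directory. The second entry is
# what a "subst x: c:\winnt\system32\drivers" would add.
SYMLINKS: Dict[str, str] = {
    r"\??\C:": r"\Device\HarddiskVolume1",
    r"\??\X:": r"\??\C:\WINNT\SYSTEM32\DRIVERS",
}


def naive_is_protected(path: str) -> bool:
    """Check of the kind the advisory describes: compare the text of the
    supplied path against the protected prefix, case-insensitively."""
    return path.upper().startswith(PROTECTED.upper())


def canonicalize(path: str, links: Dict[str, str], max_hops: int = 32) -> str:
    """Follow leading symbolic links until none applies. Longest link name
    wins so "\\??\\C:\\FOO" would beat "\\??\\C:"; a hop limit stops cycles."""
    cur = path.upper()
    ordered = sorted(links.items(), key=lambda kv: -len(kv[0]))
    for _ in range(max_hops):
        for name, target in ordered:
            name_u = name.upper()
            # Match only on a component boundary, not "\??\C:X".
            if cur == name_u or cur.startswith(name_u + "\\"):
                cur = target.upper() + cur[len(name_u):]
                break
        else:
            return cur
    raise ValueError("symbolic link chain too long (possible cycle)")


def hardened_is_protected(path: str, links: Dict[str, str]) -> bool:
    """Resolve both the supplied path and the guarded directory to their
    device-relative form before comparing, so an alias cannot slip past."""
    target = canonicalize(path, links)
    root = canonicalize(PROTECTED, links)
    return target == root or target.startswith(root + "\\")
```

Run against the constructed table, the naive check accepts "\??\X:\ipnat.sys" as unprotected while the resolving check maps it onto the guarded directory.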