From: Jan Rutkowski (jkrutkowski_at_ELKA.PW.EDU.PL)
Date: Fri Jan 03 2003 - 13:06:20 CST
Another Way To Bypass
Pedestal Software Integrity Protection Driver
Jan K. Rutkowski
IPD is an Open Source program to protect Windows 2000 kernel integrity.
Check the following page for more info:
To prevent malicious modules from being loaded into the kernel, IPD (among
other things) protects the WINNT/system32/drivers directory, so that it is
impossible to modify any file contained in it. This is achieved by hooking
the kernel's ZwCreateFile() and ZwOpenFile() functions and checking the
requested file path using a string comparison.
However, using the NtCreateSymbolicLinkObject() function, an attacker can fool
IPD. She has to create a symbolic link in the "\??" object directory that
points to "\??\c:\winnt\system32\drivers". The attacker is then able to access
the drivers directory through the new symbolic link, and this is not blocked by
An attacker must find an entry in HKLM/SYSTEM/CurrentControlSet/Services
that describes some driver which is not loaded at the moment. There are
several such entries on a default Windows 2000 installation, e.g. IpNat,
which describes the ipnat.sys driver.
Then the attacker issues the following command:
$ subst x: c:\winnt\system32\drivers
Now she is able to replace c:\winnt\system32\drivers\ipnat.sys with a
module of her choice, bypassing IPD's protection of the DRIVERS directory:
$ copy badmodule.sys x:\ipnat.sys
After this, she can load her driver into the kernel:
$ net start ipnat
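The weakness above is that the hook compares the path string the caller supplied rather than the object the path resolves to, so any alias of the drivers directory (a subst drive or a symbolic link in "\??") slips past it. The following PowerShell script is an added detection example, not part of the advisory or of IPD: it enumerates every drive-letter entry in the DOS device namespace with QueryDosDevice and flags entries whose target is a Win32 path ("\??\...") that either lies inside the protected drivers directory or is one of its parents (a drive aliased to C:\winnt would also expose system32\drivers underneath it). The function name Find-DriverDirAliases and the default protected path are assumptions for this example; real volumes resolve to "\Device\HarddiskVolumeN" and are not flagged.

```powershell
# Added example (not IPD code): list drive letters that alias the protected
# drivers directory. subst drives and NtCreateSymbolicLinkObject links both
# appear in the \?? namespace with a "\??\<win32 path>" target.

$signature = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
$k32 = Add-Type -MemberDefinition $signature -Name 'DosDev' -Namespace 'IpdCheck' -PassThru

function Get-DosDeviceTarget {
    param([string]$DeviceName)
    $buf = New-Object System.Text.StringBuilder 1024
    $len = $k32::QueryDosDevice($DeviceName, $buf, [uint32]$buf.Capacity)
    if ($len -eq 0) { return $null }           # no such device (unused letter)
    # The buffer is a NUL-separated list; the first entry is the current target.
    return $buf.ToString().Split([char]0)[0]
}

function Find-DriverDirAliases {
    param(
        # Directory IPD protects; default follows the advisory's Windows 2000 layout.
        [string]$ProtectedDir = (Join-Path $env:SystemRoot 'system32\drivers')
    )
    $protected = $ProtectedDir.TrimEnd('\')
    foreach ($code in 65..90) {                # drive letters A: .. Z:
        $name   = "$([char]$code):"
        $target = Get-DosDeviceTarget $name
        if (-not $target) { continue }
        if ($target -notlike '\??\*') { continue }   # real volume, network redirector, etc.
        $aliasPath = $target.Substring(4).TrimEnd('\')
        # Either direction is a problem: the alias points into the protected
        # tree, or it points at a parent from which the tree is reachable.
        $insideProtected = $aliasPath -like "$protected*"
        $parentOfProtected = $protected -like "$aliasPath*"
        if ($insideProtected -or $parentOfProtected) {
            [pscustomobject]@{
                Drive  = $name
                Target = $target
                Note   = if ($insideProtected) { 'alias inside protected drivers directory' }
                         else { 'alias of a parent of the protected drivers directory' }
            }
        }
    }
}

Find-DriverDirAliases | Format-Table -AutoSize
```

Run it in a console on the machine being checked; an empty result means no drive letter currently aliases the drivers tree. It covers only drive-letter entries, which is what subst creates and what the advisory's scenario uses; a link with an arbitrary name in "\??" would need the same resolution applied to a full directory listing of the object namespace.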
Solution and Patch
Pedestal Software released a new version (1.4) which fixes the
vulnerability. See the IPD homepage.
The idea behind the fix is simple: at startup IPD opens each driver file and
locks it, so Windows does not allow these files to be deleted or overwritten. Nice.
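The fix works because Windows enforces sharing modes per open handle, regardless of which path was used to reach the file: a file held open without write or delete sharing cannot be overwritten or deleted through the real path, a subst drive, or a symbolic link. The PowerShell below is an added user-mode illustration of that property, not the IPD 1.4 implementation (which does this inside the kernel). It opens every file in the drivers directory for read with FileShare.Read, keeps the handles in an array, and then spot-checks that a write open on one of the locked files fails with a sharing violation. Lock-DriverFiles, Test-WriteDenied and the default directory are names and assumptions chosen for this example.

```powershell
# Added example (not IPD code): hold read handles on every driver file with a
# share mode that refuses write and delete access from any other opener.

function Lock-DriverFiles {
    param([string]$DriverDir = (Join-Path $env:SystemRoot 'system32\drivers'))
    $handles = @()
    foreach ($file in Get-ChildItem -Path $DriverDir -File) {
        try {
            # FileShare.Read: other handles may read, but may not write or delete.
            $handles += [System.IO.File]::Open($file.FullName,
                            [System.IO.FileMode]::Open,
                            [System.IO.FileAccess]::Read,
                            [System.IO.FileShare]::Read)
        } catch {
            Write-Warning "Could not lock $($file.FullName): $($_.Exception.Message)"
        }
    }
    return $handles
}

function Test-WriteDenied {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Write,
                                     [System.IO.FileShare]::None)
        $fs.Dispose()
        return $false                        # write open succeeded: not locked
    } catch [System.UnauthorizedAccessException] {
        Write-Warning "ACL denied write on $Path; this is not the sharing lock"
        return $null
    } catch [System.IO.IOException] {
        return $true                         # sharing violation: lock holds
    }
}

$locks = Lock-DriverFiles
try {
    $driverDir = Join-Path $env:SystemRoot 'system32\drivers'
    $sample = (Get-ChildItem -Path $driverDir -File | Select-Object -First 1).FullName
    # Expected $true while $locks are held; the same check through an alias
    # path (e.g. a subst drive) gives the same answer, since the lock is on the file.
    "$sample write denied: $(Test-WriteDenied $sample)"
} finally {
    $locks | ForEach-Object { $_.Dispose() }   # release the locks
}
```

Two caveats a practitioner would weigh before relying on this pattern: handles held by a user-mode process disappear when that process exits or is terminated, which is why the real fix lives in the driver, and while the locks are held legitimate driver updates also fail, so a protection product needs a deliberate path for releasing them during maintenance.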