Subject: WinRoute Pro and Memory Protection
From: Peter Miller (pcmiller61 YAHOO.COM)
Date: Tue Jan 02 2001 - 15:07:26 CST
Message Type: Informational
Risk: Low
Software: WinRoute Pro v4.1 all current builds.
Other versions of WinRoute may also be affected but I have not
confirmed this.
Platform: Windows 2000
Description:
I have discovered that the WinRoute installer disables memory write
protection under Windows 2000. WinRoute refuses to run if memory write
protection is enabled. Memory write protection enabled is the default for
Windows 2000.
The registry key affected is:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection
Disabling memory write protection can indirectly affect the stability and
security of the machine. Malicious software such as viruses will find it
easier to corrupt the system or hijack system processes. Buggy software will
crash the system more easily. A hacker may be able to use this information
to more easily penetrate a WinRoute firewalled system.
Tiny Software initially denied that they were disabling memory write
protection. After many email messages and sending them a sample capture
taken using regmon they have changed their tune. The current story is that
WinRoute needs to shim the operating system to be able to intercept
networking functionality at a low enough level to ensure security.
Below I quote their last message on the topic:
---
From: "Richard Gabriel" <richard tinysoftware.com>
To: "Peter Miller" <pcmiller61 hotmail.com>
Subject: WinRoute - memory protection in W2K
Hi Peter,
excuse me again. I needed to ask whole the development team to get the following information:
WinRoute low-level driver (wrdrv.vxd / wrdrv.sys) needs to modify some system data structures that pertain to another modules (and are read-only by default). If "EnforceWriteProtection" would be set to "1" during this action, Windows would throw an exception... So it is required to turn off the Write Protection (this is done by the Setup program). At the boot time, WinRoute driver checks this value and if it's not equal to "0", it doesn't try to "hook" system services (this would cause a system crash) and exits - that means the driver doesn't load correctly and though WinRoute cannot start.
As you probably know, Microsoft doesn't provide Windows source code and some other information to us. To implement the low-level features and ensure the full security and NAT functionality, we need to "hack" the kernel and include our own drivers. This is impossible with WriteProtection enabled.
Regards, Richard
---
I would welcome comment on this issue. Surely there is a better way of doing things than disabling memory write protection?
What I like least about the whole situation is that nowhere in their documentation does it warn you that WinRoute disables memory write protection. Another example of security through obscurity?
Regards Peter
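A defender's check for the registry value named in the post above, added here as an example; it is not part of the original message and is not WinRoute or Tiny Software code. The key path, value name and driver file name come from the post; the function name, the state labels and the driver directory (`System32\drivers`) are assumptions.

```powershell
# Added example: audit the EnforceWriteProtection value described in the post.
# Key path, value name and driver file name are taken from the post.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName = 'EnforceWriteProtection'
# Assumption: the driver is installed in the standard drivers directory.
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\wrdrv.sys'

# Hypothetical helper: returns one object describing the current setting.
function Get-WriteProtectionState {
    param(
        [string]$Path   = $KeyPath,
        [string]$Name   = $ValueName,
        [string]$Driver = $DriverPath
    )

    $raw = $null
    if (-not (Test-Path -LiteralPath $Path)) {
        $state = 'KeyMissing'
    }
    else {
        # RegistryKey.GetValue returns the supplied default ($null) when the
        # value does not exist, so an absent value does not raise an error.
        $raw = (Get-Item -LiteralPath $Path).GetValue($Name, $null)
        if ($null -eq $raw)  { $state = 'NotSet' }
        elseif ($raw -eq 0)  { $state = 'Disabled' }
        elseif ($raw -eq 1)  { $state = 'Enabled' }
        else                 { $state = 'Unexpected' }
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        State         = $state
        RawValue      = $raw
        DriverPresent = (Test-Path -LiteralPath $Driver)
    }
}

$result = Get-WriteProtectionState
$result | Format-List

# Flag the condition the post describes: protection explicitly turned off.
if ($result.State -eq 'Disabled') {
    Write-Warning "$ValueName is 0 on $($result.Computer); kernel memory write protection has been turned off."
    if ($result.DriverPresent) {
        Write-Warning "wrdrv.sys is present, consistent with the installer behaviour reported in the post."
    }
}
```

The object returned by `Get-WriteProtectionState` can be collected from several machines and filtered on `State` to find hosts where the setting was changed.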