
Ring-0 Access

  • 19-12-2001 1:13pm
    #1
    Closed Accounts Posts: 1,567 ✭✭✭


    Hi.
    I've been reading some articles lately that describe ways of taking control over any NT workstation with a few lines of code.
    The techniques used have been known for quite some time, as far back as the NT 3.5 release. It is due to a flaw in the NT kernel which allows any user to execute code which would normally require certain privileges.
    This gives any user with executable access on the system ownership of it... essentially.
    It's not known yet if the code will work on Win2k, but again, it's been said that it's possible.
    One way on NT, which has been in practice for many years on Win9x by Virus writers, is modifying the IDT (Interrupt Descriptor Table).
    That is one way which works similar to how programmers could modify the IVT (Interrupt Vector Table) in MS-DOS with INT 21h function 25h.
    When you modify the IVT in MS-DOS, you get the old interrupt vector address with function 35h, save it so that it can be replaced later. Then replace it using 25h, pointing to your routine/code. Although MS-DOS was always in Ring-0, it doesn't seem to matter on Windows that a normal user has Ring-3 access, you can still modify the IDT and execute privileged code.
    I/O instructions for example would normally require administrator access on NT.
    Maybe you all know about this already, but I haven't read anywhere on any forums about this security flaw.
    Here's a link to what I was reading.

    http://www.sonic.net/~undoc/ntcallgate.html

    Anyone know anything about this feature?
    29a virus writers have said this time last year they were studying ways of gaining Ring-0 access on NT systems. Perhaps they will produce some working examples soon...
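    The call-gate route behind the ntcallgate link above relies on a descriptor in the GDT that ring-3 code may call to land in ring-0 code, so the defensive check an administrator would want is to look for exactly that descriptor pattern. This added example (not code from the thread or from the linked article) parses a constructed GDT image and flags DPL-3 call gates whose target code segment runs at DPL 0; on a live system the bytes would have to be read by a kernel-mode tool or a debugger, which the example assumes rather than implements.

```c
/* Audit a GDT image for call gates that let ring-3 callers enter ring-0 code.
 * Added example; the GDT bytes below are constructed, not read from a live system. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DESC_PRESENT(b5) (((b5) >> 7) & 1)
#define DESC_DPL(b5)     (((b5) >> 5) & 3)
#define DESC_SYSTEM(b5)  ((((b5) >> 4) & 1) == 0)   /* S bit clear = system descriptor (gate) */
#define DESC_TYPE(b5)    ((b5) & 0x0F)
#define GATE_CALL32      0x0C                        /* 32-bit call gate type */

/* DPL of the present code segment a selector names, or -1 if it is not one. */
static int code_segment_dpl(const uint8_t *gdt, size_t len, uint16_t sel)
{
    size_t off = sel & ~7u;                          /* strip RPL and TI bits */
    if (off + 8 > len) return -1;
    uint8_t b5 = gdt[off + 5];
    if (!DESC_PRESENT(b5) || DESC_SYSTEM(b5) || !(DESC_TYPE(b5) & 0x08))
        return -1;                                   /* type bit 3 set = code segment */
    return DESC_DPL(b5);
}

/* Writes byte offsets of user-callable (DPL 3) call gates that target ring-0
 * code into out[] (up to max_out) and returns how many were found in total. */
int audit_gdt(const uint8_t *gdt, size_t len, uint16_t *out, int max_out)
{
    int found = 0;
    for (size_t off = 8; off + 8 <= len; off += 8) { /* entry 0 is the null descriptor */
        uint8_t b5 = gdt[off + 5];
        if (!DESC_PRESENT(b5) || !DESC_SYSTEM(b5) || DESC_TYPE(b5) != GATE_CALL32)
            continue;
        uint16_t target = (uint16_t)(gdt[off + 2] | (gdt[off + 3] << 8));
        if (DESC_DPL(b5) == 3 && code_segment_dpl(gdt, len, target) == 0) {
            if (found < max_out) out[found] = (uint16_t)off;
            found++;
        }
    }
    return found;
}

/* Offset of the first flagged gate, or -1 when the image is clean. */
int first_bad_gate(const uint8_t *gdt, size_t len)
{
    uint16_t s;
    return audit_gdt(gdt, len, &s, 1) ? (int)s : -1;
}

/* Constructed image: null, ring-0 code (0x08), ring-3 code (0x10), DPL3 gate -> 0x08
 * (offset 0x18, the pattern to flag), DPL0 gate -> 0x08 (0x20), DPL3 gate -> 0x10 (0x28). */
const uint8_t sample_gdt[48] = {
    0,0,0,0,0,0,0,0,  0xFF,0xFF,0,0,0,0x9A,0xCF,0,  0xFF,0xFF,0,0,0,0xFA,0xCF,0,
    0x34,0x12,0x08,0,0,0xEC,0,0x80,  0x34,0x12,0x08,0,0,0x8C,0,0x80,  0x34,0x12,0x10,0,0,0xEC,0,0x80,
};

int main(void)
{
    printf("user-reachable ring-0 call gates: %d (first at GDT offset 0x%x)\n",
           audit_gdt(sample_gdt, sizeof sample_gdt, NULL, 0), first_bad_gate(sample_gdt, sizeof sample_gdt));
    return 0;
}
```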


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Here is a virus which also demonstrates the problem on NT operating systems.

    http://www.coderz.net/29a/29a-5/29a-5.501

    I thought that this problem would have interested people a lot more than it seems to have, mainly administrators of NT systems, simply because it doesn't seem well documented and seems very easily done.
    I mean, how could anyone take NT seriously as a protected mode operating system with this problem existing?


  • Closed Accounts Posts: 1,341 ✭✭✭Koopa


    interesting


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Hey Joe.

    This is certainly interesting stuff, but where do you see the security implication? You say that "any user" can do this in NT, but the instructions say that installing the driver requires admin privileges to begin with ...

    To clarify what I mean, this would obviously be a great way of subverting the NT kernel, but I'm not sure that I'd call it a weakness as such (any more than LKMs are a weakness of various unix kernels).


  • Closed Accounts Posts: 1,341 ✭✭✭Koopa


    Currently the function which is called through callgate has a restriction that it can not access any paged data. Therefore one needs to lock the data and code which is executed at ring 0 using VirtualLock. How to overcome this limitation will be described in our forthcoming book.

    Isn't this the reason they give why you have to install it as admin?
    I don't know what paged data is... is it just memory that is in use by a program, or something else?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Installing any device driver should require admin privileges.

    In this context, 'paged data' probably means memory that has been paged out to disk (as in, virtual memory).


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Okay, I'm still reading about all this and yes, ok, it would require administrator access to install the device driver for the example to work.
    Although I was going to say a lot, seeing as I'm still learning about all this, I'll withdraw my comments and shut up for now, simply because I wouldn't be able to explain properly what I've read so far.
    I do however understand the problem within the NT kernel, I also acknowledge that exploiting the flaw on NT in protected mode would be difficult, under some circumstances.
    The flaw is easily exploited on Win9x, but you know how it is.
    Also, on installing Virtual Device Drivers, there is an undocumented call on Win9x systems that doesn't require any installation of any files, perhaps these sort of surprises are effective in NT too.

    http://www.coderz.net/29a/29a-3/29A-3.2_5


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Flaws in Win 9x are one thing, it doesn't claim to have anything in the way of a security model, but NT is a different kettle of fish. An administrator _should_ be able to install device drivers, which should mediate access from userland processes to privileged parts of the kernel, hardware, etc.

    Perhaps you can disable this behaviour in the kernel as you can with certain versions of unix, (or maybe not), but I still don't see how this is unexpected or undesirable behaviour ...


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Well, like I said, I'm not gonna talk about it like an eckspert. *wee joke* :)
    But, yeah, I would have to agree with you and say it's not that important, and doesn't really indicate undesirable operation of the system.
    It's not something to immediately worry about, I would imagine.
    But I mean, nobody really knows the internals of the NT Operating System except for the people that designed it and so I think it would be arrogant to dismiss the ideas of people who have been hacking it for so long. The same people who are also adamant it's possible to jump from "user mode" to "supervisor mode" on ix86 in Windows using some code, or at least want it that way.
    They aren't kids, and I doubt all of them talk nonsense.
    Yes, it can be done on Windows9x easily, and so, who knows, what next?
    Never say never, someone will always want to prove you wrong.
    I'm only discussing what they've said, I honestly can say I'm baffled and confused by some of the terminology and technical terms used when reading these articles.
    I can't say "I know enough about it and know its possible" or "not possible" yet.
    There's a lot to learn and there seems to be a lot of determined individuals out there willing to prove this problem on NT and I wouldn't underestimate them just yet.
    Perhaps Microsoft have dealt with these problems in Win2k, I don't know.
    But if nothing comes of the problem within the year, I'll be convinced it's not possible.

