Bugtraq mailing list archives
WinRoute Pro and Memory Protection
From: Peter Miller <pcmiller61 () YAHOO COM>
Date: Sat, 30 Dec 2000 21:18:32 +0200
Message Type: Informational Risk: Low Software: WinRoute Pro v4.1 all current builds. Other versions of WinRoute may also be affected but I have not confirmed this. Platform: Windows 2000 Description: I have discovered that the WinRoute installer disables memory write protection under Windows 2000. WinRoute refuses to run if memory write protection is enable. Memory write protection enabled is the default for Windows 2000. The registry key affected is: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection Disabling memory write protection can indirectly affect the stability and security of the machine. Malicious software such as viruses will find it easier to corrupt the system or hijack system processes. Buggy software will crash the system more easily. A hacker may be able to use this information to more easily penetrate a WinRoute firewalled system. Tiny Software initially denied that they were disabling memory write protection. After many email messages and sending them a sample capture taken using regmon they have changed their tune. The current story is that WinRoute needs to shim the operating system to be able to intercept networking functionality at a low enough level to ensure security. Below I quote their final message on the topic: --- From: "Richard Gabriel" <richard () tinysoftware com> To: "Peter Miller" <pcmiller61 () hotmail com> Subject: WinRoute - memory protection in W2K Hi Peter, excuse me again. I needed to ask whole the development team to get the following information: WinRoute low-level driver (wrdrv.vxd / wrdrv.sys) needs to modify some system data structures that pertain to another modules (and are read-only by default). If "EnforceWriteProtection" would be set to "1" during this action, Windows would throw an exception... So it is required to turn off the Write Protection (this is done by the Setup program). At the boot time, WinRoute driver checks this value and if it's not equal to "0", it doesn't try to "hook" system services (this would cause a system crash) and exits - that means the driver doesn't load correctly and though WinRoute cannot start. As you probably know, Microsoft doesn't provide Windows source code and some other information to us. To implement the low-level features and ensure the full security and NAT functionality, we need to "hack" the kernel and include our own drivers. This is impossible with WriteProtection enabled. Regards, Richard --- I would welcome comment on this issue. Surely there is a better way of doing things than disabling memory write protection? What I like least about the whole situation is that nowhere in their documentation does it warn you that WinRoute disables memory write protection. Another example of security through obscurity? Regards Peter _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
Current thread:
- WinRoute Pro and Memory Protection Peter Miller (Jan 02)
- <Possible follow-ups>
- WinRoute Pro and Memory Protection Peter Miller (Jan 10)