Bugtraq mailing list archives

WinRoute Pro and Memory Protection


From: Peter Miller <pcmiller61 () YAHOO COM>
Date: Sat, 30 Dec 2000 21:18:32 +0200

Message Type: Informational

Risk: Low

Software: WinRoute Pro v4.1 all current builds.
          Other versions of WinRoute may also be affected but I have not
          confirmed this.

Platform: Windows 2000

Description:
I have discovered that the WinRoute installer disables memory write
protection under Windows 2000. WinRoute refuses to run if memory write
protection is enabled. Memory write protection enabled is the default for
Windows 2000.

The registry key affected is:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection

Disabling memory write protection can indirectly affect the stability and
security of the machine. Malicious software such as viruses will find it
easier to corrupt the system or hijack system processes. Buggy software will
crash the system more easily. A hacker may be able to use this information
to more easily penetrate a WinRoute firewalled system.

Tiny Software initially denied that they were disabling memory write
protection. After many email messages and sending them a sample capture
taken using regmon they have changed their tune. The current story is that
WinRoute needs to shim the operating system to be able to intercept
networking functionality at a low enough level to ensure security.

Below I quote their final message on the topic:

---

From: "Richard Gabriel" <richard () tinysoftware com>
To: "Peter Miller" <pcmiller61 () hotmail com>
Subject: WinRoute - memory protection in W2K

Hi Peter,

Excuse me again. I needed to ask the whole development team to get the
following information:

WinRoute low-level driver (wrdrv.vxd / wrdrv.sys) needs to modify some
system data structures that pertain to other modules (and are read-only by
default). If "EnforceWriteProtection" would be set to "1" during this
action, Windows would throw an exception...
So it is required to turn off the Write Protection (this is done by the
Setup program).
At the boot time, WinRoute driver checks this value and if it's not equal to
"0", it doesn't try to "hook" system services (this would cause a system
crash) and exits - that means the driver doesn't load correctly and thus
WinRoute cannot start.

As you probably know, Microsoft doesn't provide Windows source code and some
other information to us. To implement the low-level features and ensure the
full security and NAT functionality, we need to "hack" the kernel and
include our own drivers. This is impossible with WriteProtection enabled.


Regards,
Richard

---

I would welcome comment on this issue. Surely there is a better way of doing
things than disabling memory write protection?

What I like least about the whole situation is that nowhere in their
documentation does it warn you that WinRoute disables memory write
protection. Another example of security through obscurity?

Regards
Peter
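
Added example, not part of the original post or of WinRoute: a PowerShell audit of the EnforceWriteProtection value named above, for checking whether an installer has switched it off. It assumes a Windows host with PowerShell 3 or later; the function name and the driver location under System32\drivers are assumptions made for illustration.

```powershell
# Added example (not from the original post). Reads the registry value the
# post names and notes whether the WinRoute driver file is present.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName = 'EnforceWriteProtection'
# Assumption: the driver named in the quoted reply sits in the standard drivers directory.
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\wrdrv.sys'

function Get-WriteProtectionAudit {
    param(
        [string]$Path   = $KeyPath,
        [string]$Name   = $ValueName,
        [string]$Driver = $DriverPath
    )

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    # RegistryKey.GetValue returns the supplied default ($null) when the value is absent.
    $raw = $key.GetValue($Name, $null)

    if ($null -eq $raw) {
        $state = 'NotSet'        # no explicit value; the OS default applies
    } elseif ($raw -eq 0) {
        $state = 'Disabled'      # the setting the post says the installer writes
    } elseif ($raw -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Unexpected'    # anything other than 0 or 1 deserves a manual look
    }

    $driverPresent = Test-Path -LiteralPath $Driver
    $note = 'No action needed.'
    if ($state -eq 'Disabled' -and $driverPresent) {
        $note = 'Write protection is off and wrdrv.sys is present; matches the behaviour described in the post.'
    } elseif ($state -eq 'Disabled') {
        $note = 'Write protection is off; identify which software changed it.'
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        RawValue      = $raw
        State         = $state
        DriverPresent = $driverPresent
        Note          = $note
    }
}

Get-WriteProtectionAudit | Format-List
```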