Dailydave mailing list archives

Re: Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB.


From: "Dave Korn" <dave.korn () artimi com>
Date: Thu, 26 Apr 2007 22:22:33 +0100

On 26 April 2007 21:09, Ed wrote:

> On Thursday 26 April 2007 20:45, Dave Korn wrote:
>> Code download page: http://www.nvlabs.in/?q=node/14
>
> The source code you have analyzed is not what we are talking about in the
> interview.

  Ah, I must admit to not having realized that.  However, I will point out
that what they describe in their paper and presentation is the exact same
method: hook int 13h at startup, patch each stage as it loads.  The advanced
(privilege escalation) version on that page does the
raise-cmd.exe-every-30-seconds trick in the exact same way.

  I'd also like to point out that their code is buggy.  They copy the token
pointer from one _EPROCESS to another.  They don't call
ObReferenceObjectByPointer.  Guess what?  As soon as you exit that cmd.exe, it
will dereference the token once.  That's the system process' token, that is.
Open another cmd.exe, wait 30 seconds for it to be elevated, close it again -
the system process loses one more reference count on its token.  Do it enough
times, the reference count will fall to zero, the object manager will
deallocate the system process' token, but the pointer will still be there in
the system process' _EPROCESS block.  I reckon you'd probably BSoD within
milliseconds, but maybe it might last for a while - until the page gets
swapped out or deallocated, or something overwrites it...

  I will concede that they've done at least some genuine work in reversing the
integrity checks in the loader, but that's fairly routine stuff; bypassing a
check by altering the test in a branch instruction is pretty trivial, it's
about on the level of finding an infinite lives poke in a computer game.

> They have not shared the code for Vista version, but as far as I
> know none of the attendees of their recent talks at BlackHat and HITB found
> anything "already seen".
>
> http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Kumar
> http://conference.hitb.org/hitbsecconf2007dubai/?page_id=116

  That is pretty remarkable.  I would have expected somebody to say something
during the q'n'a session that most talks have at the end, if only to ask them
"In what way does your technique *differ* from BootRoot?"

  Were you there yourself?  Is there any online video or audio of their
session?  It's not like we would necessarily have heard if one of the
attendees did find they'd already seen it.

> P.S. This is not a tactic to force them to make their source code public,
> right?

  Well, no, it's no tactic; I really thought that was the source they're
referring to, and since the source they /are/ referring to does exactly the
same things by using exactly the same techniques, I think it's reasonable to
infer that they've probably got most of the same code in the vista version.

  My only intention was to call them out on their plagiarism.  They crudely
hacked about and ported eEye's code and didn't credit them.  They've plugged
in new payloads, but swapping one shellcode for another isn't news.

  The fact that the code that they /have/ chosen to release demonstrates a
very poor understanding of kernel coding, and the fact that there's stuff in
their code that they don't know why it's there or what it's for, makes me
doubt they have anything extraordinary that they aren't showing us.


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
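The reference-count argument in the mail above, as an added user-mode simulation that is not part of the original post or of the code it discusses: a constructed token object with a refcount, a process struct that holds a pointer to it, and a loop of cmd.exe lifetimes that copy the pointer either raw or with a reference taken. All names (`token_reference`, `process_exit`, `simulate`) are assumptions standing in for the ObReferenceObjectByPointer / ObDereferenceObject behaviour the mail refers to, not Windows kernel APIs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a reference-counted kernel object (the token). */
struct token {
    long refcount;
    int freed;   /* set once the "object manager" has deallocated it */
    int uaf;     /* set if anything touches it after that point */
};

/* Constructed stand-in for the _EPROCESS field that points at the token. */
struct process { struct token *token; };

static int last_freed, last_uaf;   /* results of the most recent simulate() */

/* ObReferenceObjectByPointer analogue: every new holder must call this. */
static void token_reference(struct token *t) { t->refcount++; }

/* ObDereferenceObject analogue: the last release frees the object. */
static void token_dereference(struct token *t) {
    if (t->freed) { t->uaf = 1; return; }   /* dangling pointer being used */
    if (--t->refcount == 0) t->freed = 1;
}

/* Process exit drops the reference the kernel assumes this process holds. */
static void process_exit(struct process *p) { token_dereference(p->token); }

/* Run `cycles` elevated-cmd.exe lifetimes against a system token that starts
 * with `initial_refs` holders. take_reference == 0 copies the pointer raw
 * (the bug described in the mail); 1 takes a reference for the copy.
 * Returns the system token's final refcount (see last_freed / last_uaf). */
static long simulate(int take_reference, long initial_refs, int cycles) {
    struct token *tok = calloc(1, sizeof *tok);
    if (!tok) return -1;
    tok->refcount = initial_refs;
    struct process sys = { tok };
    for (int i = 0; i < cycles; i++) {
        struct process cmd = { sys.token };   /* pointer copied into cmd's block */
        if (take_reference) token_reference(cmd.token);
        process_exit(&cmd);                   /* cmd.exe exits: one dereference */
    }
    long remaining = tok->refcount;
    last_freed = tok->freed;
    last_uaf = tok->uaf;
    free(tok);
    return remaining;
}
static int system_token_freed(void) { return last_freed; }
static int system_token_uaf(void) { return last_uaf; }
```

With three initial holders and three raw copies the count reaches zero and the simulated object is freed while the system process still points at it; with the reference taken the count is unchanged.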

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

