Dailydave mailing list archives
Re: Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB.
From: "Dave Korn" <dave.korn () artimi com>
Date: Thu, 26 Apr 2007 22:22:33 +0100
On 26 April 2007 21:09, Ed wrote:
> On Thursday 26 April 2007 20:45, Dave Korn wrote:
>> Code download page: http://www.nvlabs.in/?q=node/14
> The source code you have analyzed is not what we are talking about in the interview.
Ah, I must admit to not having realized that. However, I will point out that what they describe in their paper and presentation is the exact same method: hook int 13h at startup, patch each stage as it loads. The advanced (privilege escalation) version on that page does the raise-cmd.exe-every-30-seconds trick in the exact same way.

I'd also like to point out that their code is buggy. They copy the token pointer from one _EPROCESS to another. They don't call ObReferenceObjectByPointer. Guess what? As soon as you exit that cmd.exe, it will dereference the token once. That's the system process' token, that is. Open another cmd.exe, wait 30 seconds for it to be elevated, close it again - the system process loses one more reference count on its token. Do it enough times, the reference count will fall to zero, the object manager will deallocate the system process' token, but the pointer will still be there in the system process' _EPROCESS block. I reckon you'd probably BSoD within milliseconds, but maybe it might last for a while - until the page gets swapped out or deallocated, or something overwrites it...

I will concede that they've done at least some genuine work in reversing the integrity checks in the loader, but that's fairly routine stuff; bypassing a check by altering the test in a branch instruction is pretty trivial, it's about on the level of finding an infinite lives poke in a computer game.
> They have not shared the code for Vista version, but as far as I know none of the attendees of their recent talks at BlackHat and HITB found anything "already seen".
> http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Kumar
> http://conference.hitb.org/hitbsecconf2007dubai/?page_id=116
That is pretty remarkable. I would have expected somebody to say something during the q'n'a session that most talks have at the end, if only to ask them "In what way does your technique *differ* from BootRoot?" Were you there yourself? Is there any online video or audio of their session? It's not like we would necessarily have heard if one of the attendees did find they'd already seen it.
> P.S. This is not a tactic to force them to make their source code public, right?
Well, no, it's no tactic; I really thought that was the source they're referring to, and since the source they /are/ referring to does exactly the same things by using exactly the same techniques, I think it's reasonable to infer that they've probably got most of the same code in the vista version.

My only intention was to call them out on their plagiarism. They crudely hacked about and ported eEye's code and didn't credit them. They've plugged in new payloads, but swapping one shellcode for another isn't news. The fact that the code that they /have/ chosen to release demonstrates a very poor understanding of kernel coding, and the fact that there's stuff in their code that they don't know why it's there or what it's for, makes me doubt they have anything extraordinary that they aren't showing us.

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
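The reference-count failure Dave describes above (a token pointer copied between _EPROCESS blocks without ObReferenceObjectByPointer, so every exit of an elevated cmd.exe drops one reference the System process still relies on) can be reproduced in a small model. The following is an added example, not code from the thread, from eEye's BootRoot or from the nvlabs download: `token_t`, `eprocess_t`, `ob_reference` and `ob_dereference` are simplified stand-ins for the kernel's token object, `_EPROCESS.Token` and the ObReferenceObjectByPointer/ObDereferenceObject pair, not the real API, and the starting count `SYSTEM_TOKEN_REFS` on the System token is an arbitrary assumption (on a real system it is far larger, which only changes how many cycles the underflow takes). It runs the spawn, elevate, exit cycle with the buggy pointer copy and with a corrected version that takes a reference for the new owner, and reports the donor token's state afterwards.

```c
/* Added example, not code from the thread or from the nvlabs download:
 * a portable C model of the reference-count bug described above.
 * token_t / eprocess_t / ob_reference / ob_dereference are simplified
 * stand-ins for the Windows object manager's token object, _EPROCESS.Token
 * and ObReferenceObjectByPointer / ObDereferenceObject; they are not the
 * real kernel API, and the initial reference count on the System token
 * (SYSTEM_TOKEN_REFS) is an arbitrary assumption. */
#include <stdio.h>

#define SYSTEM_TOKEN_REFS 3   /* assumed starting reference count of the System token */

typedef struct {
    long pointer_count;   /* object-manager style reference count */
    int  freed;           /* set once the count reaches zero */
} token_t;

typedef struct {
    const char *name;
    token_t    *token;    /* models _EPROCESS.Token */
} eprocess_t;

typedef struct {
    long count;           /* System token's count after the run */
    int  freed;           /* 1 if the System token was deallocated */
    int  dangling;        /* 1 if System's _EPROCESS still points at a freed token */
} result_t;

static void ob_reference(token_t *t) { t->pointer_count++; }

static void ob_dereference(token_t *t) {
    if (--t->pointer_count == 0)
        t->freed = 1;     /* the object manager would free the token here */
}

/* Buggy elevation as described in the thread: raw pointer copy, no reference
 * taken on the System token (and the reference on the old token is leaked). */
static void elevate_buggy(eprocess_t *target, const eprocess_t *system) {
    target->token = system->token;
}

/* Corrected elevation: reference the token for its new owner, release the old one. */
static void elevate_fixed(eprocess_t *target, const eprocess_t *system) {
    token_t *old = target->token;
    ob_reference(system->token);
    target->token = system->token;
    ob_dereference(old);
}

/* Process teardown drops the reference held through _EPROCESS.Token. */
static void process_exit(eprocess_t *p) {
    ob_dereference(p->token);
    p->token = NULL;
}

/* Spawn cmd.exe, elevate it, close it, n times; report the System token's state. */
static result_t run_cycles(int n, int fixed) {
    token_t    system_token = { SYSTEM_TOKEN_REFS, 0 };
    eprocess_t system       = { "System", &system_token };
    for (int i = 0; i < n; i++) {
        token_t    cmd_token = { 1, 0 };            /* the fresh process's own token */
        eprocess_t cmd       = { "cmd.exe", &cmd_token };
        if (fixed) elevate_fixed(&cmd, &system);
        else       elevate_buggy(&cmd, &system);
        process_exit(&cmd);                         /* closing the window */
    }
    result_t r = { system_token.pointer_count, system_token.freed,
                   system.token != NULL && system_token.freed };
    return r;
}

int main(void) {
    result_t b = run_cycles(SYSTEM_TOKEN_REFS, 0);
    result_t f = run_cycles(100, 1);
    printf("buggy after %d cycles: count=%ld freed=%d dangling=%d\n",
           SYSTEM_TOKEN_REFS, b.count, b.freed, b.dangling);
    printf("fixed after 100 cycles: count=%ld freed=%d dangling=%d\n",
           f.count, f.freed, f.dangling);
    return 0;
}
```

With the buggy copy the donor count drops by one per cycle and reaches zero after `SYSTEM_TOKEN_REFS` cycles, leaving the System `_EPROCESS` pointing at a freed object; with the reference taken first, the count returns to its starting value after every exit no matter how many cycles run. The general rule this illustrates is the same for any token-stealing payload: whoever stores a pointer to another process's token must own a reference to it, or the donor pays for every release.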
Current thread:
- Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB. Dave Korn (Apr 26)
- Re: Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB. Dave Korn (Apr 27)
- Re: Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB. Jeff Moore (Apr 27)
- Re: Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB. Joanna Rutkowska (Apr 27)
- Re: Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB. Michal Zalewski (Apr 27)
- Re: Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB. dailydave (Apr 27)