Bypassing Integrity Protection Driver (time vulnerability)

[Jan Rutkowski <jkrutkowski () elka pw edu pl>]

        Bypassing Pedestal Software Integrity Protection Driver
                         (time vulnerability)

                           Jan K. Rutkowski
                      jkrutkowski () elka pw edu pl

What is IPD?
------------
Taken from the IPD's readme:

"The IPD is an Open Source device driver designed to prohibit the
 installation of new services and drivers and to protect existing
 drivers from tampering. It installs on Windows NT and Windows 2000
 computers.
 [...]
 This driver was created to provide protection against rootkit
 installation by attempting to block any new kernel code from being
 installed and executed. This will help to prevent tojan hiding from
 integrity checking programs such as Intact.  "

To to give administrator possibility to uninstall IPD, the driver
starts protecting the system 20 minutes after being loaded.  This is
acceptable, because we can assume that right after reboot server can
be disconnected from the Internet.

The Bug
------------
In order to provide 20 minutes delay on startup, restrictEnabled()
function is used. It is called from other functions to check, whether
they should be restrictive about various actions (like loading
drivers) or not:

int restrictEnabled() {
  LARGE_INTEGER curtime, diff;
  KeQuerySystemTime(&curtime);
  diff = RtlLargeIntegerSubtract(curtime, Globals.DRIVERSTARTTIME);

  if (RtlLargeIntegerGreaterThan(diff,
                                 Globals.RESTRICT_STARTUP_TIMEOUT))
    return 1;
  return 0;
}

One can easy circumvent IPD's protection by turning system clock back.
(Yes, one must own SeSystemtimePrivilage, but that is not a problem
when the attacker has gained privileged access to the system).


Proof-Of-Concept
------------
00:00 [real admin starts IPD on his server]
 c:\ipd>ipdinstall.exe start
 [...]
 The driver will engage in 20 minutes.
 c:\ipd>

00:21 [IPD starts protecting the system from inserting drivers]
 ...
13:13 [a bad hacker comes in to the system]
 c:\alamakota> time
 [now he turns the clock 14 hours back]
 c:\alamakota> w2k_load verybaddrv.sys
 c:\alamakota> time
 [he restores the original time]
 [system is compromised]

This was tested against IPD 1.2.

Patch
------------
I have contacted Pedestal Software, and they released (on Monday 2/12/2002)
a new version (1.3), which fixes this vulnerability. This can be
downloaded form IPD home page (see References below).

Postscriptum
------------
Another IPD vulnerability, was described by crazylord in the last
issue of phrack. He showed how to cheat IPD so that it allows writing
to /Device/Physicalmemory (by creating a symlink).

This vulnerability has also been fixed in the new version 1.3.

References
------------
* IPD homepage:
        http://pedestalsoftware.com/intact/ipd/

--
jan