Another way to bypass Integrity Protection Driver ('subst' vuln)

From: Jan Rutkowski (jkrutkowski@ELKA.PW.EDU.PL)
Date: 01/03/03

Date:         Fri, 3 Jan 2003 20:06:20 +0100
From: Jan Rutkowski <jkrutkowski@ELKA.PW.EDU.PL>

                               Another Way To Bypass
                   Pedestal Software Integrity Protection Driver
                              ('subst' vulnerability)

                               Jan K. Rutkowski

    About IPD
    IPD is an Open Source program to protect Windows 2000 kernel integrity.
    Check the following page for more info:


    The Bug
    In order to prevent loading malicious modules into the kernel, IPD (among
    other things) protects the WINNT/system32/drivers directory, so that it is
    impossible to modify any file contained in it. This is achieved by hooking
    the ZwCreateFile() and ZwOpenFile() kernel functions and checking the file
    path using string comparison.

    However, using the NtCreateSymbolicLinkObject() function, an attacker can
    cheat IPD. She has to create a symbolic link in the "\??" object directory
    which points to "\??\c:\winnt\system32\drivers". The attacker is now able
    to access the drivers directory through the new symbolic link, and this is
    not blocked by

    An attacker must find an entry in HKLM/SYSTEM/CurrentControlSet/Services
    that describes some driver which is not loaded at the moment. There are
    several such entries on a default Windows 2000 installation, e.g. IpNat,
    which describes the ipnat.sys driver.

    Then the attacker issues the following command:

    $ subst x: c:\winnt\system32\drivers

    Now she is able to replace c:\winnt\system32\drivers\ipnat.sys with a
    module of her choice, bypassing IPD's protection of the DRIVERS directory:

    $ copy badmodule.sys x:\ipnat.sys

    After this, she can load her driver into the kernel:

    $ net start ipnat
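    To make the string-comparison weakness concrete, here is an added example in
    portable C (it is not code from this advisory or from IPD): it models the
    "\??" object directory as a small table, follows DOS-device links the way the
    object manager would when parsing a name, and shows that a check on the
    caller-supplied string blocks \??\C:\WINNT\system32\drivers\ipnat.sys but lets
    \??\X:\ipnat.sys through once the subst link exists, while a check on the
    resolved name blocks both. The protected-directory string, the device table
    and the volume name \Device\HarddiskVolume1 are assumptions made for the
    illustration; no Windows API is called, so it builds and runs anywhere.

```c
/* Added example, not code from the advisory or from IPD: a portable C model
 * of why a path-string check hooked into ZwCreateFile()/ZwOpenFile() is
 * fooled by a DOS-device symbolic link.  The "\??" object directory is a
 * small table here; no Windows API is called. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Directory the checker protects, written as an NT object path (assumed form). */
#define PROTECTED_DIR "\\??\\C:\\WINNT\\system32\\drivers\\"

/* Simulated "\??" directory: DOS device name -> link target.
 * "C:" is what a default install has (volume name assumed); "X:" is the link
 * that `subst x: c:\winnt\system32\drivers` would add (constructed). */
struct dos_device { const char *name; const char *target; };

static const struct dos_device after_subst[] = {
    { "C:", "\\Device\\HarddiskVolume1" },
    { "X:", "\\??\\C:\\WINNT\\system32\\drivers" },
    { NULL, NULL }
};

/* Case-insensitive prefix test, the way NT compares path strings. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* The naive check the advisory describes: compare the string the caller
 * passed against the protected directory.  Returns 1 = block, 0 = allow. */
int naive_check(const char *nt_path)
{
    return starts_with_ci(nt_path, PROTECTED_DIR);
}

/* Follow "\??\<DEV>:" links through the table until the path no longer
 * starts with "\??\", as the object manager does when it parses a name.
 * Returns 0 and fills out on success, -1 for an unknown device. */
int resolve_path(const struct dos_device *table, const char *in,
                 char *out, size_t outlen)
{
    char cur[512], next[512];
    int depth;
    snprintf(cur, sizeof cur, "%s", in);
    for (depth = 0; depth < 8 && strncmp(cur, "\\??\\", 4) == 0; depth++) {
        const char *dev = cur + 4;            /* e.g. "X:\ipnat.sys" */
        const struct dos_device *d;
        for (d = table; d->name; d++)
            if (dev[0] && dev[1] == ':' &&
                toupper((unsigned char)dev[0]) == d->name[0])
                break;
        if (!d->name)
            return -1;                         /* no such DOS device */
        snprintf(next, sizeof next, "%s%s", d->target, dev + 2);
        strcpy(cur, next);
    }
    snprintf(out, outlen, "%s", cur);
    return 0;
}

/* Checker that compares resolved names instead of caller-supplied strings.
 * Unknown devices fail closed (blocked).  Returns 1 = block, 0 = allow. */
int resolved_check(const char *nt_path)
{
    char want[512], got[512];
    if (resolve_path(after_subst, PROTECTED_DIR, want, sizeof want) != 0)
        return 1;
    if (resolve_path(after_subst, nt_path, got, sizeof got) != 0)
        return 1;
    return starts_with_ci(got, want);
}

int main(void)
{
    const char *direct  = "\\??\\C:\\WINNT\\system32\\drivers\\ipnat.sys";
    const char *aliased = "\\??\\X:\\ipnat.sys";   /* through the subst link */
    printf("naive    direct : %s\n", naive_check(direct)     ? "blocked" : "allowed");
    printf("naive    aliased: %s\n", naive_check(aliased)    ? "blocked" : "allowed");
    printf("resolved aliased: %s\n", resolved_check(aliased) ? "blocked" : "allowed");
    return 0;
}
```

    The resolved check only illustrates where the naive comparison goes wrong;
    on a real system the "\??" directory is not the only source of aliases (a
    caller can also open a file relative to a directory handle passed in
    OBJECT_ATTRIBUTES.RootDirectory, in which case the name string carries no
    full path at all), which is one reason a fix that locks the files
    themselves, as the vendor's does, is sounder than any name comparison.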

    Solution and Patch
    Pedestal Software released a new version (1.4) which fixes the
    vulnerability. See the IPD homepage.

    The idea of the fix is simple: on startup IPD opens each driver file and
    locks it, so Windows does not allow these files to be deleted or
    overwritten. Because the lock is held on the file itself rather than on a
    path string, it holds no matter which name or link the file is opened
    through. Nice.
