Protection Bypass Vulnerability in Pedestal Software's Integrity Protection Driver for Windows 2000
A vulnerability in the IPD 1.3 for Windows 2000 can permit an attacker to bypass the driver's kernel protection.
January 5, 2003
Reported January 3, 2003, by Jan Rutkowski.
VERSIONS AFFECTED
Pedestal Software’s Integrity Protection Driver (IPD) 1.3 for Windows 2000.
DESCRIPTION
A vulnerability in the IPD 1.3 for Windows 2000 can permit an attacker to bypass the driver's kernel protection. Using Win2K's NtCreateSymbolicLinkObject() function, the attacker can bypass IPD protection by creating a symbolic link in the \?? object directory that points to \??\C:\winnt\system32\drivers.
DEMONSTRATION
The discoverer posted the following scenario as proof of concept:
Proof Of Concept
-----------------
An attacker must find an entry in the HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services registry subkey that describes a driver that isn't currently loaded. A default Windows 2000 installation contains several such entries (e.g., IpNat, which describes the ipnat.sys driver).
The attacker then enters the following command:
$ subst X: C:\winnt\system32\drivers
The attacker can then replace C:\winnt\system32\drivers\ipnat.sys with the module of his or her choice, bypassing IPD protection of the drivers directory:
$ copy badmodule.sys X:\ipnat.sys
Now, the attacker can insert his or her driver into the kernel:
$ net start ipnat
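As an added defender-side check (not part of the advisory and not Pedestal Software's code): a small Python routine that walks a table of DOS-device symbolic links, in the form QueryDosDevice() reports them, and flags any alias that resolves into the protected drivers directory. The device table is constructed to mirror the subst scenario above, including an alias chained through another alias.

```python
from typing import Dict, List

# Object-manager prefix that marks a DOS-device symbolic link target.
LINK_PREFIX = "\\??\\"
# Directories IPD 1.3 was meant to shield; aliases resolving here are suspect.
PROTECTED_DIRS = [r"C:\winnt\system32\drivers"]

# Constructed sample of (DOS device name, NT target) pairs as QueryDosDevice()
# would report them.  'X:' mirrors the 'subst X:' step in the advisory.
SAMPLE_DEVICES: Dict[str, str] = {
    "C:": r"\Device\HarddiskVolume1",
    "D:": r"\Device\CdRom0",
    "X:": r"\??\C:\winnt\system32\drivers",   # subst alias into the drivers dir
    "Y:": r"\??\X:\ipnat.sys",                 # alias chained through X:
    "PhysicalDrive0": r"\Device\Harddisk0\DR0",
}

def resolve_alias(name: str, devices: Dict[str, str], max_hops: int = 8) -> str:
    """Return the path a DOS device ultimately names, following \\??\\ links.
    A link to a real \\Device\\... object ends the walk; the hop bound guards
    against link loops."""
    target = devices.get(name, name)
    for _ in range(max_hops):
        if not target.startswith(LINK_PREFIX):
            return target                          # real device object: done
        win32 = target[len(LINK_PREFIX):]          # e.g. C:\winnt\... or X:\ipnat.sys
        drive, _sep, rest = win32.partition("\\")
        nested = devices.get(drive.upper())
        if nested is None or not nested.startswith(LINK_PREFIX):
            return win32                           # drive letter is a real volume
        target = nested.rstrip("\\") + ("\\" + rest if rest else "")
    return target

def find_protected_aliases(devices: Dict[str, str],
                           protected: List[str] = PROTECTED_DIRS) -> List[str]:
    """Names of DOS devices whose resolved path is a protected dir or inside it."""
    hits = []
    for name in devices:
        resolved = resolve_alias(name, devices).lower().rstrip("\\")
        for pdir in protected:
            p = pdir.lower().rstrip("\\")
            if resolved == p or resolved.startswith(p + "\\"):
                hits.append(name)
                break
    return hits

if __name__ == "__main__":
    for name in find_protected_aliases(SAMPLE_DEVICES):
        print(f"{name} -> {resolve_alias(name, SAMPLE_DEVICES)}")
```

On a live Windows host the same dictionary can be filled from QueryDosDevice() output; a path-based protection like IPD 1.3's is only as good as its view of every alias that reaches the guarded directory.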
VENDOR RESPONSE
Pedestal Software has released Integrity Protection Driver 1.4, which isn't subject to this vulnerability.
CREDIT
Discovered by Jan K. Rutkowski.