Defeating Driver Signing Enforcement, Not That Hard!
These days everybody talks about Driver Signing Enforcement and the ways to bypass it. J00ru talked about the hard way; I'll tell you about the easy and very long-known way. All we need is a signed, vulnerable x64 driver. As we know, loading a driver requires administrator privilege, but these days a normal user with the default UAC setting can silently obtain admin privilege without a UAC dialog ever popping up.
The driver I'm talking about is DCR from DriveCrypt. The x64 version is signed and is vulnerable to a write4 bug.
The latest version is no longer vulnerable, but this version still has a valid signature, and that's enough.
I think it's obvious that the whole process can be automated programmatically: escalating from normal user to admin (silently, with one of the UAC bypass methods) in order to load the vulnerable driver, and then exploiting it.
You can find the vulnerable version of the driver along with the exploit at "DriveCrypt\x64\Release".
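The defensive counterpart to the technique above is to stop trusting "signed" as a synonym for "safe": a driver that passes DSE can still be a known-vulnerable build. The following PowerShell audit is an added example, not code from the post or from DriveCrypt; it assumes a placeholder blocklist entry (file name and last-vulnerable version are not taken from the post) and checks running drivers for both signature validity and blocklist membership.

```powershell
# Added audit script, not code from the original post or from DriveCrypt.
# Lists running kernel drivers, checks whether each has a valid Authenticode
# signature, and separately flags drivers on a locally maintained blocklist of
# signed-but-vulnerable builds. The blocklist entries are PLACEHOLDERS: the
# file name and last-vulnerable version for the DriveCrypt driver are assumed,
# not taken from the post.
$Blocklist = @{
    'dcr.sys' = [Version]'0.0.0.0'   # placeholder: last build known to carry the write4 bug
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may use NT-style prefixes; normalise to a Win32 path.
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -and -not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverAuditRecord {
    param([string]$Name, [string]$PathName)
    $path = Resolve-DriverPath $PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
    $vi   = (Get-Item -LiteralPath $path).VersionInfo
    $ver  = New-Object -TypeName System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $file = [System.IO.Path]::GetFileName($path).ToLowerInvariant()

    # A valid signature alone proves nothing about safety: a known-vulnerable
    # build passes DSE exactly as the post describes, so the version check is separate.
    $verdict = 'ok'
    if ($sig.Status -ne 'Valid') { $verdict = 'UNSIGNED-OR-INVALID' }
    elseif ($Blocklist.ContainsKey($file) -and $ver -le $Blocklist[$file]) { $verdict = 'SIGNED-BUT-KNOWN-VULNERABLE' }

    [pscustomobject]@{
        Driver    = $Name
        Path      = $path
        Version   = $ver
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Verdict   = $verdict
    }
}

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object { Get-DriverAuditRecord -Name $_.Name -PathName $_.PathName } |
    Sort-Object Verdict -Descending |
    Format-Table -AutoSize
```

On current Windows builds the same idea is enforced centrally by Microsoft's vulnerable driver blocklist (delivered through HVCI/WDAC policy), which is the practical form that "revoking" a signed vulnerable driver takes.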


I like your style.
That single vulnerable signed driver can be revoked to avoid your bypass method. The way I'll show at POC2012 can exploit more than a thousand drivers on Windows x64 with only one patched vulnerability.
Well, pretty interesting! Looking forward to reading the slides.
Interesting, that bug was fixed a long time ago, since it was found in ~2010:
http://www.digit-labs.org/files/exploits/drivecrypt-dcr.c
That aside, it looks like we both had the same tactic of printing the version number of the driver:
0x%08X [%s], %s\n", *(int *) &buf[8], &buf[12], &buf[19]);
--
0x%08X [%s], %s", *(int *) &DriverString[8], &DriverString[12], &DriverString[19]);
Might want to dig a little deeper; it's not going to be hard to catch Shaun (the SecurStar developer) out, especially when they do things like this:
http://www.digit-labs.org/files/exploits/drivecrypt-fopen.c
Yes, that's because I used your exploit as a base. But exploiting a stack overflow on x64 was kind of a "waste of time" when I found a nice and easy write4 vulnerability inside the driver; you know, I'd have to fix all the crap I changed by overflowing the stack... but not in this one.