clrokr (@clrokr) – 6. Jan 2013
It’s taken longer than expected but it has finally happened: unsigned desktop applications run on Windows RT. Ironically, a vulnerability in the Windows kernel that has existed for some time and got ported to ARM just like the rest of Windows made this possible. MSFT’s artificial incompatibility does not work because Windows RT is not in any way reduced in functionality. It’s a clean port, and a good one. But deep in the kernel, in a hashed and signed data section protected by UEFI’s Secure Boot, lies a byte that represents the minimum signing level.
Finding the right spot
The minimum signing level determines how good an executable’s signature is on a scale like this: Unsigned(0), Authenticode(4), Microsoft(8), Windows(12). The default value on x86 machines is of course 0 because you can run anything you like on your computer. On ARM machines, it defaults to 8.
That means that even if you sign your apps using your Authenticode certificate, the Surface or any other Windows RT device (at this moment) will not run them. This is not a user setting, but a hardcoded global value in the kernel itself. It cannot be changed permanently on devices with UEFI’s Secure Boot enabled. It can, however, be changed in memory.
Finding this byte in the kernel takes a while, there is no exported symbol for it and not even in the symbol database at MSFT. I found it using WinDbg and a machine running Windows 8 Pro, creating processes and watching how the system behaves when the signature checks happen all the way through CI.dll and back. Because Windows 8 and Windows RT are so similar, locating it in the ARM kernel was not hard:
SeGetImageRequiredSigningLevel+0x18
LDR R3, =0x59FFA6 This is our byte, 0x19FFA6 at 0x400000 image base
LDRB R3, [R3]
CMP R3, #4
BHI loc_HighSigReq
B.W loc_LowSigReq
There are many more places where you can find this byte accessed, but none of them have an exported symbol.
Prerequisites
A while ago I read an article about how the Windows kernel assumes that data passed by certain processes is always well-formed [1]. This vulnerability exists in Windows RT, but exploitation is a bit harder than on Windows 8 because unsigned binaries can’t be run in the first place (and store apps don’t have the security context you need to attach to other processes). But Microsoft decided to provide something very important [2] that made this whole endeavour a lot easier. This remote debugger, when run as Administrator, can attach to the user’s CSRSS process and manipulate its memory.
CSRSS contains a lot of calls to the vulnerable NtUserSetInformationThread function, including some that use the right parameters to exploit it. This is one of them (from winsrv.dll):
TerminalServerRequestThread+0x230
MOVS R3, #0xC
ADD R2, SP, #0x58
MOVS R1, #9
MOV R0, 0xFFFFFFFE
BL NtUserSetInformationThread
A CSRSS thread executes this code. Using a breakpoint, we can change the data structure pointed to by R2 before the NtUserSetInformationThread call happens to exploit the vulnerability. Sadly, this is very impractical because the exploit subtracts 1 from the specified address and we need to subtract 0×80000. This is because we can’t do an unaligned access on ARM (remember, our byte’s offset is 0x19FFA6), so we need to use 0x19FFA4.
We also need the linear address at which the kernel image resides. We can find this out by calling (on the device, this can be done from a store app which will run unsigned) NtQuerySystemInformation with information class 11. If you want to know how to use NtQuerySystemInformation from a store app, read [3]. This gives us a list of all loaded drivers and their image bases, effectively bypassing ASLR in this case (although this is not what ASLR is for, it is annoying in these situations).
Exploitation
Using the remote debugger and MSFT’s armasm, I used a half-empty code page in winsrv.dll (0×10800 from the image base) to store this small payload:
push {r5-r8}
mov r7, 0x80000
ldr r8, my_addr
loc_loop_begin:
movs r3, 0xC
add r2, sp, 0x68 ;0x58 org.
add r5, r2, 4
str r8, [r5]
movs r1, 9
mvn r0, 1
mov r12, 0x10E1
svc 1
subs r7, r7, 1
cmp r7, 0
bne loc_loop_begin
pop {r5-r8}
mov r0, r0
my_addr dcd 0x12345678 the kernel's base address + 0x18
We now set a breakpoint directly after the legitimate NtUserSetInformationThread call in TerminalServerRequestThread, pressing a volume button will trigger it. This is where it gets interesting.
Redirect the instruction pointer to the payload in memory and set a breakpoint at the mov r0, r0 instruction at the end. Press F5. Now set the instruction back to the first breakpoint and remove both. Press F5 again.
Congratulations, your Windows RT device is unlocked!
Conclusion
Windows RT is a clean port of Windows 8. They are the same thing and MSFT enforces Code Integrity to artificially separate these platforms. It does not stop pirates from modifying store apps (and their license checks) because store apps are the only things that can actually run unsigned. The fact that this method works on Windows 8 as well shows how similar the systems are. You can even enforce Code Integrity on Windows 8 to see what Windows RT feels like!
The decision to ban traditional desktop applications was not a technical one, but a bad marketing decision. Windows RT needs the Win32 ecosystem to strengthen its position as a productivity tool. There are enough “consumption” tablets already.
Microsoft, please consider making code signing optional and thereby increasing the value of your Windows RT devices!
Drawbacks
- Sometimes this triggers a bugcheck because we can’t control the bytes at 0x19FFA4 and 0x19FFA5 from the kernel base and they sometimes are zero, causing a 0×18 bugcheck.
- This method is not practical for most users, especially because tablet buyers are less likely to know enough about computers to do this than PC users.
Sources
[1] j00ru//vx tech blog: Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops
[2] Visual Studio 2012 Remote Tools
[3] Using the complete Windows API in store apps (mamaich at XDA-Developers)
also for further reading
[*] Discussion about this on XDA-Developers
Changelog
6. Jan 2013: Added 0×18 offset in payload because it is very important and the article at [1] doesn’t mention it. Also added link to discussion on XDA-Developers for further reading.
The labels could include a photo of the day’s most entertaining tweets.
To be funny on the site, you’ve got to be sharp and practice economy of language.
But after an exhaustive research I found a more common idea about
the specifics. s discuss about GPS Forex Robot from Mark Larsen and how it may assist you.
Second, be certain to won’t need to often be a computer geek to implement the robot. Remember, forex online trading has different strategies reserved for veteran traders and those who have taken the plunge only recently. The trader really should discover this to keep concentrated.
This could be good if you put something more entertaining photos. You could be updating about a colleague getting a promotion.
Awsome site! I am loving it!! Will be back later to read some
more. I am bookmarking your feeds also.
It is actually a great and useful piece of information. I’m happy that you just shared this useful information with us. Please keep us up to date like this. Thanks for sharing.
This site was… how do I say it? Relevant!! Finally I have found something that helped me.
Kudos!
The most attractive part of the project is that it is available at affordable
price, which starts from 85,50,000 onwards. This
would be fine if society didn’t then present us with a list of qualities that we must have if we are to be considered “beautiful” – a list of unrealistic, ridiculous rules that eliminate about 95 percent of us from ever being part of that group. Developing a simple separate developing, designers in Pune are now providing principles like incorporated town-ships, green houses, smart or super-luxury houses.
It is perfect time to make some plans for the future and it’s time to be happy. I have read this post and if I could I wish to suggest you some interesting things or suggestions. Perhaps you can write next articles referring to this article. I want to read even more things about it!
Hello there, I found your website via Google whilst searching for a similar matter, your
site got here up, it seems great. I’ve bookmarked it in my google bookmarks.
Hi there, simply become aware of your blog via Google, and found that it’s really informative.
I am gonna be careful for brussels. I’ll be grateful in case you proceed this in future. Numerous folks might be benefited out of your writing. Cheers!
Some of these alarms have smoke detectors that notify you in case of a
fire and help you to prevent it. Another thing that gamers want is a wireless headset that can be used for
long periods of time without having to constantly be recharged.
Most of what you need is in Start ‘ Control Panel ‘ Network and Sharing
Center.
Definitely believe that which you stated. Your favorite reason appeared to be on the net the easiest thing to be aware of.
I say to you, I certainly get irked while people consider worries that they plainly do not know
about. You managed to hit the nail upon the
top and defined out the whole thing without having side-effects , people could take a signal.
Will likely be back to get more. Thanks
you’re in reality a good webmaster. The website loading pace is incredible. It sort of feels that you are doing any distinctive trick. Moreover, The contents are masterwork. you have performed a wonderful task in this subject!
Today, I went to the beach front with my kids. I found a sea shell and gave it
to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She put the shell to her ear
and screamed. There was a hermit crab inside
and it pinched her ear. She never wants to go back!
LoL I know this is entirely off topic but I had to tell someone!
Pingback: Internet Hustler Blog
Hulk would win for sure! Easily the superman movies show me DC’s view of your Superman . Superman 2 without his strength acquired defeat up just like a Lil bitch with the dinner. If that man experienced sups power superman would be calling him master. The final super man he was getting his as handed to him,I mean dragged by his hair perty considerably crying. That is not my hero maybe yours and his outfit screams I enjoy guys. These are a facts ,plus hulk is stronger and he is hometown earth.
They let you get free diamonds and coins without any jailbreak.
People send emails to friends, go shopping, download files, look at pornography,
play games, gamble and read classifieds and other adverts for a
better job, or an easy method of earning more money. However, you must be careful when using such codes.