lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040918033346.23736.qmail@www.securityfocus.com>
Date: 18 Sep 2004 03:33:46 -0000
From: kers0r <root@...lum-nz.com>
To: bugtraq@...urityfocus.com
Subject: Virus exploits workaround in Windows Mobile/Pocket PC
    architecture (Includes Source Code)




Airscanner Mobile Security Advisory

*Title*

Virus exploits workaround in Windows Mobile/Pocket PC architecture (Includes Source Code)

*Introduction*

Airscanner Corp. has obtained and published the complete, annotated source code to CE.Dust, the first virus to infect the Windows Mobile/Pocket PC platform.

*Background*

Virus authors have been trying to infect Windows CE for several years. However, CE.Dust had to overcome unique technological barriers in order to infect this platform. By publishing the source code, Airscanner Corp. hopes to help security researchers and programmers develop appropriate countermeasures.

Airscanner Corp. received the CE.Dust virus from its author at the exact same time as all other major antivirus companies. However, because Airscanner Corp. specializes exclusively in  software reverse engineering for ARM-based processors, we were fortunate enough to be the first antivirus company to analyze the virus and post a fix on July 16, 2004:
http://www.airscanner.com/pr/dust0715.html

*Source Code*

Following our initial publication, we wrote to the virus author and asked him to explain how he managed to be the first to infect this virgin OS. He was kind enough to explain his results in great detail. We have published his source code, along with annotation and our background material, at the following link:

http://www.informit.com/articles/article.asp?p=337071

*Vulnerability*

The virus exploits a unique workaround in the Windows CE.NET security architecture. Windows CE was designed with a protected kernel. User-mode applications are not permitted to interact directly with the kernel. This was designed to enhance the security and stability of Windows CE.

However, the "coredll module" resides deep within the kernel. This is the key module that controls all of the core system processes -- as well as all of the necessary ingredients for sucessful virus infection.

The CE.Dust virus exploited a clever workaround of the operating system architecture in order to gain access to the coredll module. Specifically, in Windows CE.Net, Microsoft has left the function "kdatastruct" acessible to usermode. This provided the key to the entrypoint of the virus. Full details of this vulnerability are provided in the annotated comments of source code listed in the article above.

*Contact*

Airscanner Corp.
http://airscanner.com/
contact@...scanner.com

Contributors:

Cyrus Peikari
Seth Fogie
Ratter/29A
Jonathan Read


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ