Windows RT - Minimum Signing Level (Kernel Exploit)

Discussion in 'Security' started by Ace, Jan 14, 2013.

  1. Ace

    If you have an RT device like me (Surface with Windows RT, for instance) you'll know that Microsoft has prevented you from downloading and running your own programs. The only programs that are available to you to run on the desktop environment/workspace are a few accessories, including a very minimal Office package. While the reason why MSFT did this is still not 100% clear, I have been given a few reasons by others in addition to my own beliefs for why this is so.

    After further investigation myself, I've found out that several other files, even ones provided to you by factory default, are rendered useless by this new limitation, which seems very strange. "write.exe", for example, does not work, along with many other programs. So what I've actually done is just removed what I knew I could remove, to free up some space on the device (even though I have the 64GB version), as it doesn't make sense to keep them if I can't run them. As strange as it is, though, it almost seems as if Microsoft made this a temporary thing, and perhaps a future update will allow users to run their own applications.

    That said, I don't know why I have the desktop at all on my RT device, because it's a Surface: a tablet-based device. Using the desktop on a screen this size isn't exactly very user friendly. I was provided with reasons for why Microsoft had kept it, including the argument that if Microsoft had removed it, it could possibly have meant a lot more time under development before they would have been able to release the Surface with Windows RT, because removing the desktop environment might have required a rewrite of the majority of the code.

    If that's the case, then it's no surprise Microsoft basically ported 60-70% of the original Windows OS over to Windows RT. I'm still hoping that Microsoft decides to take it completely out of Windows RT regardless, and keep it for the Windows 8 version of the Surface that they are coming out with...

    A hacker, credited by Microsoft for writing a report on bypassing this "feature" and enabling users to run their own programs on Windows RT, used a known exploit in the Windows OS, though, because Windows had been ported almost "as-is" over to Windows RT for the most part. What this means is that the same exploit still exists in regular Windows 8 and Windows 8 Pro. Microsoft didn't believe this was a security issue, though, and I'm not sure if that was a direct word on RT-based devices or on Windows as an OS in itself, but my view on it would be that it's a huge issue on regular Windows; with Windows RT, which requires a certain signing level (8 to be specific) in the kernel, and given that Windows Store apps don't really run under a high enough security context to do much damage, I would say it's not really an issue at this point for RT.

    I was curious about this, though, and it is confirmed that this "exploit" does exist on Windows RT. I have been able to run my own .NET program on my Surface in the desktop (my Surface had up to .NET 4.0 already pre-installed, I believe). The only thing that stops the modifications to the kernel from being useful is Secure Boot (UEFI); however, the exploit for bypassing driver signing enforcement and PatchGuard altogether, which I've posted here: https://www.win8forums.com/threads/insecure-uefi-boot.742/ -- could in fact make this a more permanent "mod" if you didn't feel like having to re-install the programs every boot, because the kernel would default, setting the one byte value indicating the minimum driver signing level back to 8 (meaning Microsoft signing level) from 0, which is what we need it set to in order to run our own "unsigned" applications. Otherwise, this value can be changed in memory if you can't modify it permanently in the kernel because UEFI boot prevents it and you don't have a way to bypass PatchGuard.

    More information here: http://surfsec.wordpress.com/2013/01/06/circumventing-windows-rts-code-integrity-mechanism/

    I had looked for a way to achieve this myself and I had a few ideas, but this was already posted by then. If I found a way though I was encouraged to post about it, and document it like this guy did.
    Ace, Jan 14, 2013
    #1