Excellent work from @GabrielLandau on how Windows can be tricked into loading drivers with untrusted signatures:
https://www.elastic.co/security-labs/false-file-immutability

Repeat after me:
"Windows admin to kernel is not a security boundary"
"Belief in BYOVD protection is fantasy"

MS seems to have mitigated the attack with May's updates for Windows 11, but at the same time they haven't assigned a CVE or mitigated the issue for Windows Server because it's not a security boundary.

Some more details on this non-boundary:
https://vu.ls/blog/byovd-protection-is-a-lie/
https://vu.ls/blog/byovd-protection-is-a-lie-pt2/

Introducing a New Vulnerability Class: False File Immutability — Elastic Security Labs

This article introduces a previously-unnamed class of Windows vulnerability that demonstrates the dangers of assumption and describes some unintended security consequences.

@GabrielLandau
And while Microsoft has mitigated the ItsNotASecurityBoundary issue with May's updates for Windows 11, we can use WindowsDowndate, which also does not cross a security boundary, to roll back to an exploitable ci.dll. At which point we can exploit a fully-patched Windows 11 system with ItsNotASecurityBoundary to load arbitrary drivers with arbitrary (e.g. untrusted) signatures.

In other words, the "requirement" that modern Windows can only load signed drivers is merely a suggestion.

Again, please say these statements and understand why you should believe them:
"Windows admin to kernel is not a security boundary"
"Belief in BYOVD protection is fantasy"