Monthly Archives: March 2008

New attack released – Windows has been vulnerable for 8 years.

In November 2007 at PacSec'07, Tokyo, Japan, Nicolas Ruff and I (Matthieu Suiche) presented how to create a readable physical memory dump from the undocumented Microsoft hibernation file.

Last month, I published an open-source public version of this project called SandMan Framework. This framework allows manipulating the hibernation file for offensics (malicious) or forensics uses.

Today, I am going to release a Proof of Concept of the sandman attack using SandMan Framework. This PoC consists in elevating a user CMD shell to SYSTEM level under Windows XP SP3 RC1.

Sandman Framework offers a wide range of possibilities, both offensive and defensive. Like cryptographic keys retrieving in popular encryption software (e.g. TrueCrypt, GPG), privilege
escalation (cf. PoC), login without any password, and so on

All Windows versions are concerned, from Windows 2000 up to Windows 2008, Windows Vista SP1 included (and possibly Windows Seven).

The following video shows how the system can be subverted in a few minutes. The following points are highlighted:

* Deactivating hibernation feature does not solve the problem.
* The sandman attack affects every Windows version, from Windows 2000 to Windows 2008, 32- and 64-bit alike.
* We can read and write everything everywhere in the physical memory (RAM).
* This attack is feasible in real life on every computer with no hardware requirements.
* The attack has no time limitation. If a computer has been hibernated one
week ago, extracting his physical memory is still possible.

This is far more powerful than other recently demonstrated attacks against physical memory, like Cold Boot and FireWire attacks.

“keep you free from sin, till the sandman he comes”
(Enter SandMan — Metallica)

Physical memory access is fashion…

These last weeks several proof of concept were published about physical memory access.

The first one (21 February 2008) was from Princeton university who published a very buzzed proof of concept in video.. This one allows to read the physical memory in a limited time.

The second one was SandMan which is hosted by myself. This one was released 4 days later by the University of Princeton proof of concept and give read/write access to physical memory though the hibernation file.

And few hours ago, a security researcher called Adam Boileau released a tool called Winlockpwn. This last one use firewire port to get read/write access to physical memory.

There is only 2 weeks between the Princeton’s release and Adam’s one. Live forensics looks to be very fashionable…