On Tue, 15 Jul 2008, Linus Torvalds wrote:

> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's
> the "look at the source" approach.
Btw, and you may not like this, since you are so focused on security, one
reason I refuse to bother with the whole security circus is that I think
it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just
fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because
there's a lot more of them. I don't think some spectacular security hole
should be glorified or cared about as being any more "special" than a
random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I can’t
stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in
that they make such a big deal about concentrating on security to the
point where they pretty much admit that nothing else matters to them.

To me, security is important. But it’s no less important than everything
*else* that is also important!

			Linus

The main difference between ManTech tool and win32dd, is that win32dd is mainly a kernel mode application — then it avoids to use user-land API to write to an output file, everything is done with native functions. Thus, it means a faster dumping… This point isn’t negligible when you have one million page to dump in one single.

In ManTech tool, the driver is only used to get \Device\PhysicalMemory handle.

Download win32dd v1.0.20080615 now!

EDIT: (16th June), New version, fixed bug.

PS: You can read further information about PhysicalMemory restriction access on the Microsoft MSDN here.

Some months later, an alpha version formally called 1.0.080226, of Sandman Framework has been released as an open source project. — you can find the current version here. Please consider, as Volatility Team has kindly reminded SandMan is a GPL3 project then don’t imitate Vendor “X” which don’t even waited a final version of SandMan to violate the GPL and then implemented a bugged version into his commercial products :).

Furthermore, in March Cedric presented and commented the SandMan proof of concept video during lightning talks at CanSecWest 2008 in Vancouver.

Anyway, at the upcoming Black Hat Vegas 2008, I’m going to give a talk entitled “Windows hibernation file for fun and profit“. This talk aims to discuss about both forensics and offensics uses through the hibernation file (hiberfil.sys) with SandMan.

For your information, Alex is also giving a talk at BH called “Of Pointers and Handles A Story of Unchecked Assumptions in the Windows Kernel”.

You can take a look at the full schedule here.

Microsoft Advanced Windows Debugging Team published their third puzzler: Matrix Edition #3 . It looks they’ll publish one puzzler per week. As far I understand, the goal of this puzzler is to translate a function from Assembly to C.

Here is my solution:

1. void myfun(char *string)
2. {
3. int lenString, countLoop, index;
4. char savedByte;
5. lenString = strlen(string);
6.      for (countLoop = lenString; countLoop; countLoop–)
7.      {
8.          for(index = 0; index < (countLoop - 1); index++)
9.          {
10.              if (string[index] > string[index + 1])
11.              {
12.                  savedByte = string[index];
13.                  string[index] = string[index + 1];
14.                  string[index + 1] = savedByte;
15.              }
16.          }
17.      }
18. }

8.00 PM (yeah it’s late)
I had almost 7 hours of time travel in Train from Paris to Goettigen. It was really exhausting but it was a good opportunity to talk with pretty girls visiting Europa :)

This year, SambaXP conference hold in Freizeit Hotel (Free time in English) in Goettingen (Germany) from 14th to 18th April.
During the dinner, I met Samba Team, OpenChange Team and sponsors people.

I had a really interesting discussion with the folks of Samba about Protocol Freedom Information Foundation (PFIF).

My main question was : What’s the difference between semi-private documentation provided by PFIF since December 2007 and public documentation provided by MSDN since March?
Technically, the content is the same. But if you look the law part PFIF grants extra patents protections.
For instance, if someone uses PFIF docs then Microsoft has a limited number of patents they can assert against the developer but if he uses MSDN docs then he doesn’t have patent protection.

I strongly recommend you to read links I posted above. That’s really an impressive work they did since 1992.

Weather in Germany is cold! I even wonder if it’s colder than North France one.

During the dinner, I had the occasion to meet Tom Hanrahan from Port 25 (MSFT) who works as Director of Linux Interoperability.

I’d like to share an interesting reference from Dan to a speech of Eben Moglen about “The Global Software Industry in Transformation: After GPLv3″. (Audio, Txt).

Andrew Tridgell (Samba Team), Samba and the PFIF renamed Samba and Microsoft to focus on new relationship between Samba and Microsoft engineers.

Andrew gave a quick review of the relationship with Microsoft timeline from early 90’s to now including the antitrust action in Europe during (99 - 07), WSPP/PFIF agreement (late 2007) to actual open cooperation publicly release of documentation MSDN (MSFT interoperability initiative).

PFIF (Protocol Freedom information foundation) has been introduced. For people who never heard about PFIF, it’s a legal entity that allows free software projects to take advantage of the WSPP protocol program. It makes protocol documentation available under a NDA but compatible with GPL. With an additional guarantees provided for at least 5 years of updates and corrections. Andrew also talked about the recent errors discovered in the documentation and the fact that Microsoft is now close to developers to fix it.

As you probably know, WSPP and MCPP documents are now public under a liberal license. It means Samba can now build an open community for cooperation on protocol knowledge. All previous secret on WSPP/PFIF is finished because the documentation is now available to everyone. PFIF also provides some additional guarantees on documentation updates and corrections.

As Andrew said, it means a good technical cooperation because lawyers are now sidelined and engineers have taken over. He also mentioned there is now a public forum for protocol discussion where PFIF members and MS Engineers can talk.

Tridge also highlighted two notable events for 2008:

Samba’ll be participing file system plugfest at Microsoft in June.

Microsoft will actively participate in the CIFS plugfest in August.

Julien Kerihuel (OpenChange): When OpenChange assimilates the Borg
OpenChange is 5 years old project build over Samba 4 infrastructure, two members of Openchange belong to Samba Team. Julien mostly talks about the libmapi client implementation This library provides an interface for NSPI & EMSMDB protocol.

*Party!*

This day is composed of three simultaneous room for three simultaneous talks.

There is a presentation I really appreciated, entitled Samba Encryption by Jeremy Allison (Google & Samba Team). The talk was about SMB protocol internal and some programming stuff.

It means numerous hundreds(thousands?) of functions/algorithms documentation and pseudo-code. But, are these pseudo-function right? It looks not.

While I was reading [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol Specification, I was a bit curious to see the DecompressWin2k3() function (Thanks Aaron, Stefan , and Brendan).

This function is in fact the decompression algorithm called Xpress implemented for the first time in Windows XP and not Windows 2003 as say the name. Xpress algorithm works on 64kb chunks and is used in Windows hibernation file format, Windows Imaging Format (WIM) , Outlook, Exchange, and… LDAP replication service of Active Directory.

I’m quoting below, errors I found in the pseudo-code of DecompressWin2k3(). Here is the C implementation.

while (outputIndex < = outputSize) 
should be:
while (outputIndex < outputSize) 
    if (indicatorBit = 0) then
        indicatorBit := copy inputBuffer[inputIndex] as 32-bit integer in
        little-endian format 
        should be:
        indicator := copy inputBuffer[inputIndex] as 32-bit integer in
        little-endian format 
        inputIndex := inputIndex + 4
        indicatorBit := 32
    endif 

    indicatorBit := indicatorBit - 1 

//* check whether the bit specified by indicatorBit is set or not
//* set in indicator. For example, if indicatorBit has value 4
//* check whether the 4th bit of the value in indicator is set  

    if indicatorBit bit in indicator is not set then
        inputBuffer[inputIndex] := outputBuffer[outputIndex]
        should be:
        outputBuffer[outputIndex] := inputBuffer[inputIndex] 
        inputIndex := inputIndex + 1
        outputIndex := outputIndex + 1
    else
        length := copy inputBuffer[inputIndex] as 16-bit integer in
        little-endian format
        inputIndex := inputIndex + 2
        offset := length /8
        length := length mod 8 

        if (length = 7) then 

            if (nibbleIndex = 0) then
                nibbleIndex := inputIndex
                length := inputBuffer[inputIndex] mod 16
                inputIndex := inputIndex + 1
            else
                length := inputBuffer[inputIndex] / 16 
                should be:
                length := inputBuffer[nibbleIndex ] / 16 
                nibbleIndex := 0
            endif 

            if (length = 15) then 

                length := inputBuffer[inputIndex]
                inputIndex := inputIndex + 1 

                    if (length = 255) then
                        length := copy inputBuffer[inputIndex] as 16-bit integer in little-endian format
                        inputIndex := inputIndex + 2
                        length := length - (15 + 7)
                    endif
                length := length + 15
            endif 

            length := length + 7 

        endif 

    length := length + 3 

        while (not length = 0) 
        should be:
        while (length != 0) 
            outputBuffer[outputIndex] := outputBuffer[outputIndex - offset - 1]
            outputIndex := outputIndex + 1
            length := length - 1
        endwhile
    endif 

endwhile 

return 

Posted on Friday, Mar 28, 2008 - 1:05:
* Ability to decompress Windows XP 32-bit hiberfil.sys files, whether
active or inactive, to get a dump of physical memory with all in-use
pages from a previous point of time when the computer entered into
hibernation, as well as individually carved xpress chunks from
hiberfil.sys files, including xpress chunks located in the “slack” of
hiberfil.sys that are even older. This feature is available in Edit |
Convert. (forensic license only)

(PS: I’m not beta-tester)
Source.

In November 2007 at PacSec'07, Tokyo, Japan, Nicolas Ruff and I (Matthieu Suiche) presented how to create a readable physical memory dump from the undocumented Microsoft hibernation file.

Last month, I published an open-source public version of this project called SandMan Framework. This framework allows manipulating the hibernation file for offensics (malicious) or forensics uses.

Today, I am going to release a Proof of Concept of the sandman attack using SandMan Framework. This PoC consists in elevating a user CMD shell to SYSTEM level under Windows XP SP3 RC1.

Sandman Framework offers a wide range of possibilities, both offensive and defensive. Like cryptographic keys retrieving in popular encryption software (e.g. TrueCrypt, GPG), privilege
escalation (cf. PoC), login without any password, and so on.

All Windows versions are concerned, from Windows 2000 up to Windows 2008, Windows Vista SP1 included (and possibly Windows Seven).

The following video shows how the system can be subverted in a few minutes. The following points are highlighted:

* Deactivating hibernation feature does not solve the problem.
* The sandman attack affects every Windows version, from Windows 2000 to Windows 2008, 32- and 64-bit alike.
* We can read and write everything everywhere in the physical memory (RAM).
* This attack is feasible in real life on every computer with no hardware requirements.
* The attack has no time limitation. If a computer has been hibernated one
week ago, extracting his physical memory is still possible.

This is far more powerful than other recently demonstrated attacks against physical memory, like Cold Boot and FireWire attacks.

“keep you free from sin, till the sandman he comes”
(Enter SandMan — Metallica)