Exploiting : message board

Posted by alexroot (Normal user) [ip info hidden] - Jan 11 2008, 07:11 (UTC+0)
MojoPac: Illusions of a virtual machine
INTRO
=====
MojoPac is described by mojopac.com as "The ultimate secure virtual workspace". Reuters recently released a news article specifically about MojoPac entitled "Virtual PCs add new layer of security". Thinking it was similar to VMWare I downloaded it (it's only 15 MB), but after a quick analysis it became obvious that SECURE isn't a word that should be used with MojoPac! I quickly realised this was two programs in one ... a simple desktop switcher combined with a rootkit-style kernel driver. I did a few Google searches for MojoPac vulnerabilities but found none; I think it's a fairly new program so not many people have analysed it yet.

Here are some of my findings ...


WHAT VIRTUALIZATION IS ALL ABOUT: ISOLATION
===========================================
Industry-leading virtual machine programs such as VMWare and Virtual PC effectively allow you to run multiple operating systems at the same time on the one computer. They, in theory at least, completely isolate the virtual 'guest' machine from the 'host' machine, so for example if you create a file on the virtual machine you will not be able to see or access that file from the host machine, and vice versa. Even hardware devices are emulated.

MojoPac takes a different approach. Instead of creating a virtual machine it simply creates a new desktop (called "Rng3dsk"), allowing the user to switch between the default desktop and the MojoPac desktop. Windows created on one desktop are not visible or accessible to other desktops, so functions like EnumWindows() will return different results depending on which desktop currently has focus.

However, that only provides window-level isolation. To provide some level of system isolation with regard to processes, files, registry items etc., MojoPac hooks several functions in the System Service Table with its driver, in very much the same way that rootkits do. This allows it to filter and modify certain results so as to make it APPEAR that each desktop is isolated. For example, if you try to enumerate the processes on the default host desktop then it will filter the results so that it doesn't show any processes that are running on the MojoPac desktop, and vice versa.


WHAT MOJOPAC IS ABOUT: ILLUSION!
================================
So MojoPac is only giving the ILLUSION of isolation by performing rootkit-style filtering of functions; there is no actual isolation itself as is the case with virtual machines. For example if you run netstat from the Command Prompt you will get the exact same results regardless of which desktop you're looking at, whereas this is not the case with virtual machines like VMWare and Virtual PC which emulate their own network devices.

To achieve this illusion of isolation the following functions are hooked in the System Service Table by the MojoPac driver (pvm.sys):
0x0019 - NtClose
0x001F - NtConnectPort
0x0022 - NtCreateDirectoryObject
0x0023 - NtCreateEvent
0x0024 - NtCreateEventPair
0x0025 - NtCreateFile
0x0026 - NtCreateIoCompletion
0x0029 - NtCreateKey
0x002A - NtCreateMailslotFile
0x002B - NtCreateMutant
0x002C - NtCreateNamedPipeFile
0x002E - NtCreatePort
0x002F - NtCreateProcess
0x0030 - NtCreateProcessEx
0x0032 - NtCreateSection
0x0033 - NtCreateSemaphore
0x0034 - NtCreateSymbolicLinkObject
0x0036 - NtCreateTimer
0x0038 - NtCreateWaitablePort
0x003E - NtDeleteFile
0x0042 - NtDeviceIoControlFile
0x0049 - NtEnumerateValueKey
0x0054 - NtFsControlFile
0x0057 - NtGetPlugPlayEvent
0x0061 - NtLoadDriver
0x0071 - NtOpenDirectoryObject
0x0072 - NtOpenEvent
0x0073 - NtOpenEventPair
0x0074 - NtOpenFile
0x0075 - NtOpenIoCompletion
0x0077 - NtOpenKey
0x0078 - NtOpenMutant
0x007A - NtOpenProcess
0x007D - NtOpenSection
0x007E - NtOpenSemaphore
0x007F - NtOpenSymbolicLinkObject
0x0083 - NtOpenTimer
0x0084 - NtPlugPlayControl
0x008B - NtQueryAttributesFile
0x0091 - NtQueryDirectoryFile
0x0095 - NtQueryFullAttributesFile
0x0097 - NtQueryInformationFile
0x00A0 - NtQueryKey
0x00AD - NtQuerySystemInformation
0x00B1 - NtQueryValueKey
0x00B3 - NtQueryVolumeInformationFile
0x00D2 - NtSecureConnectPort
0x00E0 - NtSetInformationFile
0x00F7 - NtSetValueKey
0x00F9 - NtShutdownSystem
0x0112 - NtWriteFile
0x122E - SwitchDesktop
As you can see it's not a very complete list; there are many important system functions that aren't hooked.

Defeating MojoPac is simply a matter of unhooking the functions, and at that point MojoPac becomes nothing more than a simple desktop switcher. As these are kernel-level hooks they require a kernel driver to unhook them, but this isn't overly complicated; many anti-rootkit programs already have such capabilities.

However, because MojoPac hooks functions to achieve the illusion of isolation without actually doing any real isolation it remains vulnerable in many other ways, including many user-mode exploits - no kernel-mode driver required.


DETECTING HIDDEN PROCESSES
==========================
MojoPac tries to filter the results of both EnumProcesses and the Toolhelp enumeration functions so as to hide the MojoPac desktop processes from the processes in the default desktop, but there are still other ways to detect those processes. One is NtQuerySystemInformation. MojoPac does hook this function, but perhaps a design oversight is why it still works. Another way is to call OpenProcess on every possible PID (in increments of 4, obviously).

Yes that's right ... whether you're in the MojoPac desktop or the default desktop you can call OpenProcess on any process, and consequently do whatever else you want to them, including reading/writing their process memory, and terminating them, regardless of which desktop you're on.

Another thing of interest is that there is ONE process that is visible to both the MojoPac and default desktops called RingThreeMainWin32.exe, complete with the same process ID - it is the same process.


FILE/DRIVE PROTECTION
=====================
From the MojoPac desktop you can still see all of the system's drives (the GetLogicalDrives/GetDriveType functions still work) but you can't access them, presumably because of the NtFsControlFile and NtCreateFile hooks. I haven't tried to find a bypass for that yet, but one point of interest is that the Windows operating system directory is available to both desktops, so while MojoPac tries to prevent you from seeing all the other files on the computer it does allow you to do anything you like in the Windows folder, including creating, modifying and deleting files, and the changes affect the host computer as well as MojoPac.


THE PASSWORD
============
To log into the MojoPac desktop the user is required to enter a password. Various settings including the password are all stored in encrypted files, but MojoPac is vulnerable to a simple attack: read the decrypted password from its process memory. This attack works because when you run MojoPac it decrypts the files in memory, including the password which can then be read. In my case it was always located at 00C84B08 as a null-terminated string.
I would recommend to the MojoPac authors that they only store a hash of the password rather than the password itself.


I hope you found this article informative and useful.
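The cross-view check that the DETECTING HIDDEN PROCESSES section describes, written out as an added example; this is not code from the post and not MojoPac's or any anti-rootkit tool's code. It compares the Toolhelp snapshot (the view the post says the hook filters) with a brute-force OpenProcess probe over every multiple of 4 (the view the post says still works), and reports PIDs present in the second but absent from the first. The Win32 calls are plain ctypes bindings to documented kernel32 functions and only run on Windows; the upper bound MAX_PROBE_PID and the use of PROCESS_QUERY_INFORMATION are this example's own choices. diff_views() is pure Python so the comparison can be exercised with constructed PID lists anywhere.

```python
"""Cross-view process check for a user-mode enumeration filter.

Added example for this thread, not MojoPac's code and not any
anti-rootkit tool's code. Toolhelp enumeration (the filtered view) is
compared with an OpenProcess probe over every PID (the unfiltered view).
"""
import ctypes
import sys

# Documented Win32 constants.
TH32CS_SNAPPROCESS = 0x00000002
PROCESS_QUERY_INFORMATION = 0x0400   # available on the XP-era systems the post discusses
ERROR_ACCESS_DENIED = 5              # the PID exists; we are just not allowed to open it
MAX_PROBE_PID = 0x10000              # assumed upper bound for this example


class PROCESSENTRY32(ctypes.Structure):
    """ANSI PROCESSENTRY32 layout from tlhelp32.h."""
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("cntUsage", ctypes.c_uint32),
        ("th32ProcessID", ctypes.c_uint32),
        ("th32DefaultHeapID", ctypes.c_void_p),
        ("th32ModuleID", ctypes.c_uint32),
        ("cntThreads", ctypes.c_uint32),
        ("th32ParentProcessID", ctypes.c_uint32),
        ("pcPriClassBase", ctypes.c_int32),
        ("dwFlags", ctypes.c_uint32),
        ("szExeFile", ctypes.c_char * 260),
    ]


def diff_views(snapshot_pids, probed_pids):
    """PIDs reachable through OpenProcess but missing from the enumeration.

    A hook that filters process enumeration while leaving process opening
    effective (what the post describes) produces exactly this discrepancy.
    Entries only in the snapshot (PID 0, the idle process) are irrelevant.
    """
    return sorted(set(probed_pids) - set(snapshot_pids))


def _kernel32():
    if sys.platform != "win32":
        raise OSError("the Win32 probe only runs on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.Process32First.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.Process32Next.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32


def snapshot_pids():
    """The view the hook controls: Toolhelp process enumeration."""
    k32 = _kernel32()
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap in (None, ctypes.c_void_p(-1).value):   # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
    pids = []
    ok = k32.Process32First(snap, ctypes.byref(entry))
    while ok:
        pids.append(entry.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return pids


def probe_pids(max_pid=MAX_PROBE_PID):
    """The view the hook does not control: OpenProcess on every multiple of 4."""
    k32 = _kernel32()
    found = []
    for pid in range(4, max_pid, 4):
        handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
        if handle:
            found.append(pid)
            k32.CloseHandle(handle)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            found.append(pid)   # exists, just protected (e.g. runs as SYSTEM)
    return found


if __name__ == "__main__":
    hidden = diff_views(snapshot_pids(), probe_pids())
    print("PIDs reachable by OpenProcess but absent from Toolhelp:", hidden or "none")
```

Treating ERROR_ACCESS_DENIED as "exists" matters: a filter that blocked the open call would have to return the same error the kernel returns for a non-existent PID to stay undetected, and on a normal system the two are easy to tell apart.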
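The fix alexroot recommends in THE PASSWORD, storing only a hash, shown as an added example (not MojoPac's code and not from the post). The storage format, the choice of PBKDF2-HMAC-SHA256, the 16-byte random salt and the iteration count are this example's own assumptions; the point is that the verifier only ever holds the salted hash and the attempt being checked, so reading the running process's memory, as the post does against MojoPac, yields a hash rather than a reusable secret.

```python
"""Verify a password against a stored salted hash instead of keeping the
password itself. Added example for this thread, not MojoPac's code."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor for this example; raise as hardware allows


def make_record(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' for storage.

    The plaintext is consumed here and never written anywhere.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def check_password(record, attempt):
    """Recompute the hash of the attempt and compare it in constant time.

    Malformed or unknown records fail closed. Only the record and the
    attempt are in memory during verification; the original password is
    not stored, so a memory read exposes the salted hash, not the secret.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = make_record("correct horse")          # constructed sample password
    print(record)
    print(check_password(record, "correct horse"), check_password(record, "wrong"))
```

The typed attempt still exists briefly in memory while it is being checked, so a caller should drop its reference as soon as check_password() returns; what this design removes is the long-lived copy of the secret that the post found at a fixed address.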
Posted by rjacksix (Normal user) [ip info hidden] - May 20 2008, 04:39 (UTC+0)
Re: MojoPac: Illusions of a virtual machine
Thanks for this. It seems that there will be more and more reliance on virtualization as a means of security. Of course if the virtual system is built upon an insecure system to start with it becomes a pointless exercise.

So what is the possibility (in your estimation) of being able to hook the hooks?

Is there an ability to install drivers in the MojoPac environment?

Inquiring minds would like to know.

BTW: Nice catch on the decrypt of the PW in memory..hehe. Sounds VERY secure.

Posted by Hojo (Normal user) [ip info hidden] - Mar 02 2008, 01:34 (UTC+0)
Re: MojoPac: Illusions of a virtual machine
Fantastic article mate.

What a joke of a 'Virtual Machine'

Some people really just don't understand the idea.

Clearly the makers thought they were doing something secure and innovative, but really this is just shocking, and clearly they lack knowledge of the lower-level system needed to be able to make such a tool.

And storing the password in plaintext makes me cringe, urgh.

Nice writing man, I'll be sure to steer clear!
Posted by pingerbcn (Untrusted stranger) [ip info hidden] - Aug 03 2008, 18:59 (UTC+0)
Re: MojoPac: Illusions of a virtual machine
This is my first post ever here and my English skills are not really good, so don't be evil ;)

Very interesting read, thanks for posting. But I have some questions about this. What do you think is the most secure virtual machine program? What do you think of VirtualBox? And of VMWare Server?

What VM do you recommend? I use these two, VBox and VMWare, and I just started playing with rootkits and learning how they work, but I don't want to be infected while testing them, so help is appreciated.

Thanks for all and thanks for the lecture.

Greetings
Pinger
Posted by gnostus (Untrusted stranger) [ip info hidden] - Aug 06 2009, 23:42 (UTC+0)
Re: MojoPac: Illusions of a virtual machine
VBox is my favorite, and the simplest to set up, and best of all free.

I do not have an immense knowledge of virtualization, but this definitely sparked interest and I can see how this will become a de facto standard for mediocre security in the future.

thanks for the read