
Subject: Virus exploits workaround in Windows Mobile/Pocket PC architecture (Includes Source Code)
Date: 18 Sep 2004 03:33:46 -0000


Airscanner Mobile Security Advisory

*Title*

Virus exploits workaround in Windows Mobile/Pocket PC architecture (Includes Source Code)

*Introduction*

Airscanner Corp. has obtained and published the complete, annotated source code 
to CE.Dust, the first virus to infect the Windows Mobile/Pocket PC platform.

*Background*

Virus authors have been trying to infect Windows CE for several years. However, 
CE.Dust had to overcome unique technological barriers in order to infect this 
platform. By publishing the source code, Airscanner Corp. hopes to help 
security researchers and programmers develop appropriate countermeasures.

Airscanner Corp. received the CE.Dust virus from its author at the exact same 
time as all other major antivirus companies. However, because Airscanner Corp. 
specializes exclusively in software reverse engineering for ARM-based 
processors, we were fortunate enough to be the first antivirus company to 
analyze the virus and post a fix on July 16, 2004:
http://www.airscanner.com/pr/dust0715.html

*Source Code*

Following our initial publication, we wrote to the virus author and asked him 
to explain how he managed to be the first to infect this virgin OS. He was kind 
enough to explain his results in great detail. We have published his source 
code, along with annotation and our background material, at the following link:

http://www.informit.com/articles/article.asp?p=337071

*Vulnerability*

The virus exploits a unique workaround in the Windows CE.NET security 
architecture. Windows CE was designed with a protected kernel. User-mode 
applications are not permitted to interact directly with the kernel. This was 
designed to enhance the security and stability of Windows CE.

However, the "coredll module" resides deep within the kernel. This is the key 
module that controls all of the core system processes -- as well as all of the 
necessary ingredients for successful virus infection.

The CE.Dust virus exploited a clever workaround of the operating system 
architecture in order to gain access to the coredll module. Specifically, in 
Windows CE.NET, Microsoft has left the function "kdatastruct" accessible to 
user mode. This provided the key to the entry point of the virus. Full details of 
this vulnerability are provided in the annotated comments of the source code listed 
in the article above.

*Contact*

Airscanner Corp.
http://airscanner.com/
contact@airscanner.com

Contributors:

Cyrus Peikari
Seth Fogie
Ratter/29A
Jonathan Read
