is this a kind of virtualization software ?
- Member
- Posts: 59
- Joined: Tue May 23, 2006 11:00 pm
http://www.piotrbania.com/all/kon-boot/
the site says:
Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel (and now the Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows logging into a Linux system as the 'root' user without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without any knowledge of the password. It was actually started as a silly project of mine, which was born from my never-ending memory problems. Secondly, it was mainly created for Ubuntu; later I made a few add-ons to cover some other Linux distributions. Finally, please consider that this is my first Linux project so far. The entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.
I believe this is a kind of virtualization software, which loads the kernel image and modifies part of it in memory ... am I right?
Re: is this a kind of virtualization software ?
Hi,
extremecoder wrote: I believe this is a kind of virtualization software, which loads the kernel image and modifies part of it in memory ... am I right?
No. It doesn't virtualize or emulate anything. Instead it modifies a kernel during boot to trash security.
I'd also point out that this is exactly the sort of crap that the TPM is designed to protect OSes against..
Cheers,
Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
- NickJohnson
- Member
- Posts: 1249
- Joined: Tue Mar 24, 2009 8:11 pm
- Location: Sunnyvale, California
Re: is this a kind of virtualization software ?
Although from a security standpoint, the user of this software already has access to the machine anyway, so the machine is already effectively compromised. I also highly doubt it would work well against kernels that are compiled with different configurations and optimizations.
However, maybe a program like the one extreme thought it was could be useful. You could have a small piece of bare metal code that works like a VM and runs the OS beneath it - trapping privileged instructions and protecting the real hardware. You could configure it to stop the virtual OS from using specific interrupts/ports/features etc. That way, you could do testing of others' OS projects with no worries about wiping your hard drives and such. But unlike Bochs or Qemu, things would run just like they would on the bare hardware and nearly as fast as on the bare hardware.
Re: is this a kind of virtualization software ?
NickJohnson wrote: However, maybe a program like the one extreme thought it was could be useful. You could have a small piece of bare metal code that works like a VM and runs the OS beneath it - trapping privileged instructions and protecting the real hardware. You could configure it to stop the virtual OS from using specific interrupts/ports/features etc. That way, you could do testing of others' OS projects with no worries about wiping your hard drives and such. But unlike Bochs or Qemu, things would run just like they would on the bare hardware and nearly as fast as on the bare hardware.
Wait.... isn't this VMware? Apart from the "small piece of bare metal code".
- Combuster
- Member
- Posts: 9301
- Joined: Wed Oct 18, 2006 3:45 am
- Libera.chat IRC: [com]buster
- Location: On the balcony, where I can actually keep 1½m distance
- Contact:
Re: is this a kind of virtualization software ?
There's that difference between changing a program and trapping out of a program to control its behaviour.
The one is called patching, the other virtualisation. The difference is that one needs to actively alter all pieces of code, while the other waits for the signal that something went on. Which is exactly why the first does not work for trapping an OS inside another.
- NickJohnson
- Member
- Posts: 1249
- Joined: Tue Mar 24, 2009 8:11 pm
- Location: Sunnyvale, California
Re: is this a kind of virtualization software ?
I wasn't talking about what the design of kon-boot is, but instead what I interpreted extreme to have interpreted it as. You could make a low level VM without any code modification - just some privileged instruction trapping. Edit: My idea only has to do indirectly with kon-boot. The real idea is to have a simple VM that protects test machines by trapping port accesses and such.
But the whole point is that it doesn't run under another OS - it would provide direct access to memory and devices (selectively) so it would be essentially the same as running on the real machine. Nothing would be emulated, things would only be blocked. You could also use it to test *actual* device drivers instead of those for devices that only exist in VMs, without worrying that you chose the wrong port and blew out your speakers or something. Not to mention the speed difference...
Re: is this a kind of virtualization software ?
Hi,
NickJohnson wrote: Although from a security standpoint, the user of this software already has access to the machine anyway, so the machine is already effectively compromised. I also highly doubt it would work well against kernels that are compiled with different configurations and optimizations.
While that's a fairly common way of looking at things, I personally think that the industry can do better, and that the industry should do better (especially for mobile devices like laptops).
For example, imagine if someone steals your laptop, then clears the CMOS to bypass the BIOS setup password, then boots your OS with something like Kon-Boot (or even just re-installs the OS). Now they've got your data; which could include things like your banking details, embarrassing pictures of yourself that you didn't want on the internet, etc. I know my computer has enough personal information on it to allow a fairly thorough identity theft, including account details and passwords for things like PayPal...
Note: I know it's a bad idea to store passwords, etc; but a "secure" password is almost impossible to remember and therefore has to be written down somewhere (which makes me wonder if an insecure password that can be remembered would be more secure).
Then there's businesses - things like trade secrets, client lists, etc. For example, I know someone who sometimes has one of the laptops from his work, which includes confidential information for lots of people who receive government benefits. If this laptop got stolen it'd be a major privacy breach, and the company he works for could/would lose government contracts worth lots of $$$ (and they'd need to close down, because government contracts are the company's only income). In this particular case the data needs to be on a laptop because he travels (e.g. it can't be physically bolted down in a locked room that's protected by an alarm system).
Cheers,
Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
- Member
- Posts: 59
- Joined: Tue May 23, 2006 11:00 pm
Re: is this a kind of virtualization software ?
Not only that ... think about some critical servers, where there will be multiple sysadmins and one root admin ... the sysadmin guy (app admin, DB admin, etc.), since he doesn't have any root access but still wants to do some nasty things, can use this tool and install a rootkit or a backdoor ... there are many more avenues if your thinking is more creative.
I am working on pen testing and I know how useful this is ... but I never thought of an idea like Kon-Boot.
- Troy Martin
- Member
- Posts: 1686
- Joined: Fri Apr 18, 2008 4:40 pm
- Location: Langley, Vancouver, BC, Canada
- Contact:
Re: is this a kind of virtualization software ?
Brendan wrote: Note: I know it's a bad idea to store passwords, etc; but a "secure" password is almost impossible to remember and therefore has to be written down somewhere (which makes me wonder if an insecure password that can be remembered would be more secure).
Depends on how easy it is to guess the password vs. finding where it's stored, I guess.
Re: is this a kind of virtualization software ?
Some OSes have thought of ways to prevent this. OpenBSD, for example, supports encrypting /home.
Also, I'm curious as to how exactly this works.. do you just load the NT kernel and change a bit of code in memory and poof, no passwords?
- Combuster
- Member
- Posts: 9301
- Joined: Wed Oct 18, 2006 3:45 am
- Libera.chat IRC: [com]buster
- Location: On the balcony, where I can actually keep 1½m distance
- Contact:
Re: is this a kind of virtualization software ?
pretty much
how easy do you think it is to disable password checking?:
Code:
je password_ok ; 74 xx - short conditional jump, 2 bytes
Code:
jmp short password_ok ; eb xx - short unconditional jump, 2 bytes
consider how much one "fixed" byte can do for you
@Brendan: how secure is any password at all with all the social engineering folks around?
- Troy Martin
- Member
- Posts: 1686
- Joined: Fri Apr 18, 2008 4:40 pm
- Location: Langley, Vancouver, BC, Canada
- Contact:
Re: is this a kind of virtualization software ?
We're evil geniuses. One byte and "poof!" all security is gone.
Re: is this a kind of virtualization software ?
sounds to me like we have a software cracker in our midst...
- Troy Martin
- Member
- Posts: 1686
- Joined: Fri Apr 18, 2008 4:40 pm
- Location: Langley, Vancouver, BC, Canada
- Contact:
Re: is this a kind of virtualization software ?
Oh hell, we have many "security experts" here. Or, at least, that's what the FBI thinks
Re: is this a kind of virtualization software ?
Well, what I mean is how do you know that 0x47832DA is the address of password_ok.. for Linux kernels this would be easy, but for the closed-source, no-symbols NT kernel it seems that it would take quite a bit of time with a debugger and hex editor to figure out exactly what byte to change..