Some fun with vintage bugs and driver signing enforcement

click here for tl;dr

Tablets with Windows, SecureBoot, TPM and Bitlocker are all fun and games, until you want to install some free utility (such as FreeOTFE). Long story short, you have to disable Bitlocker, or buy a higher than home edition of windows (to add -pw protector so you can turn off secure boot). Bummer.

There are of course other ways around this, unfortunately the vbox exploit is not very suitable for my baytrail tablet, enforced WHQL won't even allow the driver to load. However this being an old hat-trick, googling turned up an interesting approach of simply loading older, more buggy Microsoft drivers (=WHQL sig) on modern windows to exploit, and use that to bypass DSE.

We'll still keep using the same bug class, but try to find some more reliable target than mountmgr.sys, as dealing with trashed SYSTEM thread stack and SMEP is pretty annoying.

Using RtlQueryRegistryValues bugs as a convenient copy-what-where

Maybe we can do better - don't try to hijack IP control, but abuse RtlQueryRegistryValues to simply write 0 byte into CI.DLL!ci_Options, thus removing signed driver enforcement - all without running any shellcode.

Read more →
Last updated Thu, 04 August, 2016