Well i got this from some other forum, i didint read it completly but i thought you guys might find it intertesting
Quote:
Source of security hole:
INCA nProtect Gameguard
Methods of propagation:
http://eng.nprotect.com/partner.htm
Vulnerable Operating Systems:
Windows 2000
Windows XP
Windows 2003
Non-Vulnerable Operating Systems:
Windows 9x
Vulnerability:
nProtect Gameguard is an application bundled with multiplayer games which
hides the game application process, monitors the entire memory range,
terminates applications defined by the game vendor and INCA to be cheats,
blocks certain calls to DirectX functions, and auto-updates itself.
To achieve some of these ends the program uses a kernel driver by the name
of nppt9x.vxd (Windows9x) and npptnt2.sys (Windows NT).
Due to the nature of Windows 9x design, the vulnerability we are about to
discuss has no bearing. A malicious individual could achieve the same ends
on Windows 9x without the need of the npptnt2.vxd driver.
This kernel mode driver allows any process to access it, and it modifies the
I/O permission mask for the calling process to allow unrestricted I/O in
user mode. The design of modern operating systems does not generally allow
for any I/O access from user mode code for system stability and security.
The driver uses undocumented kernel function Ke386SetIoAccessMap and
Ke386IoSetAccessProcess to achieve this; the driver is very similar to the
PortTalk sample available at
http://www.beyondlogic.org/porttalk/porttalk.htm.
Allowing a process unrestricted I/O access has the following risks:
1. If the process behaves unexpectedly (for example, a stack corruption
returning to arbitrary code), I/O instructions could be issued, leading to
potential problems with the system, bad data, etc.
2. A malicious process could elevate its privilege level on the system by
using direct hardware access to read / write the hard disk, program the DMA
controller, etc., or it could damage the system by resetting CMOS,
formatting the hard drive, etc.
The driver is installed as a system service. Even when Gameguard and the
multiplayer game(s) are closed, the driver continues running. The driver is
accessible under a non-admin account and is activated every boot. It does
not uninstall when the application is removed and in fact will not even
uninstall if selected in Device Manager and told to uninstall. The driver
must be deleted manually, and the registry must be edited to remove the
remaining reference.
It is true that even with this vulnerabilty the user must still be tricked
into running a malicious application that exploits it. However, in South
Korea, where the Gameguard service is widely used, net cafes have become
part of the social fabric. These machines are ripe fruit for damage.
At the more challenging level, one could use this hardware access to turn
the PC into a zombie. One could datamine information (bypassing NTFS
permissions), commit DDoS attacks, or escalate privileges on the system, by
putting the IDE controller into PIO mode, searching the disk for the system
DLLs, and replacing them with code altered to grant admin privilege. The
possibilities at this level of hardware access are nearly endless.
The nProtect Gameguard program is very rare here in North America, despite
the impressive partner list of INCA. It would be premature, however, to
presume that the installed base for this exploit is tiny. Just two of the
games on the INCA partner list - Lineage I and Lineage II - have a total of
four million active subscribers worldwide. This is not including the users
who have cancelled their accounts with a game service that uses Gameguard,
or future buyers who will purchase a game service that uses Gameguard.
Quote:
It is important to note the following:
Under an admin account, Gameguard will automatically replace any deleted
piece of itself upon the launching of the game application. Under a
non-admin account, the game application will not even function without the
driver in place. The user is forced, by fears of being compromised or by
the simple fact that the game will not run, not to play at all. The
alternative is for the user to exercise extreme caution in the applications
he or she chooses to run. Virus scanners will not detect or warn a user in
advance. In light of these issues, the burden upon the user is very high.
Left the exploit codes out, and some detailed info for security/board reasons.
