MS SurfaceRT Security Broken–Now you can run ANY Desktop App
We knew it’s a matter of time, in fact I am surprised it took this long, but it has finally happened. Someone has found a way to circumvent the built-in Security of Surface preventing arbitral running of Desktop Apps on SurfaceRT devices. Its all about a Byte in the Kernel, and a hacker going by the handle of Clrokr (@Clrokr) has found it as below:
LDR R3, =0x59FFA6 This is our byte, 0x19FFA6 at 0×400000 image base
LDRB R3, [R3]
CMP R3, #4
Here is what he said about it:
Finding the right spot
The minimum signing level determines how good an executable’s signature is on a scale like this: Unsigned(0), Authenticode(4), Microsoft(8), Windows(12). The default value on x86 machines is of course 0 because you can run anything you like on your computer. On ARM machines, it defaults to 8.
That means that even if you sign your apps using your Authenticode certificate, the Surface or any other Windows RT device (at this moment) will not run them. This is not a user setting, but a hardcoded global value in the kernel itself. It cannot be changed permanently on devices with UEFI’s Secure Boot enabled. It can, however, be changed in memory.
Finding this byte in the kernel takes a while, there is no exported symbol for it and not even in the symbol database at MSFT. I found it using WinDbg and a machine running Windows 8 Pro, creating processes and watching how the system behaves when the signature checks happen all the way through CI.dll and back. Because Windows 8 and Windows RT are so similar, locating it in the ARM kernel was not hard…
He provided the sample exploitation code on his blog. But what does it all mean to you as user? First, this is not for the faint hearted, you must know what you are doing. Second, someone will probably write a code to automate the jailbreaking. But the question is would you run this code on your ARM device?
I personally will like to to see how SurfaceRT performs after jailbreak. Remember the version of Office on SurfaceRT is specially crafted and optimized for the RISC architecture and its small power environment. So, will you be able to run the likes of AutoCAD/Photoshop now on Surface, I doubt it, you will be frustrated possibly with the performance speed. We will be keeping an eye on developments for you and report back if anything new come up around this story.
It’s a brave world out there, once again, it has been proven that nothing is secure by default. If it is written by man, it will be broken by man, period. Now that you can jailbreak SurfaceRT, what are you going to do about it? The decision is yours and yours alone.
You can read the rest at Clrockr site: http://surfsec.wordpress.com/2013/01/06/circumventing-windows-rts-code-integrity-mechanism/
I have been made aware of the fact that you can’t run “ANY” desktop Apps on ARM devices like the hacker’s post suggested, but even after this jailbreak, you still have to compile your standard Desktop App for ARM before it will run in a jailbroken desktop. So, with this news, we can expect Google and the likes to start compiling Chrome and other apps for Windows RT desktop. And of course all the security risks and exploits will follow. Hopefully people will not be blaming Microsoft for their misfortune then.