Rootshell’s Research and Development team have discovered more flaws in NetLib Security’s flagship encryption platform, Encryptionizer, and its associated kernel drivers. This is in addition to the first flaw announced by the team in September of this year.

A common source of Windows Kernel driver development/security woes is an assumption regarding the Zw family of kernel API functions and how they enforce (or do not enforce) Access Control Lists (ACLs) and permissions.

Many wrongly assume that providing an interface to the Zw family of functions from Userland (all code which runs outside the Operating System’s kernel), that is calling said functions from Kernel drivers with parameters from Userland, will enforce ACLs and permissions.

Microsoft often warn against this assumption as it is indeed a falsehood.

The Zw family of kernel API functions does not enforce ACLs unless explicitly told to do so. Therefore, a kernel driver making a call to such functions with Userland provided arguments is potentially a source of vulnerabilities, since an application program may potentially make calls to functions with privileged operations.

The pseudo-code for the affected function is given below:

netlib code 2.1

netlib code 2.2

netlib code 2.3

(No symbols are contained in the driver binary; the name ‘CallZwCreateKey’ was attributed by hand.)

The above code demonstrates a call to the function ‘ZwCreateKey’ containing Userland defined parameters. The resultant HANDLE is returned to the Userland program, albeit obfuscated through the XOR with the constant 0xACACACAC.

The value of ObjectAttributes.Attributes contains the value 576 (0x240), which corresponds to the value OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, so while the resulting HANDLE cannot be used from a Userland context, it does not enforce a kernel ACL check. As such, a Userland process making a call to the affected driver through this function, could, if they so wished, create a registry key at any location within the Windows registry.

In line with our Bug Release Terms, we informed NetLib Security of these issues and gave 90 days of notice before disclosing any information. Although NetLib accepted the issue, they have not yet taken further action. As such, limited information relating to these issues will be disclosed.