Unsigned code running on Windows RT

unsigned-code-on-windows-rt

A crack has been found in the armor of Windows RT. This subset of Windows 8 is designed to run on ARM processors. The payload listed in the image above allows you to run unsigned desktop applications on the OS.

We haven’t seen very much about the Windows RT package, so it’s nice to hear [Clrokr's] thoughts on it. As far as he can tell the system has not been watered down from its Intel-aimed (x86) counterpart. Rather, RT seems to be a direct port with what is called “Code Integrity” mechanisms switched on. There is a kernel-level setting, barricaded behind UEFI’s Secure Boot, which determines the minimum software signing level allowed to run on the device. This is set to zero on a Windows 8 machine, but defaults to 8 on an ARM device. [Clrokr] uses a debugger to insert the code seen above into a DLL file in order to reset that minimum signing value to 0.

Do you have a project in mind for which this is useful? We’d love to hear about it in the comments!

[via Reddit]

Comments

  1. muriani says:

    The first thing I saw running in this way was an RT port of the PuTTY ssh/telnet client running on a Surface.
    That alone makes it far more useful.

  2. Elias says:

    Nice one!

  3. MrX says:

    who cares? everything runs Linux nowadays..

    • Camerin says:

      Actually, linux only have 1% of global market share for PCs…

      • daid303 says:

        And PCs only have a small market share of global computers. (Think everything from mobile phones to traffic-lights)

        • SavannahLion says:

          Yet I still can’t run the latest games on a traffic light.

          Linux may be great (I use it) but until developers start releasing game of the years on it, it’s never going to have the attention of the masses.

          • xorpunk says:

            Also five figure management overhead just for small businesses who use it on infrastructure doesn’t help…

            An operating system that needs to be rebuilt to add hardware and some software support and has 20th century usability on everything from implementation to network configuration… but it’s free

          • booger_eater says:

            Gamers != not even close to majority of computer users.

          • Necromant says:

            > Linux may be great (I use it) but until developers start releasing game of the years on it, it’s never going to have the attention of the masses.

            Do you really want the audience so-called game-of-the-years are targetted for on linux? Really?

          • Cyril says:

            @xorpunk I’ll bet you still wonder why people think you don’t have a clue…
            Remote managed, Linux based, small business infrastructure is by far the cheapest solution available. Cheaper setup, much cheaper ongoing maintenance.

          • Dissy says:

            * Yet I still can’t run the latest games on a traffic light. *

            You seriously value a game more than getting to and from work/school/food alive each and every day?

          • xorpunk says:

            @Cyril: I’m clueless? You forgot to factor in that it takes humans to manage the systems who require salary and there is the cost of training and support. You obviously know about the professional aspect of the IT industry more than me…

            Windows you install some roles, configure them with users, and disable some services, and you have a ‘hardened windows server’ in a matter of hours that not only has unmatched support, but out-of-box CHM based documentation on everything, and network-distributed installation in a few clicks, for free outside machine license cost…

            Most idiots like you don’t even know the pros and cons of open source development and support, let alone the build processes and efficient configuration and implementation.

            Speaking as someone who has been a kernel developer both for BSD and Linux for years and is over-qualified for the sysop garbage you’re failing to look insightful on…

          • MrX says:

            xorpunk you are an idiot.
            an install of windows sever is not and never will be comparable to a hardened Linux server. windows simply lack much of the security functionality (have a look at NSA’s SELinux, GRSecurity etc..). just because windows has pseudo-ACLs, stupid remote administration interfaces, and weak ASLR it does not mean it is “hardened”.
            lets not even talk about the fact that windows sysadmins are (in average) dumber and less cult than the others. if you think a sysadmin is productive managing windows installs, then its because you never tried other solutions.

            and yes, Linux is everywhere. you probably have it in your TV, router, fixed IP phone (not even to talk about mobile phone) and you don’t even know.

            desktop computers and mobile computers are coming into a collision route, Ballmer knows it, that’s why you see their scared brainless tactics to enter the mobile ecosystem. But guess what? Android is eating everything in its path…

          • xorpunk says:

            @MrX: Even the GCC/Kernel developer who created SELinux says MS overflow protection are more expensive to bypass…

            Neither you or Cyril have said anything that isn’t trendy opinion on end-user forums. MS policies with DEP and ASLR are more expensive to work around by a long shot, policies still aren’t enabled out of box even on 2012 server though which is the source of most of the end-user BS you and Cyril are rumor milling. It’s basically idiots who can’t properly roll out servers and need out-of-box setups, like you and Cryil who obviously know shit about compiler design and mitigation of exploits, who are rumor milling that…

            P.S.: This is debug api runtime patching

          • MrX says:

            @xorpunk
            “MS overflow protection are more expensive to bypass…”
            you are using general on this phrase, I take you don’t know much about the subject, nice try.

            The default security model of Linux does indeed provide a weaker process space randomization than windows. However, pretty much all Linux server solutions have support for PAX which has a STRONGER ASLR than windows:
            http://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux

            Then, while Linux has SELinux (or GRSecurity) implementations of mandatory access control, Windows has NONE. Btw: Integrity control is NOT MAC. Then there is the windows ACLs which the the windows sysadmins so much praise – they suck. Linux ones are simpler and provide the same level of control. It is not the first time I see windows sysadmins bitching around because they have a ACL clusterfuck and the new rule they are trying to get in does not work as expected.
            And then, there is the stupid remote administration of servers where you have to either use RDP/VNC or the stupid management console.
            You can bitch whatever you want, I’m faster than you changing configurations on remote computers (guess what? I just need SSH) and.. I don’t even need to reboot the computer :P

            Now continue shilling as much as you want – this will be my last message.

          • Cyril says:

            @xoropunk “Speaking as someone who has been a kernel developer both for BSD and Linux for years and is over-qualified for the sysop garbage….”

            Bullshit detector OVERLOAD!!.

            Old man tip: When you actually know something, it’s easy to pick those that do not, no matter how much they pretend/insist they do ;)

      • qwerty says:

        Unfair and biased figure as this is all about ARM processors, not desktop PCs.

    • Anonymous says:

      ‘Everything’ runs Linux, but not everything runs ON Linux.

      • Blue Footed Booby says:

        Everything runs Linux*!

        *For some definitions of everything.

        To many of the above posters: Anyone who thinks the OS of choice for servers, routers, or whatever other specialist role you please has any bearing on discussion of consumer electronics you need to think really, really hard about why this hack was posted.

  4. newmiracle says:

    I was under the impression that even RT would have an Android style “side loading” or something similar. Is that not correct? If there is “side loading”, what would the point of this be?

    • six677 says:

      thats the point of this right now. Windows RT will only run applications obtained from the windows store and that is it. It wont run applications from USB, CD, download (non store) etc.

      He has lifted this restriction so it will run any application (provided it is compiled for Windows RT in the first place that is).

      Microsoft have acknowledged the hacks existence now and commented on the ingenuity of the hacker but said something that implied the hack might not work in future versions of RT.

      If you want to sideload on a windows tablet without this hack (which also needs reapplying every reboot) then your just going to have to splash out more on an x86 based windows 8 tablet rather than an ARM windows RT tablet.

      • LoganK says:

        That is not entirely true. You can easily sideload applications on Windows RT simply by obtaining a free developer’s key. (It’s quite easy.)

        However, even then it won’t allow the execution of “Desktop” (i.e., non-Modern/Metro) applications. The re-jiggering in this article allows users to run “Desktop” applications as well (which, right now, is of limited utility because the Windows RT devices use ARM processors).

      • DMink says:

        You can “sideload” Windows Store apps onto Windows RT devices if you have a developer license installed (so you can test the app you’re writing on actual hardware instead of just the emulator) without this hack. There may be a way for enterprises and OEMs to pre/sideload Windows Store apps onto Windows RT devices too, but I can’t remember exactly.

        This hack is for making unsigned (or non-Microsoft signed) desktop apps work on Windows RT devices (so long as they’ve been compiled for Windows RT, as Six677 said).

  5. 8bit says:

    Openbox, dmenu and Tint2

  6. Micro controller projects. Plug them in to an RT tablet and code away. No need to bring a bulky laptop.

  7. Whatnot says:

    I despise the concept of the lockdown of RT, but when you see how android has 100,000 apps of which 80,000 are designed mainly to gather info on you as a trojan horse.. well then you can see how MS can fuel their arguments.

  8. papagna says:

    Surface RT is a wonderful piece of hardware.

    Microsoft sells at ~600 bucks ($499+$100) a thing requiring less than $287 to manufacture. This means that if I buy it to install Linux, Microsoft will still make large profit.

    Honestly: running ARM-compiled versions of Windows apps is not as exciting as a minimal Linux install.

  9. Willrandship says:

    Is anyone else really disappointed that it NEEDED to be jailbroken? I mean, this is a computer, not a video game console.

    I expected at least THAT much, Microsoft.

  10. Bill Gander says:

    Best of luck to us all :D

  11. Alex Davidson says:

    what about using it in conjoint with a Metasploit attack?

  12. M. R. says:

    It’s really sickening that this is even necessary. It should be illegal to lock down dedicated game consoles like this, much less generic computing devices.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 91,277 other followers