Defeating Mbr Filter With Techniques From 2011

If MBR is protected, just overwrite VBR. Like Carperb did

Summary

A few days ago TalosIntel, a cisco subunit I guess, released MBRFilter. It is a simple driver protecting the MBR from malicious modification - and it does exactly what it says on the tin.

@SwiftOnSecurity, softpedia and bleepingcomputer picked it up, so I guess many people saw it. I’m not entirely sure if even the bleepingcomputer video really conveyed how much/little security it actually offers. (Minor nitpick: Ransomware would not encrypt the MBR but the Master File Table)

I have two problems with this release:

It does not actually solve the problem, as any later stage in the boot process can be overwritten instead - as Rovnix did years ago
direct disk access already is protected – only processes running with administrator rights can modify it. If malware is able to run as administrator the PC should be considered toast anyway, even if the MBR itself is protected

I will release an extremely simple POC that circumvents the filter. Malware authors gain nothing from that, if they haven’t figured it out by now, this code will not help them. (Not to mention that cisco advertises MBRFilter to protect specifically against ransomware - whose authors would be unable to empty a bucket if the instructions to do that were printed on its bottom…)

Details about MBRFilter

MBRFilter is a kernelmode driver written in C. It draws heavily on example code by Microsoft, and prevents writes to sector 0 of non-removable devices or CDs.

It installs a callback to filter SCSI Passthrough (in MBRFDevControl()) and requests coming from the normal I/O mechanism (in MBRFReadWrite()). If those requests try to sector 0 of any drive it shows an error message and makes that request fail.

(I’m not entirely sure why the check in MBRFReadWrite() is diskoffset / 512 == 0, instead of just a simple comparison. However I’d be happy to hear about that)

Reading the MBR is not protected however, because there is no possible harm in that correct?

Rudimentary introduction to the Windows booting procedure

The, unmodified, Windows MBR has, like all Master Boot Records, a size limit of 512 bytes. And not even all of that can be used freely, for example at the end there has to be a 2 byte signature and before that a partition table.

So all the actual MBR does is setup a few small things and then read the next stage of the boot process. The next stage is at the first sector of the partition that is bootable (i.e. has the bootable flag set in that table).

The MBR then reads that next stage (called Virtual Boot Record) into memory and continues execution there.

Circumventing MBRFilter

As astute readers may have noticed the VBR is on another sector than the MBR. As MBRFilter only protects the MBR, the VBR can be modified using normal WinApi functions. The only challenge is finding the VBR…

Well as MBRFilter does not prevent reading the MBR a malicious application could read the MBR, parse the partion table to find the VBR and then overwrite it.

And would you look at that, I did exactly that. The code is nothing fancy, it doesn’t even have any sort of output. Your PC just will be stuck; the only remedy is turning it off. Forever.

Summary

MBRFilter does what it says. Sadly if you know enough to accurately judge what that exactly means you are basically able to circumvent that. Obviously the average user, and as it seems not even the average tech journalist, don’t have that knowledge. And that is fine, but Cisco should make the shortcomings more clear! Putting “defense-in-depth” anywhere in the Text would have been enough to hint at the shortcomings.