r000t

Remember when they told you that kernel-mode anticheat was perfectly safe?

Once these drivers are signed by Microsoft, they can be loaded into *any* Windows system, even if you don't play the game they're from.

30 comments

@r000t Might not even need loading in some cases, I've seen people complaining that Genshit keeps the driver in the system even after being uninstalled. Once again, anticheat is cancer.
fuggy

@r000t@infosec.exchange remind me why an anime gacha game needs a kernel level driver?

eviloatmeal

@r000t "Kernel mode anti-cheat", or as it used to be called, a rootkit.

almaember
@r000t wait how does it work if you don't have Genshin Impact installed?
divVerent

@r000t@infosec.exchange Wait, I do not understand that. If a driver is signed by Microsoft, then EVEN NON-ADMIN USERS can load them?

That... sucks. But it finally explains to me why that github project that contains a huge .h file with the driver is a real PoC :)

JoYo

@r000t stadia doesn’t sound so bad now.

Will Rehwinkel

@r000t Watch: Once this bug is patched, the kernel anticheat will be 100% safe, trust me

The Cobra

@r000t i don't want to say i called it, but i hella called it

Sarvo

@r000t@infosec.exchange how do you even run it if you don't have genshit installed? Also what is the implication of this for wine?

DELETED

@r000t not defending kernel mode anticheats, but I think the bigger problem here is Windows's Swiss cheese level kernel module management.

DELETED

@iska @r000t I'm not sure of that. After all, Linux is infamous for being an absolute pain to install kernel mode drivers, and that's when you WANT to get software into the kernel. That's why it matters so much if a processor or GPU is mainline supported. Meanwhile, Windows doesn't even ask for your password. Just a UAC prompt.

DELETED

@iska @r000t also, make sure you can never, ever do `sudo wine [whatever]` on your machine. That's just asking to be screwed.

Crystal (melting)
@AgreeableLandscape
> Windows doesn't even ask for your password. Just a UAC prompt.

Depends on security policy on current machine. Mine for example asks admin password on UAC.

@iska @r000t
Iska :emacs_thinking:​ :guix:

@AgreeableLandscape @r000t
sudo modprobe anti~christ~cheat

> Just a UAC prompt

Only true when you use an admin (root) account.

DELETED

@iska @r000t yeah, but this specific vulnerability hinges on not requiring UAC authorisation to install the anticheat. Like, if you need to sudo it, it's a lot less of a threat.

r000t

@AgreeableLandscape
There's a higher level than any interactive administrator account on a Windows system, called NT AUTHORITY\SYSTEM, and this is the level drivers and this sort of anticheat run at.

This is the level you would need to be to start doing really nasty things like keylogging, hiding processes/network/file activity, and generally making your computer gaslight you. This also means it can gaslight any antivirus you may be running.
@iska
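Added example, not from the thread or from any anticheat vendor: a defender's inventory of the kernel driver services on a Windows box (the point raised above about drivers lingering after uninstall, and about drivers running as SYSTEM), assuming an elevated PowerShell session. Because attestation-signed third-party drivers also carry a Microsoft signer, the report includes the binary's CompanyName so the vendor is visible next to the signature.

```powershell
# Added example (not the thread's or any vendor's code). Assumes an elevated
# PowerShell session on Windows; it only reads service metadata and files.
function Get-KernelDriverInventory {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = $d.PathName
        if (-not $path) { continue }
        # Normalise the NT-style prefixes CIM can return so the file can be opened.
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered driver whose binary is gone: typical leftover of a sloppy uninstall.
            [pscustomobject]@{ Name = $d.Name; State = $d.State; Start = $d.StartMode
                               Company = '(binary missing)'; Signer = ''; SigStatus = ''; Path = $path }
            continue
        }
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $info = (Get-Item -LiteralPath $path).VersionInfo
        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State            # Running / Stopped
            Start     = $d.StartMode        # Boot / System / Auto / Manual / Disabled
            Company   = $info.CompanyName   # vendor string embedded in the .sys file
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SigStatus = $sig.Status         # Valid / NotSigned / HashMismatch ...
            Path      = $path
        }
    }
}

# Show everything that is not reporting itself as a Microsoft component, plus orphaned entries.
Get-KernelDriverInventory |
    Where-Object { $_.Company -notlike 'Microsoft*' } |
    Sort-Object State, Name |
    Format-Table Name, State, Start, Company, SigStatus, Path -AutoSize
```

A driver listed as Stopped with a missing binary is harmless until the binary is restored; one listed as Running with a non-Microsoft CompanyName and a Microsoft signer is exactly the attestation-signed third-party case the thread is about and deserves a look.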

DELETED

@r000t @iska this just goes with the theme that you don't own your Windows system that Microsoft is going for. You're merely a guest on the OS you paid for.

Soy_Magnus
@iska @AgreeableLandscape @r000t but the real question is what will it do and I'm going to use someone else's phone to find out
inference
@AgreeableLandscape @iska @r000t You shouldn't be daily driving an admin account exactly for this reason. Same as root on Unix.

Max out UAC, don't use admin, safe.
GNU/neko :cursed_verified::makemeneko:
@iska @AgreeableLandscape @r000t it's signed by a trusted party, the user is presumably granting the software admin, realistically I don't see what else the OS is supposed to do at that point

at least on linux I can't imagine ever granting a closed source userspace binary cap_sys_module. but I guess there are lots of people running windows who will grant games whatever they demand in order to play
Mek101

@iska @AgreeableLandscape @r000t Nay, on linux you still need to perform the operation as root. Plus the kernel module API/ABI is not even stable, so you would have to package a different module for almost any combination of distro/kernel version you want to attack
