1 stories

Windows RT exploited to run unsigned non-Windows Store apps, not yet fully jailbroken


Looks like someone has found out a way to run non-Windows Store apps on a Windows RT device, such as the Surface RT, via a vulnerability. As Microsoft continues to push the Windows Store and its Windows RT platform, this new vulnerability allows Windows RT to run unsigned code and soon we could see a full-fledged solution to jailbreak Windows RT.

Clrokr, the one who discovered this vulnerability, found out a way to tinker with the portion of the RAM that instructs Windows RT on whether it should run unsigned code or signed code. “It’s taken longer than expected but it has finally happened: unsigned desktop applications run on Windows RT. Ironically, a vulnerability in the Windows kernel that has existed for some time and got ported to ARM just like the rest of Windows made this possible,” the hacker stated.

The minimum signing level determines how good an executable’s signature is on a scale like this: Unsigned(0), Authenticode(4), Microsoft(8), Windows(12). The default value on x86 machines is of course 0 because you can run anything you like on your computer. On ARM machines, it defaults to 8.
That means that even if you sign your apps using your Authenticode certificate, the Surface or any other Windows RT device (at this moment) will not run them. This is not a user setting, but a hardcoded global value in the kernel itself. It cannot be changed permanently on devices with UEFI’s Secure Boot enabled. It can, however, be changed in memory.

The hacker mentions that Windows RT is a clean port of Windows 8 therefore Code Integrity is enforced to artificially separate these platforms. He mentions that this will not stop pirates from modifying Windows Store apps to run unsigned. He also mentions that Code Integrity can be enforced on Windows 8 to see what Windows RT runs like. Now keep in mind that this is not a fill-fledged jailbreak but merely a demonstration of the vulnerability by the hacker. This methodology resets itself every time the operating system is restarted. It wouldn’t be surprising if a jailbreaking tool was released in the future, based on his methods, but for now this is the first step towards that direction. Hit the source link to read more about this vulnerability.

Further reading: , , ,