We discovered a variation of the attack suggested by Burns and Stamos that allows the attack code
to be installed even if the user has never consented to the installation of MediaMax, and to be triggered
immediately whenever the user inserts a MediaMax CD. In the original attack, the user needs to accept the
MediaMax license agreement before attack code can be inserted or executed, because the code is placed
in a file called MMX.EXE that is not copied to the system until after the agreement is accepted. In our
attack, the attacker places hostile code in the DllMain procedure of a code file called MediaMax.dll,
which MediaMax installs even before displaying the EULA. The next time a MediaMax CD is inserted, the
installer autoruns and immediately attempts to check the version of the installed MediaMax.dll file. To
do this, the installer calls the Windows LoadLibrary function on the DLL file, which causes the file's
DllMain procedure to execute, together with any attack code inserted there.
This problem is exacerbated because parts of the MediaMax software are installed automatically and
without consent. Users who declined the EULA would likely assume that MediaMax was not installed,
and so most would be unaware that they were vulnerable. The same installer code performs the dangerous
version check as soon as the CD is inserted. A CD that prompted the user to accept a license before installing
code would give the user a chance to head off the attack.
Fixing this problem permanently without losing the use of protected discs requires installing a patch
from MediaMax. Unfortunately, as we discovered, the initial patch released by Sony-BMG in response to
the iSec report was capable of triggering precisely the kind of attack it was supposed to prevent. In the
process of updating MediaMax, the patch checked the version of MediaMax.dll just like the MediaMax
installer does. If this file was already modified by an attacker, the process of applying the security patch
would execute the attack code. Prior versions of the MediaMax uninstaller had the same vulnerability,
though both the uninstaller and the patch have since been replaced with versions that do not suffer from this
problem.
7 Deactivation
Active protection methods install and run software components that interfere with accesses to a CD. Users
can remove or deactivate the active protection software by using standard system administration tools that are
designed to find, characterize, and control the programs installed on a machine. Deactivating the protection
will enable arbitrary use or ripping of the music, and it is difficult to stop if the user has system administrator
privileges. In this section, we discuss how active protection may be deactivated.
7.1 Deactivating MediaMax
The MediaMax active protection software is simple to deactivate since it is a single device driver with a
consistent service name, sbcphid. The service can be manipulated using the Windows XP command line
utility sc. To check the status of the service, a user can open a command prompt window and issue the
command sc query sbcphid; if the reported state is "RUNNING" then the MediaMax driver is active.
It can be deactivated using the command sc stop sbcphid. To permanently remove it, a user can issue
the command sc delete sbcphid, then delete %windir%\system32\drivers\sbcphid.sys,
the driver's program file. Once the driver is deactivated, MediaMax-protected albums can be accessed as if
they were unprotected.
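As an added example (not part of the paper), the following Python helper turns the sc query check described above into an inventory script: it parses the STATE line of sc query sbcphid, treats error 1060 as "not installed", and combines that with a check for the driver file so an administrator can tell whether the MediaMax driver is active, stopped, or left behind as an orphaned file. The sample sc outputs embedded below are constructed to follow sc's layout; the helper names and the verdict strings are this example's own.

```python
import os
import re
import subprocess
from typing import Optional

# Service and driver file names as given in the paper for the MediaMax driver.
SERVICE = "sbcphid"
DRIVER_PATH = os.path.join(os.environ.get("windir", r"C:\Windows"),
                           "system32", "drivers", "sbcphid.sys")

# Constructed sample outputs in the layout `sc query` uses (not captured from a real host).
SAMPLE_RUNNING = ("SERVICE_NAME: sbcphid\n"
                  "        TYPE               : 1  KERNEL_DRIVER\n"
                  "        STATE              : 4  RUNNING\n"
                  "                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\n")
SAMPLE_MISSING = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
                  "The specified service does not exist as an installed service.\n")


def parse_sc_state(output: str) -> Optional[str]:
    """Return the STATE word ('RUNNING', 'STOPPED', ...) from `sc query` output,
    or None when sc reports error 1060 (service not installed)."""
    if re.search(r"FAILED 1060", output):
        return None
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", output, re.MULTILINE)
    if not m:
        raise ValueError("unrecognised sc query output")
    return m.group(1)


def classify(state: Optional[str], driver_present: bool) -> str:
    """Combine the service state with the driver-file check into a verdict."""
    if state == "RUNNING":
        return "active"             # driver loaded: MediaMax protection is enforcing
    if state is not None:
        return "installed-stopped"  # service registered but driver not running
    return "orphaned-file" if driver_present else "absent"


def check_mediamax() -> str:
    """Live check on a Windows host: run `sc query sbcphid` and classify the result."""
    out = subprocess.run(["sc", "query", SERVICE], capture_output=True, text=True).stdout
    return classify(parse_sc_state(out), os.path.exists(DRIVER_PATH))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify(parse_sc_state(SAMPLE_RUNNING), True))   # active
    print(classify(parse_sc_state(SAMPLE_MISSING), False))  # absent
```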
7.2 Defenses Against Deactivation
To counter deactivation attempts, a vendor might try technical tricks to evade detection and frustrate removal
of the active protection software. An example is the rootkit-like behavior of XCP, discovered by Mark
Russinovich [29]. When XCP installs its active protection software, it also installs a second program--the