  1. Windows 10: 2 Steps Forward, 1 Step Back. James Forshaw (@tiraniddo), Ruxcon 2015

  2. Obligatory Background Slide
     ● Researcher in Google’s Project Zero team
     ● Specialize in Windows
       ○ Especially local privilege escalation
     ● Never met a logical vulnerability I didn’t like

  3. What I’m Going to Talk About
     ● Some research on Windows 10 from the early preview builds
     ● Why Windows 10 is awesome for security
     ● Except for when it isn’t!
     ● Very much looking at things from a local privilege escalation perspective

  4. Windows 10

  5. Windows Local Attack Surface

  6. Local System Vulnerabilities are Dead!

  7. System Services and Drivers
                        Windows 7 SP1   Windows 8.1   Windows 10
     Services                 150           169          196
     Drivers                  238           253          291

  8. Service Privilege Levels
                        Windows 7 SP1   Windows 8.1   Windows 10
     Local System           53.69%        56.89%       61.14%
     Local Service          32.21%        31.14%       28.50%
     Network Service        14.09%        11.98%       10.36%

  9. SVCHOST Running as User? Malware? Nope!

  10. Service Start Mode
                        Windows 7       Windows 8.1   Windows 10
      Auto                  30.07%        26.19%       24.10%
      Disabled               5.23%         3.57%        2.05%
      Manual                53.59%        43.45%       42.56%
      Triggered             11.11%        26.79%       31.28%

  11. Accessible Device Objects
                        Windows 7       Windows 8.1   Windows 10
      Read/Write               64            54           52
      Read-Only                 6             6            5
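The counts and percentages on slides 7, 8 and 10 are a point-in-time measurement of the local attack surface. As an added example that is not part of the deck, the PowerShell function below takes the same measurement on the host it runs on: services grouped by the account they run as and by start mode, plus the driver count. It assumes Windows 8.1 or later with an elevated prompt; the account grouping and the use of `sc.exe qtriggerinfo` to detect trigger-start services are this example's own choices, and the accessible-device-object count from slide 11 is not covered because it needs native object-manager enumeration.

```powershell
# Added example, not part of the Ruxcon deck: measure the service attack surface
# of the current host the way the Services / Privilege Level / Start Mode tables do.
# Run from an elevated PowerShell prompt on Windows 8.1 or later.

function Get-ServiceAttackSurface {
    $services = Get-CimInstance -ClassName Win32_Service
    $drivers  = Get-CimInstance -ClassName Win32_SystemDriver
    $total    = $services.Count

    # Map the raw StartName onto the three built-in service accounts used in the deck.
    $accountOf = {
        param($svc)
        switch -Regex ([string]$svc.StartName) {
            '^LocalSystem$'                  { 'Local System';    break }
            'NT AUTHORITY\\LocalService$'    { 'Local Service';   break }
            'NT AUTHORITY\\NetworkService$'  { 'Network Service'; break }
            default                          { "Other ($($svc.StartName))" }
        }
    }

    # Win32_Service reports Auto/Manual/Disabled but not trigger-start, so ask the
    # SCM through sc.exe and count a service as Triggered when it registered any
    # start or stop trigger (one process spawn per service; slow but read-only).
    $startModeOf = {
        param($svc)
        $info = (& sc.exe qtriggerinfo $svc.Name 2>&1) -join "`n"
        if ($LASTEXITCODE -eq 0 -and $info -notmatch 'has not registered') { 'Triggered' }
        else { $svc.StartMode }
    }

    $rows = foreach ($svc in $services) {
        [pscustomobject]@{
            Name      = $svc.Name
            Account   = & $accountOf $svc
            StartMode = & $startModeOf $svc
        }
    }

    "Services: $total   Drivers: $($drivers.Count)"
    ''
    'Service privilege levels'
    $rows | Group-Object Account | Sort-Object Count -Descending | ForEach-Object {
        '  {0,-28} {1,4}  {2,7:P2}' -f $_.Name, $_.Count, ($_.Count / $total)
    }
    ''
    'Service start modes'
    $rows | Group-Object StartMode | Sort-Object Count -Descending | ForEach-Object {
        '  {0,-28} {1,4}  {2,7:P2}' -f $_.Name, $_.Count, ($_.Count / $total)
    }
}

Get-ServiceAttackSurface
```

The interesting numbers for a defender are the Local System share and the Auto-start share: every service in those groups is code that runs with the highest local privilege without anyone asking for it, so a drift upward between builds (or between a clean image and a deployed one) is worth explaining.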

  12. Isolated User Mode

  13. Isolated LSASS (image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130)

  14. But Sadly
      ● Not available in consumer builds, only Enterprise
      ● Can’t use your own code to isolate anything
      ● Very restrictive use

  15. Edge Browser

  16. Microsoft Edge Security
      ActiveX is gone(ish)
      AppContainer Sandbox Always On

  17. Microsoft Edge and Flash: Nope!

  18. Has No One Learnt from the Past?

  19. Guess Trident Wasn’t a Suitable Base?

  20. User Account Control

  21. They’ve Fixed Some Bugs I’ve Reported
      https://code.google.com/p/google-security-research/issues/detail?id=156
      https://code.google.com/p/google-security-research/issues/detail?id=220

  22. UAC Auto Elevation Directory Check
      c:\windows\app.exe           ALLOWED
      c:\windows\tracing\app.exe   BANNED

  23. Folder Permissions
      c:\windows\app.exe           ALLOWED
      c:\windows\tracing\app.exe   BANNED

  24. AiCheckSecureApplicationDirectory Bypass
      ● Need to be able to write a file with a secure path
      ● How can we write to C:\Windows without writing to C:\Windows?
      c:\windows\malicious.exe     ALLOWED
      c:\windows\????              ALLOWED?

  25. NTFS Alternate Data Streams FTW!
      c:\windows\tracing:malicious.exe   ALLOWED
      ● Only need the FILE_WRITE_DATA/FILE_ADD_FILE access right on the directory to create a named stream.
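The point of slides 24 and 25 is that a named stream on a directory such as c:\windows\tracing gets a path under C:\Windows without needing write access to C:\Windows itself, and that FILE_ADD_FILE on the directory is enough to create one. As an added example that is not part of the deck, the PowerShell below is the defender's side of that: it walks a root (C:\Windows by default), picks out directories whose DACL grants a low-privilege principal the WriteData/AddFile right, and lists every alternate data stream on those directories and the files in them. It is read-only and assumes PowerShell 3.0 or later for `-Stream` and `-Directory`; the list of principals treated as low-privilege is this example's own choice.

```powershell
# Added example, not from the deck: find alternate data streams in directories
# under C:\Windows that low-privilege users can add files to. Read-only; run
# elevated for full coverage. PowerShell 3.0+.

function Get-NamedStreams {
    param([string]$LiteralPath)
    # The unnamed data stream reports as ':$DATA' and a directory's index stream
    # also starts with ':$'; anything else is an alternate data stream.
    Get-Item -LiteralPath $LiteralPath -Stream * -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -notmatch '^:\$' }
}

function Find-SuspiciousStreams {
    param([string]$Root = 'C:\Windows')

    # Principals a standard user is a member of (example's own list).
    $lowPrivPrincipals = 'BUILTIN\Users', 'Everyone',
                         'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    # WriteData on a directory is FILE_ADD_FILE (0x2), the right slide 25 names.
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData

    # Directories whose DACL (inherited ACEs included) grants that right to one of them.
    $userWritable = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            try { $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop } catch { return $false }
            $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPrivPrincipals -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights -band $writeData) -eq $writeData
            }
        }

    foreach ($dir in $userWritable) {
        # The directory object itself can carry a named stream (tracing:malicious.exe),
        # so check it as well as the files inside it.
        $targets = @($dir.FullName) +
                   @(Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue |
                         ForEach-Object FullName)
        foreach ($path in $targets) {
            Get-NamedStreams -LiteralPath $path | ForEach-Object {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Item      = $path
                    Stream    = $_.Stream
                    Length    = $_.Length
                }
            }
        }
    }
}

Find-SuspiciousStreams | Format-Table -AutoSize
```

Zone.Identifier streams on downloaded files are the usual benign hit; a stream whose name ends in .exe or .dll, sitting on a directory under C:\Windows that standard users can write to, is the pattern the slide describes and deserves a look at the directory's ACL rather than just the stream.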

  26. Didn’t Fix All my UAC Bypasses Though
      https://code.google.com/p/google-security-research/issues/detail?id=219

  27. DEMO: Elevated Token Capture

  28. Well MS Almost Did
      Impersonation check, in order:
      If Process has Impersonate Privilege   -> ALLOWED
      If Token Level < Impersonate           -> ALLOWED
      If Process IL < Token IL               -> Restrict to Identification Level
      If Process User == Token User          -> Elevation Check -> ALLOWED
      Otherwise                              -> Restrict to Identification Level

  29. Elevated Token Impersonation
      ● Blocks impersonating an elevated token unless process token is also elevated
      ● Must be enabled in SeCompatFlags kernel flag

      if (SeTokenIsElevated(ImpersonationToken)) {
          if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) {
              return STATUS_PRIVILEGE_NOT_HELD;
          }
      }

  30. In The End: Still the “Wrong” Default IMO!

  31. If You Change, Task Manager Needs a Prompt

  32. Windows Symbolic Links
      Windows NT 3.1  - July 27 1993:  Object Manager Symbolic Links, Registry Key Symbolic Links
      Windows 2000    - Feb 17 2000:   NTFS Mount Points and Directory Junctions
      Windows Vista   - Nov 30 2006:   NTFS Symbolic Links

  33. Mitigated in Sandboxes
      NTFS Mount Points                LIMITED
      Registry Key Symbolic Links      BANNED
      Object Manager Symbolic Links    LIMITED

  34. Mitigations Backported

  35. Mount Point Mitigation Bypass
      NTSTATUS IopXxxControlFile(...) {
          if (CtlCode == FSCTL_SET_REPARSE_POINT) {
              PREPARSE_DATA_BUFFER buffer = ...;
              if (NumberOfBytes >= 4 &&
                  buffer->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT &&
                  RtlIsSandboxedToken(&SubjectSecurityContext, AccessMode)) {
                  status = FsRtlValidateReparsePointBuffer(NumberOfBytes, buffer);
                  if (!NT_SUCCESS(status)) {
                      return status;
                  }
                  name.Length = name.MaximumLength = buffer->SubstituteNameLength;
                  name.Buffer = &buffer->PathBuffer[0];
                  InitializeObjectAttributes(&obja, &name, OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE);
                  status = ZwOpenFile(&FileHandle, FILE_GENERIC_WRITE, &obja, ..., FILE_DIRECTORY_FILE);
                  if (!NT_SUCCESS(status)) {
                      return status;
                  }
                  ZwClose(FileHandle);
              }
          }
      }

  38. Time of check - Time of use
      Low Privileged Process:   \??\c:\somepath\xyz   (time of check)
      High Privileged Process:  \??\c:\somepath\xyz   (time of use)
      -> Not Equal

  39. DosDevices History
      NT 3.1 / NT 4.0 / Windows 2000 / Windows XP Onwards
      DosDevices DosDevices DosDevices DosDevices ?? ?? Per-Process Per-User Per-Process Virtual ?? GLOBAL??

  40. DosDevices History: Use This!
      NT 3.1 / NT 4.0 / Windows 2000 / Windows XP Onwards
      DosDevices DosDevices DosDevices DosDevices ?? ?? Per-Process Per-User Per-Process Virtual ?? GLOBAL??

  41. Abusing Per-Process Device Map
      Low Privileged Process:   \??\c:\somepath\xyz   (resolves via \Device\NamedPipe\)
      High Privileged Process:  \??\c:\somepath\xyz
      -> Not Equal
      https://code.google.com/p/google-security-research/issues/detail?id=486
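Slides 33 through 41 are about NTFS mount points as a path-redirection primitive: the kernel check opens the junction target at set time, but the privileged process that later follows it may resolve the same \??\ path differently. Whatever the kernel does, the reparse points that exist in locations a standard user can write to are the defender's inventory for this class of issue. As an added example that is not part of the deck, the PowerShell below lists junctions and symbolic links under a few user-writable roots together with their targets and owners. It assumes PowerShell 3.0 or later (`-Attributes ReparsePoint`, `LinkType`, `Target`); the default root list is this example's own choice.

```powershell
# Added example, not from the deck: inventory NTFS reparse points (junctions and
# symbolic links) under user-writable roots, with target and owner, so a junction
# that points a privileged path somewhere unexpected stands out. Read-only.

function Find-ReparsePoints {
    param(
        # Roots a standard user can write to; adjust for the host being reviewed.
        [string[]]$Roots = @("$env:ProgramData", "$env:PUBLIC", "$env:TEMP", 'C:\Windows\Temp', 'C:\Windows\tracing')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path     = $_.FullName
                    LinkType = $_.LinkType               # 'Junction' or 'SymbolicLink'; other reparse tags show blank
                    Target   = (@($_.Target) -join ', ')  # junction targets are NT-style \??\ paths
                    Owner    = if ($acl) { $acl.Owner } else { '<unreadable>' }
                }
            }
    }
}

Find-ReparsePoints | Sort-Object LinkType, Path | Format-Table -AutoSize
```

A junction owned by a standard user whose target is under C:\Windows, Program Files or another location that a service writes to is the thing to investigate; a second run a few minutes later that shows the same path with a different target is the time-of-check/time-of-use pattern from slide 38 happening in front of you.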

  42. Sandbox Winter is Coming!
      New in October Kernel Release

  43. DEMO: NTFS Mount Point Mitigation Bypass

  44. Win32k Hardening

  45. Fonts Are Bad

  46. Making it Less Bad
      Disable Custom Font Policy
      User Mode Font Driver (undocumented)

      PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 };
      policy.DisableNonSystemFonts = 1;
      policy.AuditNonSystemFontLoading = 1;
      SetProcessMitigationPolicy(ProcessFontDisablePolicy, &policy, sizeof(policy));
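The C fragment on slide 46 opts a process out of loading non-system fonts. As an added example that is not part of the deck, the PowerShell below applies the same two flags to the current PowerShell process through a hand-written P/Invoke of SetProcessMitigationPolicy and then reads them back with GetProcessMitigationPolicy, which is how you confirm a mitigation actually took. It assumes Windows 10 (the font policy does not exist on earlier kernels); the enum value 9 for ProcessFontDisablePolicy and the bit layout of PROCESS_MITIGATION_FONT_DISABLE_POLICY (bit 0 DisableNonSystemFonts, bit 1 AuditNonSystemFontLoading) are taken from the Windows SDK headers rather than from the slides.

```powershell
# Added example, not from the deck: set and verify the font-disable mitigation on
# the current process. Windows 10 only. Run in a throw-away PowerShell session,
# since the policy stays in effect for the life of the process.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class FontPolicy
{
    // PROCESS_MITIGATION_POLICY::ProcessFontDisablePolicy (SDK enum value, assumption of this example)
    const int ProcessFontDisablePolicy = 9;

    // PROCESS_MITIGATION_FONT_DISABLE_POLICY is one DWORD of flag bits.
    public const uint DisableNonSystemFonts     = 0x1;   // bit 0
    public const uint AuditNonSystemFontLoading = 0x2;   // bit 1

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetProcessMitigationPolicy(int policy, ref uint buffer, IntPtr length);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int policy, ref uint buffer, IntPtr length);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    public static void Set(uint flags)
    {
        if (!SetProcessMitigationPolicy(ProcessFontDisablePolicy, ref flags, (IntPtr)sizeof(uint)))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
    }

    public static uint Get()
    {
        uint flags = 0;
        if (!GetProcessMitigationPolicy(GetCurrentProcess(), ProcessFontDisablePolicy, ref flags, (IntPtr)sizeof(uint)))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return flags;
    }
}
'@

# Apply both flags, exactly as the slide's C does: block non-system fonts and audit attempts.
[FontPolicy]::Set([uint32]([FontPolicy]::DisableNonSystemFonts -bor [FontPolicy]::AuditNonSystemFontLoading))

# Read the policy back; a mitigation you cannot query is a mitigation you cannot prove.
$flags = [FontPolicy]::Get()
'DisableNonSystemFonts     : {0}' -f (($flags -band [FontPolicy]::DisableNonSystemFonts) -ne 0)
'AuditNonSystemFontLoading : {0}' -f (($flags -band [FontPolicy]::AuditNonSystemFontLoading) -ne 0)
```

With AuditNonSystemFontLoading set, a blocked or audited font load is written to the Microsoft-Windows-Win32k/Operational event log as Event ID 260, which is the signal to watch when rolling the policy out to an application that may legitimately load its own fonts.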

  47. User Mode Font Driver
      Running as user in AppContainer
      Only SYSTEM can open process?

  48. Process Token Default DACL
      Before September Patch / After September Patch

  49. Thread DACLs Allow User Access
