windows 10 2 steps forward 1 step back james forshaw
play

Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo - PowerPoint PPT Presentation

May 09, 2023 •159 likes •792 views

Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo Ruxcon 2015 1 Obligatory Background Slide Researcher in Googles Project Zero team Specialize in Windows Especially local privilege escalation Never met

  1. Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo Ruxcon 2015 1

  2. Obligatory Background Slide ● Researcher in Google’s Project Zero team ● Specialize in Windows ○ Especially local privilege escalation ● Never met a logical vulnerability I didn’t like 2 James Forshaw @tiraniddo

  3. What I’m Going to Talk About ● Some research on Windows 10 from the early preview builds ● Why Windows 10 is awesome for security ● Except for when it isn’t! ● Very much looking at things from a local privilege escalation perspective 3 James Forshaw @tiraniddo

  4. Windows 10 4 James Forshaw @tiraniddo

  5. Windows Local Attack Surface 5 James Forshaw @tiraniddo

  6. Local System Vulnerabilities are Dead! 6 James Forshaw @tiraniddo

  7. System Services and Drivers Windows 7 SP1 Windows 8.1 Windows 10 Services 150 169 196 Drivers 238 253 291 7 8 10 7 James Forshaw @tiraniddo

  8. Service Privilege Levels Windows 7 SP1 Windows 8.1 Windows 10 Local System 53.69% 56.89% 61.14% Local Service 32.21% 31.14% 28.50% Network Service 14.09% 11.98% 10.36% 7 8 10 8 James Forshaw @tiraniddo

  9. SVCHOST Running as User? Malware? Nope! 9 James Forshaw @tiraniddo

  10. Service Start Mode Windows 7 Windows 8.1 Windows 10 Auto 30.07% 26.19% 24.10% Disabled 5.23% 3.57% 2.05% Manual 53.59% 43.45% 42.56% Triggered 11.11% 26.79% 31.28% 7 8 10 10 James Forshaw @tiraniddo

  11. Accessible Device Objects Windows 7 Windows 8.1 Windows 10 Read/Write 64 54 52 Read-Only 6 6 5 7 8 10 11 James Forshaw @tiraniddo

  12. Isolated User Mode 12 James Forshaw @tiraniddo

  13. Isolated LSASS Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130 13 James Forshaw @tiraniddo

  14. But Sadly ● Not available in consumer builds only Enterprise ● Can’t use your own code to isolate anything ● Very restrictive use 14 James Forshaw @tiraniddo

  15. Edge Browser 15 James Forshaw @tiraniddo

  16. Microsoft Edge Security ActiveX is gone(ish) AppContainer Sandbox Always On 16 James Forshaw @tiraniddo

  17. Microsoft Edge and Flash Nope! 17 James Forshaw @tiraniddo

  18. Has No One Learnt from the Past? 18 James Forshaw @tiraniddo

  19. Guess Trident Wasn’t a Suitable Base? 19 James Forshaw @tiraniddo

  20. User Account Control 20 James Forshaw @tiraniddo

  21. They’ve Fixed Some Bugs I’ve Reported https://code.google.com/p/google-security-research/issues/detail?id=156 https://code.google.com/p/google-security-research/issues/detail?id=220 21 James Forshaw @tiraniddo

  22. UAC Auto Elevation Directory Check c:\windows\ app.exe c:\windows\tracing\ app.exe ALLOWED BANNED 22 James Forshaw @tiraniddo

  23. Folder Permissions c:\windows\ app.exe c:\windows\tracing\ app.exe ALLOWED BANNED 23 James Forshaw @tiraniddo

  24. AiCheckSecureApplicationDirectory Bypass ● Need to be able to write a file with a secure path ● How can we write to C:\Windows without writing to C:\Windows? c:\windows\ malicious.exe c:\windows\ ???? ALLOWED ALLOWED? 24 James Forshaw @tiraniddo

  25. NTFS Alternate Data Streams FTW! c:\windows\ tracing:malicious.exe ALLOWED ● Only need FILE_WRITE_DATA/FILE_ADD_FILE access right on directory to created named stream. 25 James Forshaw @tiraniddo

  26. Didn’t Fix All my UAC Bypasses Though https://code.google.com/p/google-security-research/issues/detail?id=219 26 James Forshaw @tiraniddo

  27. DEMO Elevated Token Capture 27 James Forshaw @tiraniddo

  28. Well MS Almost Did If Process has If Token Level If Process IL < If Process User Impersonate < Impersonate Token IL == Token User Privilege Elevation Check Restrict to ALLOWED Identification Level 28 James Forshaw @tiraniddo

  29. Elevated Token Impersonation ● Blocks impersonating an elevated token unless process token is also elevated ● Must be enabled in SeCompatFlags kernel flag if (SeTokenIsElevated(ImpersonationToken)) { if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) { return STATUS_PRIVILEGE_NOT_HELD; } } 29 James Forshaw @tiraniddo

  30. In The End Still the “Wrong” Default IMO! 30 James Forshaw @tiraniddo

  31. If You Change Task Manager Needs a Prompt 31 James Forshaw @tiraniddo

  32. Windows Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions Windows Vista - Nov 30 2006 NTFS Symbolic Links Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links 32 James Forshaw @tiraniddo

  33. Mitigated in Sandboxes LIMITED NTFS Mount Points BANNED Registry Key Symbolic Links LIMITED Object Manager Symbolic Links 33 James Forshaw @tiraniddo

  34. Mitigations Backported 34 James Forshaw @tiraniddo

  35. Mount Point Mitigation Bypass NTSTATUS IopXxxControlFile (...) { if ( CtlCode == FSCTL_SET_REPARSE_POINT ) { PREPARSE_DATA_BUFFER buffer = ... if ( NumberOfBytes >= 4 && buffer -> ReparseTag == IO_REPARSE_TAG_MOUNT_POINT && RtlIsSandboxedToken (& SubjectSecurityContext , AccessMode ) { status = FsRtlValidateReparsePointBuffer ( NumberOfBytes , buffer ); if (! NT_SUCCESS ( status )) { return status } name . Length = name . MaximumLength = buffer -> SubstituteNameLength ; name . Buffer = & buffer -> PathBuffer [ 0 ]; InitializeObjectAttributes (& obja , & name , OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE ); status = ZwOpenFile (& FileHandle , FILE_GENERIC_WRITE , & obja , ..., FILE_DIRECTORY_FILE ); if (! NT_SUCCESS ( status )) { return status ; } ZwClose ( FileHandle ); } } } 35 James Forshaw @tiraniddo

  36. Mount Point Mitigation Bypass NTSTATUS IopXxxControlFile (...) { if ( CtlCode == FSCTL_SET_REPARSE_POINT ) { PREPARSE_DATA_BUFFER buffer = ... if ( NumberOfBytes >= 4 && buffer -> ReparseTag == IO_REPARSE_TAG_MOUNT_POINT && RtlIsSandboxedToken (& SubjectSecurityContext , AccessMode ) { status = FsRtlValidateReparsePointBuffer ( NumberOfBytes , buffer ); if (! NT_SUCCESS ( status )) { return status } name . Length = name . MaximumLength = buffer -> SubstituteNameLength ; name . Buffer = & buffer -> PathBuffer [ 0 ]; InitializeObjectAttributes (& obja , & name , OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE ); status = ZwOpenFile (& FileHandle , FILE_GENERIC_WRITE , & obja , ..., FILE_DIRECTORY_FILE ); if (! NT_SUCCESS ( status )) { return status ; } ZwClose ( FileHandle ); } } } 36 James Forshaw @tiraniddo

  37. Mount Point Mitigation Bypass NTSTATUS IopXxxControlFile (...) { if ( CtlCode == FSCTL_SET_REPARSE_POINT ) { PREPARSE_DATA_BUFFER buffer = ... if ( NumberOfBytes >= 4 && buffer -> ReparseTag == IO_REPARSE_TAG_MOUNT_POINT && RtlIsSandboxedToken (& SubjectSecurityContext , AccessMode ) { status = FsRtlValidateReparsePointBuffer ( NumberOfBytes , buffer ); if (! NT_SUCCESS ( status )) { return status } name . Length = name . MaximumLength = buffer -> SubstituteNameLength ; name . Buffer = & buffer -> PathBuffer [ 0 ]; InitializeObjectAttributes (& obja , & name , OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE ); status = ZwOpenFile (& FileHandle , FILE_GENERIC_WRITE , & obja , ..., FILE_DIRECTORY_FILE ); if (! NT_SUCCESS ( status )) { return status ; } ZwClose ( FileHandle ); } } } 37 James Forshaw @tiraniddo

  38. Time of check-Time of use Low Privileged Process High Privileged Process \??\c:\somepath\xyz \??\c:\somepath\xyz Not Equal 38 James Forshaw @tiraniddo

  39. DosDevices History NT 3.1 NT 4.0 Windows 2000 Windows XP Onwards DosDevices DosDevices DosDevices DosDevices ?? ?? Per-Process Per-User Per-Process Virtual ?? GLOBAL?? 39 James Forshaw @tiraniddo

  40. DosDevices History NT 3.1 NT 4.0 Windows 2000 Windows XP Onwards Use DosDevices DosDevices DosDevices DosDevices This! ?? ?? Per-Process Per-User Per-Process Virtual ?? GLOBAL?? 40 James Forshaw @tiraniddo

  41. Abusing Per-Process Device Map Low Privileged Process High Privileged Process \??\c:\somepath\xyz \??\c:\somepath\xyz \Device\NamedPipe\ \??\c:\somepath\xyz Not Equal https://code.google.com/p/google-security-research/issues/detail?id=486 41 James Forshaw @tiraniddo

  42. Sandbox Winter is Coming! New in October Kernel Release 42 James Forshaw @tiraniddo

  43. DEMO NTFS Mount Point Mitigation Bypass 43 James Forshaw @tiraniddo

  44. Win32k Hardening 44 James Forshaw @tiraniddo

  45. Fonts Are Bad 45 James Forshaw @tiraniddo

  46. Making it Less Bad Disable Custom Font Policy User Mode Font Driver (undocumented) PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 }; policy . DisableNonSystemFonts = 1 ; policy . AuditNonSystemFontLoading = 1 ; SetProcessMitigationPolicy ( ProcessFontDisablePolicy , & policy , sizeof( policy )); 46 James Forshaw @tiraniddo

  47. User Mode Font Driver Running as user in AppContainer Only SYSTEM can open process? 47 James Forshaw @tiraniddo

  48. Process Token Default DACL Before September Patch After September Patch 48 James Forshaw @tiraniddo

  49. Thread DACLs Allow User Access 49 James Forshaw @tiraniddo

Recommend

Our Dance Two Steps Forward, One Step Back Richland Elementary R-IV Dr. Tina Turner principal

Our Dance Two Steps Forward, One Step Back Richland Elementary R-IV Dr. Tina Turner principal

Our Dance Two Steps Forward, One Step Back Richland Elementary R-IV Dr. Tina Turner principal Miss Ashley McGuire Kindergarten Teacher Outcomes: Attendees will identify key areas of Tier 1 and process of implementation. Attendees will

282 views • 12 slides
THE CLIFF EFFECT ONE STEP FORWARD, TWO STEPS BACK Removing Barriers to Economic Mobility Thank

THE CLIFF EFFECT ONE STEP FORWARD, TWO STEPS BACK Removing Barriers to Economic Mobility Thank

THE CLIFF EFFECT ONE STEP FORWARD, TWO STEPS BACK Removing Barriers to Economic Mobility Thank You! As Indianas oldest and largest community foundation, The Indianapolis Foundation (a CICF affiliate) was created in 1916 to ensure that the

604 views • 23 slides
the .NET Inter-Operability Operation James Forshaw - @tiraniddo Derbycon 7.0

the .NET Inter-Operability Operation James Forshaw - @tiraniddo Derbycon 7.0

the .NET Inter-Operability Operation James Forshaw - @tiraniddo Derbycon 7.0 https://openclipart.org/detail/272992/nang-luong-hat-nhan What Im Going to be Talking About .NET Interop Platform Invoke .NET COM COM .NET 2 Agenda

938 views • 77 slides
Step 1: Go to the Tools menu and select Options Back Next slide Step 2: Select Security tab

Step 1: Go to the Tools menu and select Options Back Next slide Step 2: Select Security tab

Viewing Captions in Windows Media Player Version 10 To view captions (see example below) follow these instructions to set up your Windows Media Player. Next slide Note, once you have completed this set-up, you must restart the video stream

304 views • 6 slides
Three Steps Forward Two Steps Back Innovation and implementation of e-assessment in high stakes

Three Steps Forward Two Steps Back Innovation and implementation of e-assessment in high stakes

Three Steps Forward Two Steps Back Innovation and implementation of e-assessment in high stakes mathematics tests for 14-19 year olds The Future Turn of the century high expectations of a technological revolution in high stakes assessment:

878 views • 44 slides
Prepare your presentation in 5 steps Step 1 - Install the software Note that the eSlides

Prepare your presentation in 5 steps Step 1 - Install the software Note that the eSlides

Prepare your presentation in 5 steps Step 1 - Install the software Note that the eSlides software is currently available for Windows only in both English and French (a version for Apple will be developed later this year). If your computer is

71 views • 6 slides
P R E S E N T A C I O N W W W . A N N A L I N M U Z Z A . C O M C H I A R A Step back into the

P R E S E N T A C I O N W W W . A N N A L I N M U Z Z A . C O M C H I A R A Step back into the

P R E S E N T A C I O N W W W . A N N A L I N M U Z Z A . C O M C H I A R A Step back into the groovy Studio 54 era in this head turning large pailette sequin iridescent mini dress. Model is wearing US size S 100% Polyester Hand Wash

985 views • 56 slides
Disability Claims Process Personal support through each step to get back to health, back to work

Disability Claims Process Personal support through each step to get back to health, back to work

Disability Claims Process Personal support through each step to get back to health, back to work and back to life. Start to Finish our Focus is on the employee Back to health, back to work and back to life with support at every step Our

220 views • 17 slides
Switching to Ubuntu from Windows Step 1 - Applications Step 1 - Applications Most Important step

Switching to Ubuntu from Windows Step 1 - Applications Step 1 - Applications Most Important step

Switching to Ubuntu from Windows Step 1 - Applications Step 1 - Applications Most Important step is to check if the applications you use are available on Ubuntu. And if not, are there any alternatives? Tip: Try Ubuntu CD live and see if you

360 views • 17 slides
Windows Not just for houses Everyone Uses Windows! (sorry James!) Users - Accounts to separate

Windows Not just for houses Everyone Uses Windows! (sorry James!) Users - Accounts to separate

Windows Not just for houses Everyone Uses Windows! (sorry James!) Users - Accounts to separate people on a computer - Multiple user accounts on a computer - Ex) shared family computer - Access level can be set differently for each user

1.2k views • 51 slides
SMWP 2011 Christine James Technology in a Writing Classroom My journey began back when I I

SMWP 2011 Christine James Technology in a Writing Classroom My journey began back when I I

SMWP 2011 Christine James Technology in a Writing Classroom My journey began back when I I learned how to prepare a six step next couple of years, we planned would play school with my sister and lesson plan, assess my students, lessons

170 views • 5 slides
CHAPTER 1 GETTING STARTED 5 STEPS TO CREATING YOUR FIRST INFOGRAPHIC IN 15 MINUTES STEP 1

CHAPTER 1 GETTING STARTED 5 STEPS TO CREATING YOUR FIRST INFOGRAPHIC IN 15 MINUTES STEP 1

CHAPTER 1 GETTING STARTED 5 STEPS TO CREATING YOUR FIRST INFOGRAPHIC IN 15 MINUTES STEP 1 PICK A TEMPLATE STEP 2 CLICK CREATE AND START ADDING YOUR TEXT! STEP 3 INSERT YOUR GRAPHICS Just click or drag-and-drop the graphics you need

505 views • 15 slides
College Credit Plus 2021-2022 Academic year CCP Admission Steps Follow the following steps!

College Credit Plus 2021-2022 Academic year CCP Admission Steps Follow the following steps!

College Credit Plus 2021-2022 Academic year CCP Admission Steps Follow the following steps! Step 1 : Turn signed Letter of Intent into the high school Step 2: Apply www.mtc.edu/apply Step 3 : Test- or have test scores sent to

170 views • 6 slides
College Credit Plus 2021-2022 Academic year 1 CCP Admission Steps Follow the following steps!

College Credit Plus 2021-2022 Academic year 1 CCP Admission Steps Follow the following steps!

College Credit Plus 2021-2022 Academic year 1 CCP Admission Steps Follow the following steps! Step 1 : Turn signed Letter of Intent into the high school Step 2: Apply www.mtc.edu/apply Step 3 : Test- or have test scores sent to

554 views • 6 slides
Unilever Barclays Back to School Conference - Boston James Allison Head of IR and M&amp;A

Unilever Barclays Back to School Conference - Boston James Allison Head of IR and M&amp;A

Unilever Barclays Back to School Conference - Boston James Allison Head of IR and M&amp;A September 7 th 2011 Safe Harbour Statement This announcement may contain forward- looking statements, including forward - looking statements within

1.05k views • 30 slides
Back to the future: sockets and relational data in your (Windows) pocket Dragos Manolescu

Back to the future: sockets and relational data in your (Windows) pocket Dragos Manolescu

Back to the future: sockets and relational data in your (Windows) pocket Dragos Manolescu Microsoft, Windows Phone Engineering Hewlett-Packard Cloud Services Background APIs Performance and Health Data and Cloud RTM Networking:

578 views • 54 slides
Step Back... Clear Your Mind... Whats The Next Step? Justin Elliott Manager, Mac &amp; Linux

Step Back... Clear Your Mind... Whats The Next Step? Justin Elliott Manager, Mac &amp; Linux

Step Back... Clear Your Mind... Whats The Next Step? Justin Elliott Manager, Mac &amp; Linux Teams Classroom &amp; Lab Computing 1 Disclaimers I am not an expert on GTD , but I have used it for 1.5 years now, and its been a huge help.

679 views • 43 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps. Chapter One: The first step is about narrating some facts, by which my project and research were based on. Egypt is located in north east africa,

690 views • 46 slides
Ann Arbors Ann Arbors Non Non- -motorized Transportation motorized Transportation Steps

Ann Arbors Ann Arbors Non Non- -motorized Transportation motorized Transportation Steps

Ann Arbors Ann Arbors Non Non- -motorized Transportation motorized Transportation Steps Forward Steps Forward Steps Forward Steps Forward Eli Cooper, AICP p , Presentation to Pedestrian Access and Safety Task Force June 2014 Non

161 views • 14 slides
The development process often feels chaotic, haphazard, and arbitrary, especially for new

The development process often feels chaotic, haphazard, and arbitrary, especially for new

The development process often feels chaotic, haphazard, and arbitrary, especially for new participants or outsiders. It often seems more difficult than it should be, a process where you take one step forward, and two steps back. This

478 views • 11 slides
Back to basics 1. What steps can you take to ensure that a blended course really meets its

Back to basics 1. What steps can you take to ensure that a blended course really meets its

Back to basics: Designing effective blended courses E-learning Development Team Academic Support Office, University of York 11 November 2014 Back to basics 1. What steps can you take to ensure that a blended course really meets its objectives

159 views • 12 slides
Step 1 Summary of Project This blog post covers the steps I took to create a presentation that

Step 1 Summary of Project This blog post covers the steps I took to create a presentation that

What makes a great presentation? Why are some presenters more engaging than others? We will begin to explore these questions with this project. Below you will find the steps and examples each component of the project. Step 1 Summary of

306 views • 4 slides
Question A step by step walkthrough and analysis This presentation is based on the work of James

Question A step by step walkthrough and analysis This presentation is based on the work of James

The Short Answer Question The Short Answer Question A step by step walkthrough and analysis This presentation is based on the work of James Sabathnes Period One module for the Teaching and Assessing AP U.S. History training site. In order

543 views • 21 slides

More recommend