Windows 10: 2 Steps Forward, 1 Step Back
James Forshaw @tiraniddo
Ruxcon 2015

Obligatory Background Slide
● Researcher in Google’s Project Zero team
● Specialize in Windows
  ○ Especially local privilege escalation
● Never met a logical vulnerability I didn’t like

What I’m Going to Talk About
● Some research on Windows 10 from the early preview builds
● Why Windows 10 is awesome for security
● Except for when it isn’t!
● Very much looking at things from a local privilege escalation perspective

Windows 10

Windows Local Attack Surface

Local System Vulnerabilities are Dead!

System Services and Drivers
                   Windows 7 SP1   Windows 8.1   Windows 10
  Services         150             169           196
  Drivers          238             253           291

Service Privilege Levels
                   Windows 7 SP1   Windows 8.1   Windows 10
  Local System     53.69%          56.89%        61.14%
  Local Service    32.21%          31.14%        28.50%
  Network Service  14.09%          11.98%        10.36%

SVCHOST Running as User? Malware? Nope!

Service Start Mode
                   Windows 7       Windows 8.1   Windows 10
  Auto             30.07%          26.19%        24.10%
  Disabled         5.23%           3.57%         2.05%
  Manual           53.59%          43.45%        42.56%
  Triggered        11.11%          26.79%        31.28%

Accessible Device Objects
                   Windows 7       Windows 8.1   Windows 10
  Read/Write       64              54            52
  Read-Only        6               6             5

Isolated User Mode

Isolated LSASS
Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130

But Sadly
● Not available in consumer builds, only Enterprise
● Can’t use your own code to isolate anything
● Very restrictive use

Edge Browser

Microsoft Edge Security
● ActiveX is gone(ish)
● AppContainer Sandbox Always On

Microsoft Edge and Flash: Nope!

Has No One Learnt from the Past?

Guess Trident Wasn’t a Suitable Base?

User Account Control

They’ve Fixed Some Bugs I’ve Reported
https://code.google.com/p/google-security-research/issues/detail?id=156
https://code.google.com/p/google-security-research/issues/detail?id=220

UAC Auto Elevation Directory Check
  c:\windows\app.exe           ALLOWED
  c:\windows\tracing\app.exe   BANNED

Folder Permissions
  c:\windows\app.exe           ALLOWED
  c:\windows\tracing\app.exe   BANNED

AiCheckSecureApplicationDirectory Bypass
● Need to be able to write a file with a secure path
● How can we write to C:\Windows without writing to C:\Windows?
  c:\windows\malicious.exe     ALLOWED
  c:\windows\????              ALLOWED?

NTFS Alternate Data Streams FTW!
  c:\windows\tracing:malicious.exe   ALLOWED
● Only need the FILE_WRITE_DATA/FILE_ADD_FILE access right on the directory to create a named stream.

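The directory check described on the previous slides decides on the text of the path, so the trick above works because the part before the last backslash is still c:\windows\ even though the data is written to a named stream on the tracing directory. The following is an added example, not code from the slides or from AppInfo itself: a toy model of a directory-only check beside a variant that also requires the file-name component to be a plain NTFS file name. The list of secure directories, the function names and the sample paths are constructed for the illustration; the real AiCheckSecureApplicationDirectory logic and its directory table are not on the slides.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed list of "secure" directories for this example. The real table
   used by AppInfo is not on the slides; c:\windows is the case they show. */
static const char *const SECURE_DIRS[] = {
    "c:\\windows\\",
    "c:\\windows\\system32\\",
};
#define SECURE_DIR_COUNT (sizeof SECURE_DIRS / sizeof SECURE_DIRS[0])

/* NTFS paths are case-insensitive, so compare the directory prefix that way. */
static bool equals_ci(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
        if (a[i] == '\0') return true;   /* both strings ended together */
    }
    return true;
}

/* Split "dir\name" at the last backslash; returns the file name, or NULL
   when there is no backslash or nothing follows it. */
static const char *split_dir(const char *path, size_t *dirlen) {
    const char *last = strrchr(path, '\\');
    if (!last || last[1] == '\0') return NULL;
    *dirlen = (size_t)(last - path) + 1;   /* keep the trailing backslash */
    return last + 1;
}

/* Directory-only check, as the slides describe it: the text before the last
   backslash must equal one of the secure directories. c:\windows\tracing\ is
   refused because it is not on the list, but the check never looks at what
   the final component actually names. */
bool naive_secure_directory_check(const char *path) {
    size_t dirlen;
    if (!split_dir(path, &dirlen)) return false;
    for (size_t i = 0; i < SECURE_DIR_COUNT; i++) {
        if (strlen(SECURE_DIRS[i]) == dirlen && equals_ci(path, SECURE_DIRS[i], dirlen))
            return true;
    }
    return false;
}

/* Same check, but the file-name component must be a plain NTFS file name:
   a ':' denotes an alternate data stream (tracing:malicious.exe is a stream on
   the directory c:\windows\tracing, not a file in c:\windows), and ".." or '/'
   mean the path was never canonical to begin with. */
bool hardened_secure_directory_check(const char *path) {
    size_t dirlen;
    const char *name = split_dir(path, &dirlen);
    if (!name) return false;
    if (strchr(name, ':') != NULL) return false;
    if (strstr(path, "..") != NULL || strchr(path, '/') != NULL) return false;
    return naive_secure_directory_check(path);
}

int main(void) {
    /* Constructed sample paths taken from the cases on the slides. */
    const char *samples[] = {
        "c:\\windows\\app.exe",
        "c:\\windows\\tracing\\app.exe",
        "c:\\windows\\tracing:malicious.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-40s naive=%s hardened=%s\n", samples[i],
               naive_secure_directory_check(samples[i]) ? "ALLOWED" : "BANNED",
               hardened_secure_directory_check(samples[i]) ? "ALLOWED" : "BANNED");
    }
    return 0;
}
```

The point of the hardened variant is not the ':' test on its own; it is that a "where does this file live" decision must be made on the object the path resolves to, not on a prefix of the string, and any syntax that lets one string name two different objects has to be rejected before the prefix comparison is meaningful.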
Didn’t Fix All my UAC Bypasses Though
https://code.google.com/p/google-security-research/issues/detail?id=219

DEMO: Elevated Token Capture

Well MS Almost Did (token impersonation decision chain)
  If Process has Impersonate Privilege
  → If Token Level < Impersonate
  → If Process IL < Token IL
  → If Process User == Token User
  → Elevation Check
  Outcomes: ALLOWED, or Restrict to Identification Level

Elevated Token Impersonation
● Blocks impersonating an elevated token unless the process token is also elevated
● Must be enabled via the SeCompatFlags kernel flag

    if (SeTokenIsElevated(ImpersonationToken)) {
        // Only enforced when bit 0 of SeCompatFlags is set
        if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) {
            return STATUS_PRIVILEGE_NOT_HELD;
        }
    }

In The End Still the “Wrong” Default IMO!

If You Change It, Task Manager Needs a Prompt

Windows Symbolic Links
  Windows NT 3.1 - July 27 1993:  Object Manager Symbolic Links, Registry Key Symbolic Links
  Windows 2000 - Feb 17 2000:     NTFS Mount Points and Directory Junctions
  Windows Vista - Nov 30 2006:    NTFS Symbolic Links

Mitigated in Sandboxes
  NTFS Mount Points               LIMITED
  Registry Key Symbolic Links     BANNED
  Object Manager Symbolic Links   LIMITED

Mitigations Backported

Mount Point Mitigation Bypass

    NTSTATUS IopXxxControlFile(...)
    {
        if (CtlCode == FSCTL_SET_REPARSE_POINT) {
            PREPARSE_DATA_BUFFER buffer = ...;
            // Only mount points set by a sandboxed token get the extra check
            if (NumberOfBytes >= 4 &&
                buffer->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT &&
                RtlIsSandboxedToken(&SubjectSecurityContext, AccessMode)) {
                status = FsRtlValidateReparsePointBuffer(NumberOfBytes, buffer);
                if (!NT_SUCCESS(status)) {
                    return status;
                }
                // Take the substitute name from the reparse buffer ...
                name.Length = name.MaximumLength = buffer->SubstituteNameLength;
                name.Buffer = &buffer->PathBuffer[0];
                // ... and require that the caller could open it for write
                InitializeObjectAttributes(&obja, &name, OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE);
                status = ZwOpenFile(&FileHandle, FILE_GENERIC_WRITE, &obja, ..., FILE_DIRECTORY_FILE);
                if (!NT_SUCCESS(status)) {
                    return status;
                }
                ZwClose(FileHandle);
            }
        }
    }

Time of Check / Time of Use
  Low Privileged Process:   \??\c:\somepath\xyz
  High Privileged Process:  \??\c:\somepath\xyz
  Not Equal

DosDevices History
  Columns: NT 3.1 | NT 4.0 | Windows 2000 | Windows XP Onwards
  DosDevices  DosDevices  DosDevices  DosDevices
  ??  ??  Per-Process  Per-User  Per-Process Virtual ??  GLOBAL??
  (repeated on the following slide with a “Use This!” callout)

Abusing Per-Process Device Map
  Low Privileged Process:   \??\c:\somepath\xyz  →  \Device\NamedPipe\
  High Privileged Process:  \??\c:\somepath\xyz
  Not Equal
https://code.google.com/p/google-security-research/issues/detail?id=486

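The mitigation on the preceding slides opens the substitute name in the sandboxed caller's own context and refuses the mount point if that open fails for write access. What the time-of-check/time-of-use and per-process device map slides point out is that \??\ is not one fixed namespace: the check resolves the drive letter through the caller's device map, while the privileged process that later follows the mount point resolves it through its own. The block below is an added example, not code from the slides or from the Windows kernel: a toy model of two device maps, the write check parameterised by the map it resolves through, and a helper that asks whether the object the check inspected is the object the consumer will reach. The device names, map contents and function names are constructed for the illustration; treating the global map as the reference the check should agree with is this example's reading of the “Use This!” callout, not a statement of how Microsoft eventually fixed the issue.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the Object Manager's DOS device maps: a drive letter resolves
   to a device path through whichever map the opening process sees. */
typedef struct { char drive; const char *device; } DeviceMapEntry;
typedef struct { const DeviceMapEntry *entries; size_t count; } DeviceMap;

/* What an unsandboxed process sees (\GLOBAL??): c: is the system volume.
   Constructed for the example. */
static const DeviceMapEntry GLOBAL_ENTRIES[] = { { 'c', "\\Device\\HarddiskVolume1" } };
const DeviceMap GLOBAL_MAP = { GLOBAL_ENTRIES, 1 };

/* Per-process map a low privileged caller has given itself: c: now points at
   the named pipe device, which any token may write under. Constructed. */
static const DeviceMapEntry CALLER_ENTRIES[] = { { 'c', "\\Device\\NamedPipe" } };
const DeviceMap CALLER_MAP = { CALLER_ENTRIES, 1 };

/* Rewrite "\??\X:\rest" as "<device>\rest" using the given map.
   Returns false for anything that is not a drive-letter path under \??. */
bool resolve_dos_path(const char *path, const DeviceMap *map, char *out, size_t outlen) {
    if (strncmp(path, "\\??\\", 4) != 0) return false;
    const char *p = path + 4;
    if (!isalpha((unsigned char)p[0]) || p[1] != ':' || p[2] != '\\') return false;
    for (size_t i = 0; i < map->count; i++) {
        if (tolower((unsigned char)p[0]) == map->entries[i].drive) {
            snprintf(out, outlen, "%s%s", map->entries[i].device, p + 2);
            return true;
        }
    }
    return false;
}

/* Stand-in for ZwOpenFile(FILE_GENERIC_WRITE) under OBJ_FORCE_ACCESS_CHECK:
   in this model a sandboxed token may write under the named pipe device but
   not on the system volume. */
bool sandboxed_token_can_write(const char *device_path) {
    return strncmp(device_path, "\\Device\\NamedPipe\\", 18) == 0;
}

/* The mitigation's decision, parameterised by the map used to resolve the
   substitute name stored in the reparse buffer. */
bool mount_point_allowed(const char *substitute_name, const DeviceMap *map) {
    char target[256];
    if (!resolve_dos_path(substitute_name, map, target, sizeof target)) return false;
    return sandboxed_token_can_write(target);
}

/* Does the object the check inspected match the object a privileged consumer
   following the mount point would reach? If not, the check proved nothing
   about the real target. */
bool check_and_use_agree(const char *substitute_name,
                         const DeviceMap *check_map, const DeviceMap *use_map) {
    char a[256], b[256];
    if (!resolve_dos_path(substitute_name, check_map, a, sizeof a)) return false;
    if (!resolve_dos_path(substitute_name, use_map, b, sizeof b)) return false;
    return strcmp(a, b) == 0;
}

int main(void) {
    const char *sub = "\\??\\c:\\somepath\\xyz";   /* the path from the slides */
    printf("check resolved through caller map: %s\n",
           mount_point_allowed(sub, &CALLER_MAP) ? "ALLOWED" : "DENIED");
    printf("check resolved through global map: %s\n",
           mount_point_allowed(sub, &GLOBAL_MAP) ? "ALLOWED" : "DENIED");
    printf("check and use name the same object: %s\n",
           check_and_use_agree(sub, &CALLER_MAP, &GLOBAL_MAP) ? "yes" : "no");
    return 0;
}
```

Run stand-alone, the model shows the check passing when it resolves through the caller's map and failing when it resolves through the global one, with the two resolutions naming different objects. The general lesson is the one the slides draw: an access check on a name is only as good as the agreement between the namespace the checker resolves it in and the namespace the eventual consumer resolves it in, and a caller who controls part of that resolution controls the check.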
Sandbox Winter is Coming! New in October Kernel Release

DEMO: NTFS Mount Point Mitigation Bypass

Win32k Hardening

Fonts Are Bad

Making it Less Bad
● Disable Custom Font Policy
● User Mode Font Driver (undocumented)

    #include <windows.h>

    // Opt the current process out of loading non-system fonts and audit attempts
    PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 };
    policy.DisableNonSystemFonts = 1;
    policy.AuditNonSystemFontLoading = 1;
    SetProcessMitigationPolicy(ProcessFontDisablePolicy, &policy, sizeof(policy));

User Mode Font Driver
● Running as user in AppContainer
● Only SYSTEM can open process?

Process Token Default DACL
  Before September Patch / After September Patch

Thread DACLs Allow User Access