applocker poc bypass (but no code)

Discussion in 'other security issues & news' started by katio, Nov 18, 2010.

Thread Status:
Not open for further replies.
  1. katio

    katio Guest

    Oh, so you say it's possible to do a staged attack but still keep it in memory only. No idea how that could be done but sure sounds scary.
     
  2. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    He has a new tool to mitigate heap spray attacks... http://blog.didierstevens.com/2010/12/06/heaplocker/

    I am excited for the upcoming PDF dll loading from memory POC to test his very own Heaplocker.
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I had an interesting read.... just wondering what we can do/use to prevent this. Could AppGuard detect this?
     
  4. katio

    katio Guest

    Going by the not very detailed bullet points on their site (http://www.blueridgenetworks.com/products/appguard.php) it doesn't look like it could prevent loading a dll from memory. But it looks quite effective to block whatever a malicious dll would try to do after it got loaded. Therefore, yes, it would detect it, just not directly.
     
  5. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Are there some ways to harden the system (Vista 32bit), besides any other programs, that wouldn't let this get by?
     
  6. katio

    katio Guest

    Applocker and SRP are available (even if you don't have Ultimate, there are some threads here to show you how). Even though it doesn't stop the dll from loading it can still mitigate an attack.
    EMET, it's not built in but it's a free download from Microsoft. You can also manually set DEP, ASLR and SEHOP to always on/opt out. Though be advised this may cause problems with incompatible software. Also EMET adds even more protection.

    Anyway, just in case you missed it, this is nothing to realistically worry about. There is this POC and some theoretical talk but no single malware has used it yet - as far as we know.
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Yes, I understand that but I'm sure eventually it will surface some where.

    I read a little about EMET and it says it can cause problems with incompatible software; I guess I won't know what those would be until I try it.

    It's frightening that SRP can be bypassed so that's why I started asking questions so I can take further precautions. It's scary what this stuff can do.

    I do have DEP but no ASLR, SEHOP, EMET.
    Any tips or tricks you have about the suggested above would be welcome.
     
  8. katio

    katio Guest

    I have EMET configured to leave the global settings default as they are (all 3 are opt-in) and added full protection for those applications that handle untrusted data:
    Browser, Office, media players, pdf viewer
    Not a single problem with incompatibilities so far.

    In case one program keeps crashing on you or throws up an error you disable one checkbox at a time till you find the culprit.

    It's really easy to use since they released a GUI for it.
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
  10. katio

    katio Guest

    Yes, that's the link.
     
  11. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Thanks, I will give it a try. I read an article that SEHOP is for Vista SP1 only and ASLR is on by default in Vista. I'm going to try EMET now and see what happens.
     
    Last edited: Dec 18, 2010
  12. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    You nailed it.

    Our approach is simple. It's the applications that cannot be trusted. There are an infinite number of potential malicious DLLs. Rather than pick out the good from the bad, place the respective application 'under guard' so it can do no harm if ever one of the 'bad' DLLs gets used.

    Cheers,

    Eirik
     
  13. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Excel Macro testing done by SSJ100 using Didier Stevens' digitally signed macro, which was able to run PE executable code directly in memory... http://ssj100.fullsubject.com/t319-excel-macro-testing


    SRP, Applocker, Faronics Anti-Executable 2, Comodo(default), Online Armor(default), Malware Defender(default), Returnil's AE component, AppGuard, Prevx, Mamutu, BluePoint Security and ProcessGuard were all bypassed.

    Sandboxie, DefenseWall and Geswall, all passed. :thumb:
     
    Last edited: Dec 29, 2010
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not quite; they did contain it, though, as in it wouldn't be an irreversible situation. Just like Sandboxie, whose access/run restrictions were bypassed.

    Still, better being able to reverse, than not being. ;)
     
  15. wat0114

    wat0114 Guest

    Can you please link to where ssj stated Applocker was bypassed?
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not sure if one could say that. Didier Stevens mentioned before:

    So, by design it is outside AppLocker's protection scope. Not really being bypassed, I'd say?

    If I'm interpreting it wrong, then I apologize.
     
  17. wat0114

    wat0114 Guest

    No apologies needed. I was asking trismegistos :) ssj100 only seems to indicate it might be possible to bypass, but Didier Stevens says Applocker runs at kernel level so maybe not. I will ask ssj if he can send me the POC so I can test on my setup.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, that also is a bit confusing to understand, on whether or not AppLocker would stop it. I say this, because if it's outside of AppLocker's protection scope... would it running at kernel level... stop it?

    One is always learning, uh? lol
     
  19. wat0114

    wat0114 Guest

    It will sure be interesting to see if I can get my mitts on the poc :) I also find it a bit confusing to understand.
     
  20. katio

    katio Guest

    I think we already established in previous discussions how Applocker cannot by design protect against this sort of "exploit", just like AL and SRP never blocked shellcode from running in the first place. Loading from memory is something legitimate programs do all the time; from that point of view it's not even an exploit. The exploit is what happens before (buffer overflow in most cases) and that's where you have a chance of blocking it. After shellcode has run successfully with the host application's permissions your only bet is isolation through least privileges, MAC or sandboxing.
     
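    The point above (a disk-based allow-list never sees a module that is only ever mapped in memory) is easiest to see from the other side: the defender's check has to be a memory check, not a file check. The following is an added example, not code from the thread or from Didier Stevens' PoC. It triages a constructed listing of process memory regions, of the kind a memory-forensics tool or debugger would produce, and flags executable private memory that carries a PE header (a module loaded without a file) or is RWX without one (shellcode or JIT). The Region fields and the sample listing are assumptions made up for the example.

```python
"""Triage process memory regions for PE images that were never loaded from disk.

Added example for this thread (not Didier Stevens' PoC, not any vendor's code).
The Region layout and the SAMPLE_REGIONS listing are constructed for the
example; they are not real captures.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Region:
    base: int                     # start address of the region
    size: int                     # size in bytes
    protect: str                  # e.g. "PAGE_EXECUTE_READWRITE"
    region_type: str              # "MEM_IMAGE", "MEM_MAPPED" or "MEM_PRIVATE"
    mapped_file: Optional[str]    # backing file for section-mapped regions, else None
    head: bytes                   # first bytes of the region as read from memory


EXEC_PROTECTS = {
    "PAGE_EXECUTE",
    "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE",
    "PAGE_EXECUTE_WRITECOPY",
}


def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(region: Region) -> Optional[str]:
    """Return a finding for a suspicious region, or None for normal memory.

    A MEM_IMAGE region backed by a file is the loader's normal path: that is
    the load AppLocker/SRP get to evaluate.  A PE header sitting in private
    executable memory means the module bypassed that path entirely.
    """
    if region.protect not in EXEC_PROTECTS:
        return None
    if region.region_type == "MEM_IMAGE" and region.mapped_file:
        return None
    if looks_like_pe(region.head):
        return "PE image in non-image memory (memory-only module)"
    if region.region_type == "MEM_PRIVATE" and region.protect == "PAGE_EXECUTE_READWRITE":
        return "private RWX region without PE header (possible shellcode/JIT)"
    return None


def triage(regions: List[Region]) -> List[Tuple[str, str]]:
    """Run classify() over a listing and return (hex base, finding) pairs."""
    findings = []
    for region in regions:
        finding = classify(region)
        if finding is not None:
            findings.append((hex(region.base), finding))
    return findings


def fake_pe_header(e_lfanew: int = 0x40) -> bytes:
    """Constructed minimal DOS+PE header stub used only to build the sample."""
    head = bytearray(0x80)
    head[0:2] = b"MZ"
    head[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    head[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(head)


# Constructed sample: what a listing of an Office process might look like.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x20000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Program Files\Microsoft Office\EXCEL.EXE", fake_pe_header()),
    Region(0x7C800000, 0x100000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Windows\System32\kernel32.dll", fake_pe_header()),
    Region(0x00E40000, 0x3000, "PAGE_READWRITE", "MEM_PRIVATE", None, bytes(0x80)),
    Region(0x02A10000, 0x14000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE", None, fake_pe_header()),
    Region(0x03100000, 0x1000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE", None, b"\x90" * 0x80),
]


if __name__ == "__main__":
    for base, finding in triage(SAMPLE_REGIONS):
        print(base, finding)
```

    Only the two private regions are reported; EXCEL.EXE and kernel32.dll are file-backed images and were already subject to whatever path or publisher rule applies. The second finding is a lead, not a verdict: .NET and browser JIT engines legitimately produce private RWX memory, so a real sweep would whitelist those hosts or check the region against known JIT allocators before raising an alert.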
  21. wat0114

    wat0114 Guest

    Could very well be true, but then why up until now has no one posted screenshots of this poc bypassing AppLocker? If they have, can you please link me to them? Thanks!
     
  22. katio

    katio Guest

    Because
    1) no POC is available publicly (? - last time I checked at least)
    2) AL isn't deployed much compared to other solutions (it's Vista up only and marketed as a lock down business workstations kind of software, not a security solution)

    There is absolutely no question about it being bypassed or not, it's obvious from how the "exploit" works and how AL works that it won't even try to stop loading a dll from memory.
    That's not to say that protection against it couldn't be added in future versions of Windows/AL if this kind of attack takes off in the wild. I wouldn't count on it however (see point 2).
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Microsoft seems to disagree with you. If its task is to lock down systems against unauthorized software installations, I'd say that malware would fit in this description, no?

    etc...

    Source: http://technet.microsoft.com/en-us/library/dd548340(WS.10).aspx

    That would be the same as saying SRP never had such in mind. Microsoft even had/has (I didn't look for it) an article regarding SRP and how to use it to prevent malware.

    It makes all sense for such technologies to be used for preventing malware, because malware is software.
     
  24. katio

    katio Guest

    Trojans, rogue codecs, p2p apps, that all still fits that marketed image.
    What I meant by security solutions is protection against 0 day exploits, drive by downloads, malicious pdfs on private systems (that all use droppers or malicious dlls on disk).
    MS never advertised that SRP and AL are very effective against these threats; instead they released MSE for the general public and let the Wilders users figure out the rest :p
     
  25. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I have Applocker enabled on my PC and the officekat.xls was able to bypass it.

    But I had to enable macros, after a security warning about the certificate issuer, to do it.

    Still very interesting.

    (Added screenshot).
     

    Last edited: Dec 29, 2010