AppLocker - feedback

I have heard that it can be bypassed rather trivially due to a (seemingly intentional) oversight on MS's part. And that it therefore isn't of much real value. But also have heard it sworn by. And see that it works at the kernel level and not merely user space like regular SRP, and see that as a great thing otherwise. So I'm conflicted here as to whether to go with Win7 Pro or Ultimate.

Can someone give me specifics about this "flaw" in lehman's terms? What does it take to pull it off?... physical access to my machine? Because if so it doesn't matter much at all to me.

Also, what does it mean regarding the Pro version that you can create policies, but not enforce them? Am I missing something, or is that as completely pointless as it sounds to me? Is it just to give you an idea of how it would works, had you gotten Ultimate instead? Like a sales pitch?

 

Im no means an expert in circumvention techniques, but i believe you are referring to MS Applocker Patch KB2532445. I do know however one of techniques used to bypass Applocker is to load Dll's from memory via a script.

The following address briefly discusses the bypass techniques hxxp://support.microsoft.com/kb/2532445

On the other hand when i was using Applocker, i spent a lot of time creating my rule set only for it to become a hassle keeping it updated, installing uninstalling of programs, incompatibility with programs etc. I found myself referring to Task viewer for error logs.

I since then discovered "Mr Brians Rulset" here on Wilders and it has, along with KB2532445 been very effective,compatible and hassle free with my system.

In regards to Pro Versions or Ultimate i believe Applocker rules can be created in the Pro version of Windows but can only be enforced in the Ultimate or enterprise versions.

There was a Thread started here a while ago.

hxxp://www.wilderssecurity.com/showthread.php?t=321479

 

https://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7
https://www.wilderssecurity.com/showthread.php?t=357136

 

So you're saying that situation has been patched now? Also, wouldn't something like EMET prevent a scenario as you described from happening? Also there is often memory & shellcode mitigation built into HIPS. But that'd be kinda redundant to use a HIPS to help harden AppLocker. I'd just use Pro then and a HIPS instead, which is the way I'm leaning at this point. It just seems more granular, comprehensive, and more powerful period than AppLocker. That and I just find it harder to trust MS's integrated tools, that they don't have backdoors or whatnot in them.

And I'm aware that in Pro you can only create policies but not enforce them... that's what I said. What I want to know is... doesn't that make it essentially useless in Pro? What possible reason would someone have to even use it then? Just to see what you're missing by not having Ultimate? Or am I missing something here?

Thanks for the links.

 

Oh, and I'm talking about the vulnerability mentioned in these 2 links:

http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/

https://www.wilderssecurity.com/showthread.php?t=291467&page=2

There never was any mention that a Windows update ever was released for it for in that thread. Just that you had to request a hotfix for it and they'd email it to you... which I find pretty ridiculous for such a major flaw. I hope it has been addressed in an update by now... possibly the very one you mentioned?

 

Unfortunately i believe Microsoft has never officially patched it via a windows update. You are correct in saying that the patch has to be requested and emailed to you. It was like that back in 2010 when i think the vulnerability was first discovered. Pretty lame actually, quite a floor by design. But how many potential viruses worms etc are designed to use this bypass technique? Applocker will still prevent a large majority of infections even without the patch. But I guess MS never really considered it to be a viable security option.

Im not sure if EMET would protect against it. Doesn't EMET only mitigate scripts if a program initiating them is put under its guard? Maybe someone a bit more knowledgeable can have an input?

I agree that there is no point in trusting MS internal security and any HIPS will do a far more superior job than Applocker and cover a larger spectrum, hence why iv haven't used Applocker for a long time, and am unaware if this KB2532445 has been released under another KB via windows update or part of SP2 update.

In regards to windows versions, sry misread your post. Good question, i have no idea why that is. Professional might be geared towards small business that require SRP but not the extra management features of applocker but i have no idea the logic to create them but not enforce them. Maybe to differentiate versions as Applocker supersedes SRP in terms of management geared towards enterprise.

Thanks for those links. Im by no means an expert but interesting indeed, but its still initiated by a script in excell isnt it? I believe then the script loads LoadLibraryEX in memory. LoadLibraryEX consists of various instruction sets or modules one of which is instructed to bypass authorization using LOAD_IGNORE_CODE_AUTHZ_LEVEL or by module LOAD_LIBRARY_AS_DATAFILE

See

hxxp://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx

See the following quote from the above link.

"If this value is used, the system does not check AppLocker rules or apply Software Restriction Policies for the DLL. This action applies only to the DLL being loaded and not to its dependencies. This value is recommended for use in setup programs that must run extracted DLLs during installation.
Windows Server 2008 R2 and Windows 7: On systems with KB2532445 installed, the caller must be running as "LocalSystem" or "TrustedInstaller"; otherwise the system ignores this flag ".

I guess the above also explains the deliberate hole.

 

For all the protections "only" on the part you list apps, like ROP mits, Heap Spray, etc... yes. But I was thinking system wide DEP or ASLR could beat it, namely both together. But looking at one of those threads that theory was shot down too.

I can't believe they haven't patched this yet. And I wouldn't hold onto much hope that it will be in a SP2. If it were a priority they wouldn't wait around like that. Plus new SP's are mainly just roll-up's of all the updates since the last SP. There's never much new stuff in there.

Patched up/hardened it could still be a handy tool, since it operates at the kernel level. You could whitelist your apps with it, allowing them only the ability to run or not. And use a HIPS to fine tune exactly what they can do too. So after thinking about it it's really not that redundant, AppLocker could be seen as hardening a classic HIPS even. So I'm starting to talk myself in to going with Ultimate a bit here.

Fortunately I use a Dell and their reinstallation discs can be found dirt cheap, and it doesn't ask you for any license key when you use them to install the OS. I think I might buy 4 different ones (Pro & Ultimate, both 32 & 64 bit), and try them all out. Even though I really don't plan on going x64 as of yet, I always like to try things out of mere curiosity.

 

-http://technet.microsoft.com/en-us/library/ee844118(WS.10).aspx

Correct:

-http://support.microsoft.com/kb/2532445

emailing for them is no big deal. MS doesn't ask for personal info.

 

I'm not a programmer... how would an attack using that vulnerability look in practice?
I only know one example, where you need to have MS Office with macros installed (and I guess then you'd open a malicious document).
Is this the same or is there some other way?

 

That's the only scenario I ever see brought up too looking through those threads, in regards to an actual real world situation. The rest theory, "it could do this", etc... but no practical examples out there to be heard of.

It's simple enough to get that patch it seems... but that's not really the point. Maybe it's a subjective matter or principal type deal to me. But I think this situation merits a bigger response than that. Or maybe the word responsibility fits better.

 

As a side note, SecureAPlus anti-exe seems to have protection for the mentioned Applocker hole as per sinlam's posts.

https://www.wilderssecurity.com/showpost.php?p=2288575&postcount=401

https://www.wilderssecurity.com/showpost.php?p=2288899&postcount=408