Circumventing SRP and AppLocker by design, with SANDBOX_INERT -> new process

Discussion in 'other security issues & news' started by Didier Stevens, Jan 24, 2011.

Thread Status:
Not open for further replies.
  1. RichieB2B

    RichieB2B Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    13
    No exploits are needed. I'm pretty sure Didier's proof of concept Excel code can be turned into a generic "run any exe" tool. Why is it that a proof of concept is always required before people see the seriousness of a vulnerability?

    Didier: can you write Excel code that takes a full path to an exe in cell A1 and executes it, circumventing AppLocker? If I was a better coder, I would do it myself.

    AppLocker does not and will not prevent exploits or malicious code from being run (see in memory DLL loading). It should however prevent the loading of DLL or EXE files from insecure locations by exploits or malicious code (or unprivileged user). AppLocker's whole purpose is to prevent the loading of DLL/EXE/scripts from insecure locations/sources. Microsoft failed miserably at this purpose by allowing unprivileged circumvention of AppLocker.
     
  2. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    I'll add it to my todo list.
     
  3. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    Not exactly, you also have the "scripting language in a whitelisted application" vector, like VBA in Excel. And you don't even have to mislead the target to convince him to execute macros... You can just make him want to execute the macro, as I explained in Frisky Solitaire.
     
  4. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    Yes, it's possible to do this.
     
  5. katio

    katio Guest

    VBA itself is the issue here, like Javascript in a modern browser it should be confined and not be allowed to call these functions. I think Office needs to be fixed here (AFAIK 2010 isn't exploitable if configured correctly). Or AL could check macros just like it already does with vbs now.
    I'm not sure if MS overlooked this problem. Maybe it's not part of the threat model AL was designed for (users installing their own software) but it leaves a glaring hole for SE attacks. MS needs to take some action here, but it's not removing mentioned "bypasses".

    Fixing these "design holes" wouldn't close the risk that malicious macros pose anyway. Disallow scripting, keep your stuff updated, don't rely on anti-executables.
     
  6. RichieB2B

    RichieB2B Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    13
    Thanks for confirming. Can you do this, and submit it to Microsoft as a way to circumvent AppLocker? This will force them to take this very seriously.
     
  7. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    Can you elaborate? Because I've also successfully used some of my spreadsheets on Office 2010/Win 7.
     
  8. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    Oh no, don't expect Microsoft to change this. You are talking about changing some of their functions in the WIN32 API. That is a major undertaking, Microsoft only does that when releasing new versions of Windows, or when they release OS-changing service packs, like XP SP2!

    I have a very small hope that there is a (hidden) setting to disable the effect of these flags in the WIN32 API. My contacts at Microsoft are contacting the AppLocker team.
     
  9. RichieB2B

    RichieB2B Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    13
    I don't expect much, but we got the CWDIllegalInDllSearch registry entry in the end, didn't we?

    At the very least a working proof of concept will show beyond a doubt that AppLocker is useless in its current implementation. Reactions like those above from katio (no offense intended) show that such a tool is required before this will be understood by everyone.
     
  10. katio

    katio Guest

    Well, can't admins disable macros and prevent users from changing that setting?

    Secondly only "trusted" VBAs are allowed. Apart from being signed it also must be signed by a "reputable certification authority (CA)". I don't think "Didier Stevens" fulfils that requirement as much as I trust you :p
    http://blog.didierstevens.com/2009/01/05/howto-add-a-digital-signature-to-an-office-document/

    source: http://technet.microsoft.com/en-us/library/ee857085.aspx
     
  11. katio

    katio Guest

    But I take offence :mad:
    No, just kidding. But really, AL needs to check macros or Office needs to sandbox their interpreter. I don't see a need to disable said calls.
     
  12. RichieB2B

    RichieB2B Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    13
    Disabling all macro capabilities in all whitelisted applications in order to make AppLocker work the way it is supposed to is not a solution IMHO. Throwing out the baby with the bathwater so to speak..
     
  13. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    Ah yes, the macro security settings. These were already present in Office 2003. In a default install, Office 2003 applications require macros to be signed. It costs you a couple of $100 to buy such a certificate from a CA, no background checks are performed.

    And you probably know that Office macros are very frequently used by power users in large corporations. Personally, I don't know large corporations that banned Office macros completely. Would kill too many of their business processes.
     
  14. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    I just scanned their web page:

    That doesn't look good. VC++ 6 was introduced in 1998, that's when NT4 was still the major Windows enterprise OS! It doesn't support the necessary switches for DEP and ASLR. Unless the developer uses another tool to set these in his build chain, the binaries won't support DEP nor ASLR.
     
  15. katio

    katio Guest

    In the heat of the discussion I really did lose track of the fact that the POC at hand DIDN'T rely on an exploit...

    Whatever is a "reputable certification authority (CA)".o_O
    /insert rant about the CA trust model
    This sucks. I hope MS will listen, AL needs to block macros as well or it's nothing more than a joke.
    Can you confirm that adding scripting rules in Applocker doesn't do that already? I don't have Office installed...

    Here's something funny:
    http://technet.microsoft.com/en-us/library/bb457006.aspx
    That's what I'd call "incompetent, reckless or stupid"....
     
  16. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    I have Office installed in a couple of my test VMs, I'll take a look later. But I don't expect AL scripting rules apply to VBA. For example, VBA macros don't need to touch the disk. When you start Excel, you can create a new spreadsheet, write a macro and execute it, all without ever saving the spreadsheet. I don't think AL hooks the VB scripting engine (the VB scripting engine is a COM object, the hooking needs to be done in COM, like AV does).
     
  17. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    You can remove all the root CAs you don't want to trust. You could even remove all root CAs, and add your own root CA.
    But I fear this would affect other applications too, like IE. IE needs root CAs to establish HTTPS connections.
     
  18. katio

    katio Guest

    Just checked and it doesn't :(
    So why on earth can an office macro call random exes and dlls? If that was a PDF everyone would be screaming "Adobe fix that exploit".
     
  19. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    OK, thanks for confirming.

    I know, VBA macros are extremely powerful. Not many people realize that. You can call any (WIN32) API from a VBA macro.
     
  20. doc77

    doc77 Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    55
    Thanks for your research Didier! At the end of the day for me, katio is talking about advanced targeted attacks bypassing applocker but I'm sure advanced targeted attacks would bypass anything anyways. Several US government networks have been bypassed and targeted, etc etc. The chances of a skilled hacker targeting your specific machine is remote to nonexistent. Didier also says this isn't in the wild, I have tested over 500 malwares against LUA & SRP and haven't been able to infect it. My point is, it's secure enough for me, I'll keep regular backups, safe/boring online habits, and LUA & SRP intact.
     
  21. katio

    katio Guest

    Targeted attack doesn't equal advanced and high value targets

    See the last two paragraphs: https://www.wilderssecurity.com/showpost.php?p=1817892&postcount=49

    Most of those are due to poor client security. Aurora is a good example. Even Stuxnet isn't what I'd call "advanced". It's a bunch of 0days (you could buy on the black market) and actually pretty "boring" in its design.
    "You are doing it wrong". By Malware you most likely refer to malicious exe files which are used in automated attack. If you want to test your security why not go to 4chan, post your particular setup and ask them to send you some links and files. Make a challenge like "post my secret lolcat image stored on C:/secret.jpg ...
     
    Last edited by a moderator: Jan 25, 2011
  22. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    68
    I checked today. SuRunExt.dll is compiled without support for ASLR or DEP.
     
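Checking whether a DLL was linked with the DEP and ASLR opt-ins is something an admin can verify for any binary on a system. The Python below is an added example, not code from this thread, from Didier or from the SuRun project: it parses the PE headers and reports the NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) bits of DllCharacteristics. It goes slightly beyond the post by also checking that relocation data has not been stripped, since a DYNAMIC_BASE flag without relocations cannot actually be rebased by the loader. The header builder and the three sample images are constructed for the demonstration; point check_file() at a real DLL path to examine an actual binary.

```python
import struct

# Flags from the PE/COFF specification (winnt.h names).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no relocations, cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (PE32+ only)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE, ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT, DEP opt-in
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the DEP/ASLR opt-in flags.

    Only the DOS header, PE signature, COFF header and the first 72 bytes of the
    optional header are read, so `data` may be just the start of a file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    size_of_optional, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+.
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)

    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # Effective ASLR needs both the opt-in bit and relocations the loader can apply.
        "aslr": dynamic_base and not relocs_stripped,
        "aslr_flag_without_relocs": dynamic_base and relocs_stripped,
        "high_entropy_va": magic == PE32PLUS_MAGIC
        and bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def check_file(path: str) -> dict:
    """Read a PE file from disk and report its mitigation opt-ins."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


def build_header(dll_characteristics: int, coff_characteristics: int = 0,
                 magic: int = PE32_MAGIC) -> bytes:
    """Construct a minimal header-only PE image (test input, not a real binary).

    It has no sections and will never load, but it is enough for pe_mitigations().
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, coff_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: an old-toolchain style build with no opt-ins, a build
    # with /DYNAMICBASE /NXCOMPAT, and a build that sets the ASLR bit but stripped relocs.
    samples = (
        ("legacy build", build_header(0)),
        ("modern build", build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                      | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)),
        ("aslr bit, relocs stripped",
         build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_FILE_RELOCS_STRIPPED)),
    )
    for label, header in samples:
        print(label, pe_mitigations(header))
```

The relocation check matters in practice: a linker can be told to set DYNAMIC_BASE on an image whose relocations were discarded, and such a DLL will always load at its preferred base even though a flag-only check would report ASLR as enabled.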
  23. wat0114

    wat0114 Guest

    Let the posts declaring outrage at this Surun abomination begin. It will no doubt become a prime target for the world's hacker community :rolleyes:
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you don't behave during the year, Santa may get mad. :D
     
  25. wat0114

    wat0114 Guest

    This will probably serve you perfectly fine. On backup images, ultimately the best fail-safe security measure, I'm willing to bet all those here are at least 10x more likely to use it to recover from a failed h/drive or recover a self-borked system rather than using it to recover from one of these new type malware attacks.

    It's too late for me already :D
     