Privexec - Run the program with the specified permission level

Discussion in 'other software & services' started by WildByDesign, Nov 29, 2018.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From M2Team (https://github.com/M2Team), the developers of NSudo (https://github.com/M2Team/NSudo). I have shared some posts over in the NSudo thread here while Privexec has been in its relatively early development but decided that it has evolved enough to deserve its own thread. Privexec is an absolutely powerful program, similar in respects to NSudo.

    Project Link: https://github.com/M2Team/Privexec
    Downloads: https://ci.appveyor.com/project/fcharlie/privexec/build/artifacts

    At the moment, after each code commit, the latest development releases are always available immediately on their AppVeyor page in the Artifacts section.

    Privexec is the GUI version, while wsudo is the command line version. wsudo is great for creating application shortcuts by adding the command line within the shortcuts.

    Privexec (elevated has more options such as Trusted Installer and SYSTEM):
    admin.png

    wsudo:
    wsudo.png


    Next posts I will share some things that I have learned, particularly with the AppContainer launching which is a more recent development.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,344
    Location:
    U.S.A. (South)
    Looking forward to your sharing of results and the experience with it and opinions that might be passed along.

    I admire tools as these in their capabilities for, especially us power users to use to test scenarios and even help where they are of useful benefit to solve some uncertainty we might encounter without them available to turn to.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    To verify some of the AppContainer token details, you can use the latest Process Hacker Nightly builds (https://wj32.org/processhacker/nightly.php).

    For example, let's say you launched notepad.exe within an AppContainer sandbox. Click on the process in Process Hacker, go to the Token tab. In the User section at the top, you can see that it is within AppContainer. The User SID is the actual AppContainer SID. Click on the Advanced button on the bottom right, that opens Token Properties and click on Capabilities tab and here you can view whichever capabilities you have allowed for your AppContainer.

    The developer is currently looking into methods to add Restricted Capabilities which will allow for many more than just the default 12 capabilities that are currently available.

    You can also add a Package.appxmanifest file which contains app settings but also includes a Capabilities declaration section and Privexec will parse and import those.

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities" IgnorableNamespaces="uap mp rescap">
      <Identity Name="c9d8c1c5-2ee3-413a-b446-636587e0eaa2" Publisher="CN=mattowen" Version="1.5.7.0" />
      <mp:PhoneIdentity PhoneProductId="c9d8c1c5-2ee3-413a-b446-636587e0eaa2" PhonePublisherId="00000000-0000-0000-0000-000000000000" />
      <Properties>
        <DisplayName>FluentThemeEditor</DisplayName>
        <PublisherDisplayName>Microsoft</PublisherDisplayName>
        <Logo>Assets\ColorAlgorithmToolStoreLogo.png</Logo>
      </Properties>
      <Dependencies>
        <TargetDeviceFamily Name="Windows.Universal" MinVersion="10.0.0.0" MaxVersionTested="10.0.0.0" />
      </Dependencies>
      <Resources>
        <Resource Language="x-generate" />
      </Resources>
      <Applications>
        <Application Id="App" Executable="$targetnametoken$.exe" EntryPoint="FluentEditor.App">
          <uap:VisualElements DisplayName="ms-resource:AppDisplayName" Square150x150Logo="Assets\ColorAlgorithmToolSquare150x150Logo.png" Square44x44Logo="Assets\ColorAlgorithmToolSquare44x44Logo.png" Description="ms-resource:AppDescription" BackgroundColor="transparent">
            <uap:LockScreen Notification="badge" BadgeLogo="Assets\ColorAlgorithmToolBadgeLogo.png" />
            <uap:DefaultTile Wide310x150Logo="Assets\ColorAlgorithmToolWide310x150Logo.png" Square71x71Logo="Assets\ColorAlgorithmToolSquare71x71Logo.png" Square310x310Logo="Assets\ColorAlgorithmToolSquare310x310Logo.png">
              <uap:ShowNameOnTiles>
                <uap:ShowOn Tile="square150x150Logo" />
                <uap:ShowOn Tile="wide310x150Logo" />
                <uap:ShowOn Tile="square310x310Logo" />
              </uap:ShowNameOnTiles>
            </uap:DefaultTile>
            <uap:SplashScreen Image="Assets\ColorAlgorithmToolSplashScreen.png" />
          </uap:VisualElements>
        </Application>
      </Applications>
      <Capabilities>
        <Capability Name="internetClient" />
        <Capability Name="internetClientServer" />
        <Capability Name="privateNetworkClientServer" />
        <Capability Name="documentsLibrary" />
        <Capability Name="picturesLibrary" />
        <Capability Name="videosLibrary" />
        <Capability Name="musicLibrary" />
        <Capability Name="enterpriseAuthentication" />
        <Capability Name="sharedUserCertificates" />
        <Capability Name="removableStorage" />
        <Capability Name="appointments" />
        <Capability Name="contacts" />
        <Capability Name="internetExplorer" />
        <Capability Name="constrainedImpersonation" />
        <rescap:Capability Name="broadFileSystemAccess" />
        <rescap:Capability Name="inputInjectionBrokered" />
        <rescap:Capability Name="enterpriseDataPolicy"/>
        <rescap:Capability Name="locationHistory"/>
        <rescap:Capability Name="runFullTrust" />
      </Capabilities>
    </Package>

    Particularly of note is the <Capabilities> section at the bottom of that file. That is currently my testing file just for use with testing each of these development releases. Currently, the rescap:Capability (restricted capabilities) are not working. But it is there for testing purposes for when the developer adds support for it. There is an open (technically closed) bug report with conversation and details regarding that part of the feature.
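The manifest import described above, as an added example that is not part of the original post or of the Privexec project: a namespace-aware read of the `<Capabilities>` section that separates plain capabilities from `rescap:` (restricted) ones, which live in their own XML namespace and are invisible to an unprefixed query. The manifest path is an assumed placeholder.

```powershell
# Added example: list the <Capabilities> of a Package.appxmanifest, flagging
# restricted (rescap:) entries. $ManifestPath is a placeholder to replace.
$ManifestPath = 'C:\path\to\Package.appxmanifest'

function Get-ManifestCapabilities {
    param([Parameter(Mandatory)][string]$Path)

    $xml = New-Object System.Xml.XmlDocument
    try {
        $xml.Load((Resolve-Path $Path).ProviderPath)
    }
    catch [System.Xml.XmlException] {
        # A manifest that uses the rescap: prefix without declaring xmlns:rescap
        # is not well-formed XML and fails here rather than silently dropping entries.
        throw "Manifest is not well-formed XML (is the rescap prefix declared?): $($_.Exception.Message)"
    }

    # Plain and restricted capabilities are in different namespaces; both must be
    # registered or XPath will not match the rescap: elements.
    $foundationNs = 'http://schemas.microsoft.com/appx/manifest/foundation/windows10'
    $rescapNs     = 'http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities'
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('f', $foundationNs)
    $ns.AddNamespace('rescap', $rescapNs)

    foreach ($node in $xml.SelectNodes('/f:Package/f:Capabilities/*', $ns)) {
        [pscustomobject]@{
            Name       = $node.GetAttribute('Name')
            Restricted = ($node.NamespaceURI -eq $rescapNs)
        }
    }
}

$caps = Get-ManifestCapabilities -Path $ManifestPath
$caps | Format-Table -AutoSize

# Restricted capabilities such as broadFileSystemAccess or runFullTrust widen the
# sandbox far beyond the default set, so report them separately for review.
$restricted = @($caps | Where-Object { $_.Restricted })
if ($restricted.Count -gt 0) {
    Write-Warning ("Manifest requests {0} restricted capabilities: {1}" -f `
        $restricted.Count, ($restricted.Name -join ', '))
}
```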
     
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,134
    Location:
    UK
    Can't see which windows version is required on mobile page.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    By default, the AppContainer sandboxed process cannot access the file system at all. Nothing. So this was one of my first challenges. I actually reached out and received help from Google Project Zero's James Forshaw with a command to allow file system access. You need the User SID (AppContainer SID) from Process Hacker Nightly build to do this.

    First of all, you could add directory and file permissions to allow "ALL APPLICATION PACKAGES" access to whichever sections of the file system you want access to. However, this will allow ALL AppContainer processes on your system to access these, not just this one process. This is the most convenient method, but likely not the most secure.

    So what you can do is allow based on just that User SID (which is AppContainer SID). This will allow only the AppContainer processes created by Privexec to access the specified sections of the file system.

    Command from Admin command prompt:
    Code:
    icacls D:\Hyper-V /grant *S-1-15-2-3033654352-1338942568-3396798270-2998646991-2786769206-3332858761-1010262131:(OI)(CI)(RX)
    That command allows that User SID (AC SID) to access anything contained within the Hyper-V directory (and sub-directories of Hyper-V) to be accessed from within the AppContainer sandbox. So if we launched notepad.exe, for example, that is the only folder on the system that this process can save/edit/modify on the system. Unless, of course, the system may already have some sections that gave permissions to "ALL APPLICATION PACKAGES" which is for all AppContainer processes. I think Program Files and others allow this.

    That seems to be the same User SID (AC SID) on my system at least, that Privexec creates for all AppContainer sandboxes that it creates. I don't know if that may be different on other user systems. So if you are testing this, you will have to check that in Process Hacker nightly builds. At some point, possibly the Privexec developer can change it so that the SID is different each time.

    Anyway, that is all for now.
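The scoped grant from this post, as an added example (not from the original post or the Privexec project): first audit which package SIDs already have access to a directory, flagging the well-known ALL APPLICATION PACKAGES group that opens a path to every AppContainer on the machine, then grant the same (OI)(CI)(RX) access the icacls command gives, but through Get-Acl/Set-Acl. The path and the AppContainer SID are placeholders; read the real SID from the Token tab in Process Hacker as described above.

```powershell
# Added example: audit AppContainer ACEs on a directory and grant scoped RX access
# to one AppContainer SID. Both values below are placeholders to replace.
$TargetPath      = 'D:\Hyper-V'
$AppContainerSid = 'S-1-15-2-XXXXXXXXXX'   # placeholder, not a real package SID

function Get-AppContainerAces {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Resolve the ACE identity to a SID string; package SIDs begin with S-1-15-2-.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sid -notlike 'S-1-15-2-*') { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # S-1-15-2-1 is ALL APPLICATION PACKAGES and S-1-15-2-2 is ALL RESTRICTED
            # APPLICATION PACKAGES: an ACE for either applies to every sandbox, not just this one.
            Broad     = ($sid -eq 'S-1-15-2-1' -or $sid -eq 'S-1-15-2-2')
        }
    }
}

function Grant-AppContainerReadExecute {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sid
    )
    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # icacls (OI)(CI)(RX): inherit to files and subfolders, read and execute only.
    # RX does not permit writing; an app that must save files needs Modify instead.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Get-AppContainerAces -Path $TargetPath | Format-Table -AutoSize
# Run from an elevated prompt once the placeholders are replaced:
# Grant-AppContainerReadExecute -Path $TargetPath -Sid $AppContainerSid
```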
     
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    I wonder if this can be used somehow for security

    Like, running programs with more restricted and tightened permissions and maybe it turns out the program didn't need the higher permissions to begin with, as long as it can do what it needs to do, but that's a bit of a long shot

    Or maybe, running a program with TI permissions so it can write to a folder/file which can be written to only by TI, thus we know the folder/file is secure from anything else since only the given program(s) has TI permissions. But then again, pumpernickel already kinda does that. Not with registry keys tho
     
    Last edited: Nov 29, 2018
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,344
    Location:
    U.S.A. (South)
    Beautiful! Much appreciated. Nice ongoing development of ProcessHacker adding useful features going forward as usual.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Potentially, yes. Although the complexity of, for example multi-process apps, can make this more complicated. I'm still trying to find appropriate apps for testing and see just what might benefit from the AppContainer portion of this program. One of my first tests was to configure Firefox to utilize only one single firefox.exe process (disable e10s, essentially) but sadly Firefox failed to start as Low IL. Some programs may also require use of the Restricted Capabilities which is not yet developed into the program.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    So far, some of the simple, single process apps that I have tested successfully* are:
    * required command from post #5 to allow save/edit/modify for file system permissions

    mspaint.exe (Paint)
    notepad.exe (Notepad)
    win32calc.exe (Calculator - old original Calc)
    wordpad.exe (WordPad)

    Those all worked well within AppContainer sandboxes.

    Later on, I would like to take it up a step and try AppContainer with KeePass (likely the 1.x version that I prefer anyway). My assumption, though, is that KeePass likely will not be able to show its system tray icon while within an AppContainer sandbox. But regardless, I will test and find out and dig into the permissions further.

    I'm not sure if Chrome's single process mode still is functional or not because, as I understand it, the Chrome dev team no longer supports that. But I will investigate a bit just for the fun of it.

    Another thing that I would like to investigate is media players. Particularly, Media Player Classic (MPC-BE and/or MPC-HC). I would like to try to get those working within AppContainer if possible. Some functionality will likely break though.
     
  10. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Works great, right until you have to actually edit a file... I use Notepad++ but I imagine the same concept applies. You'll have to add the custom SID to your entire drive, so everything is covered. Overall, is it better than giving admin permissions? Probably. But the only time I imagine this difference would matter, is when the process in question gets hijacked and tries to abuse its permissions, otherwise the latter won't matter. And if that happened, then the outer defense failed. So trying to improve the inner defense is like scraping the remains of what's left, when we should instead focus on not getting to that point. Simplicity is best, why make stuff more complex when ultimately the inner defense does not matter if the outer defense does its job correctly. And when the process gets hijacked so that it can use its permissions to do bad stuff, thus the entire point of restricting its permissions as much as possible using this program, then we've already failed. And for everything else, one can always use a VM or a sandbox
     
    Last edited: Dec 1, 2018
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Firefox AppContainer. So I had given up at one point. But after several days, I had realized that I made a mistake (several mistakes actually) with the permissions which is why my initial testing with Firefox never showed any UI and crashed every time.

    Firefox-AppContainer.png

    This is a pretty solid AppContainer sandbox with only the minimal amount of permissions to allow Firefox to run correctly. Everything seems to be fully functional, however, I assume that Firefox Updates would likely fail until I add permissions for that. Otherwise, this is kind of neat and I'm glad that I persevered in this simple testing adventure.

    As mentioned initially, I put Firefox into its single process mode (disabled electrolysis/e10s) to simplify this testing process. I'll do more testing later to see if multi-process Firefox AppContainers will be able to properly communicate with each other.


    @Floyd 57 Sorry for my late reply on this. I don't think this is necessarily better. This is just some testing in which cases I like to break things first and fix later. I suppose that is my best way of learning. Make mistakes; fix the problem, and learn.

    But the reality is, when it comes to AppContainer, it would always be best case scenario from a programming perspective to have the AppContainer code and permissions built right into the code base from the beginning. Using an "AppContainer Launcher" type of thing like this is always going to have some problems. Some parts of functionality will likely break when it comes to highly complex programs like browsers. So at the moment, this is just pure curiosity. I don't have a solid use case from this testing yet that is worthwhile to keep on a daily basis. But I do have fun breaking things and figuring it out in the end.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    So I finally had some time to add some additional touches to Privexec and put a little spin on it as well. Since my last posting here, the Privexec developer has added Low Privilege AppContainer (AC) which is essentially a Default Deny everything type of AppContainer. Super restrictive and therefore difficult to use. But anyway, it's there, confirmed and working. I helped by assisting to add 287 Named Capabilities to the UI, including LPAC capabilities. It has the ability to parse 800+ capabilities via the Appx manifest import as well. Lots of assistance from Google's James Forshaw for LPAC and capabilities.

    Privexec-AC-LPAC.png

    Download (and source): https://github.com/WildByDesign/Privexec/raw/WildByDesign-patch-3/Privexec_mybuild 2018-12-28.7z
    Latest official build: https://ci.appveyor.com/project/fcharlie/privexec/build/artifacts

    Please keep in mind that AppContainer sandbox is not very easy to use when it's not built into the program with appropriate permissions, etc. So this is mostly just for testing and fun.
     