Privilege Escalation exploits?

Discussion in 'other anti-malware software' started by Dregg Heda, Apr 3, 2010.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I know that theoretically malware can bypass LUA with the use of these exploits, but in reality how common is this? Can anyone actually provide real world examples of malware which successfully bypasses LUA in this way? Are there any known malware or even POCs which can bypass LUA?
     
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  3. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  4. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for the response guys, it seems to me that privilege escalation is extremely rare and difficult. Those articles are 2, 3 and 1 years old respectively. One deals with usermode rootkits and loggers which can be dealt with by AM apps with admin privileges, another requires personal access to the target (at which point all bets are off) and the third applies primarily to servers. Are you guys aware of any malware currently doing the rounds with privilege escalation capabilities (Edit: specifically targeted at non-server editions of Windows)?
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dregg Heda,

    As a shameless policy management promoter I have done some testing on my brother-in-law's Windows 7 x64 machine (on his bare-bones Windows 7 OS, don't worry, I re-formatted the drive and made sure he got a clean install).

    I dare say that it is safe to run as an Admin Account (no fear of elevation intrusions), with the following prerequisites:

    1. Running full UAC (be smart and set it to max after you have installed everything), so that is one position higher than the default UAC (which does not kick in on registry changes).
    Benefit: you get an elevation request on all intrusions to the System/Admin space.

    2. Running your internet facing applications with Medium rights (IE runs with Lowest rights by default, tabs of Chrome also run with lowest rights). When running UAC this is realised by default. When you do NOT want to receive elevation requests (to PREVENT USER MISTAKES), then setting the integrity rights to M (Medium) with ICACLS.EXE does the trick.
    Benefit: when an application requests elevation it is SILENTLY denied, so this excludes user mistakes (normally all internet facing applications should run well with Medium rights).

    3. Applying the deny execute registry trick and using Chrome.
    When you change the value below, Chrome is allowed to download a file, but Explorer does not allow it to be executed.
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Add a REG_DWORD, rename it to 1806 and give it a hexadecimal value of 3; it should show
    1806 REG_DWORD 0x00000003 (3)


    This deny execute ACCESS limitation can be removed by right clicking on a downloaded executable, selecting properties and selecting the general tab; at the bottom there is a security block which can be removed (permanently).

    When you use Windows ZIP, this marker is even saved when extracting executables from a ZIP archive (note other archive managers like 7-Zip do not copy the ADS marker).

    Benefit: you add a selective ACCESS limitation (which effectively acts as a deny execute), which can be removed for files you do want to execute (stops drive-by download infections).


    4. As said, Chrome is the most elegant browser to use the registry trick with (IE8 does not even let you download it, FF seems to download a zero-byte executable). Two years in succession Chrome was not hacked at the PWN2OWN contest.
    With Win7 lower objects are not allowed to change higher rights objects. This still leaves the option open for side-by-side infections. Chrome's sandbox does not allow side-by-side infections, so in x64 (and in the browser) it is advisable to use the --safer-plugins switch; this also sandboxes Flash, PDF plugins etc.

    Benefit: add an extra policy sandbox with Chrome which applies stronger policy limitations than Microsoft does.


    Note:
    With the 'normal' features of the OS, chances are also very low in reality.


    Regards Kees
     
    Last edited: Apr 4, 2010
  7. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    LUA is good but not 100 percent. No single app is 100 percent. So you can't totally rely on LUA as your only security measure. You need other security apps as well, without going overboard.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    To be honest, when you add free Facebook PrevX Safe Online and free Avast (file shield) and SiteAdvisor for Chrome to the above setup, I think an average user can't go wrong (will never be infected in practice), ergo does not need any security application.
     
  9. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Interesting read MrBrian! But again the article is 3 years old, and it seems that the rise of these exploits has not taken off as the article predicts. It seems to me that so few people run as LUA that malware writers just don't seem to bother coding privilege escalation into their nasties.
     
  10. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Kees,

    Fascinating post as always. I am not currently using x64, but I will assume everything you've posted is equally applicable to x32. I have two main questions regarding the registry trick:

    1) Does it work with Iron?

    2) Does it apply to all executable types or only .exes?

    EDIT: Oh and thanks for the info on UAC regarding registry protection, I was not aware of this.
    Thanks.
     
  11. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Arran,

    LUA is not my only line of defence, but the reason I ask this question is because I am interested in seeing how much protection it gives alone. Also from an intellectual perspective I am curious. For the longest time I've been against LUA due to privilege escalation exploits. However I recently realised that it was illogical distrusting LUA based on theoretical privilege escalation exploits and so I started this thread to see just how common this vulnerability was in reality.
     
  12. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I have been running for a long time with LUA/SRP and no real-time security apps. I just have some on-demand scanners to check files I download. Every couple of weeks I run a scan over the system partition with Avira, Malwarebytes and AVZ and they never find anything. It really does work, it uses no resources, causes no BSODs and needs no updates. Things like the TDL3 rootkit or mbr rootkits can't install under a limited account. This is much preferable to trying to find it with a rootkit detector after the fact.

    Of course that's illogical. Just because there are privilege escalation exploits it makes no sense to run as admin and save them the trouble of even needing an exploit o_O

    BTW, this is why it's important to keep the OS and vulnerable software patched. The patches for Blaster and Sasser were out long before the malware, so anyone that got hit with that only had himself to blame. Same for Adobe Reader, Flash and Java.
     
  13. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It's true that in general malware writers nowadays aren't that bothered about trying to circumvent well protected systems. They're just after a fast £ and the simple fact is there's far easier ways to get malware onto the most systems possible, as illustrated by the huge number of rogue AMs out there.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Remember though that by default admin users (except for the Administrator account) in Vista and Win 7 have a filtered token, so a privilege escalation exploit would be useful even in admin accounts in order to avoid a UAC prompt.
     
  15. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    This for me seems to work differently than you describe. I'm using Win 7 Pro with IE8. By default and since installing Win 7, any download will have in the file properties, general tab, an Unblock button.

    [screenshot attachment: 1.jpg]

    If I do not select the Unblock and apply it but do decide to install the download by clicking it, the app will install without any problems.

    [screenshot attachment: 2.png]

    It appears that something is wrong with my settings on this. With that thought in mind, I open up gpedit and apply a few settings.

    [screenshot attachment: 3.JPG]

    Risk level is set to high, all file types and then some are added. Me thinks that this is the ticket but it's not. It works to only allow the file/files to appear as though they are downloaded, but when the download is complete it will not write it to disk, which I'm thinking that it should write to disk and give me the option to unblock through the file properties or at least prevent it from launching/installing. Here's what I get.

    [screenshot attachment: 4.JPG]

    OK, I can accept that it blocks the writing to the disk of said download. Seems secure enough even though I don't think this is how it's supposed to work. I'm wrong again, it's not secure at all: whilst the dialogs above in the screenshot are still visible on the screen, meaning I have not selected the OK button, I can open the Download folder, cut the downloaded file and paste it anywhere on any disk and the file will save without the Unblock button in the properties page, and the file of course will run without any prompt other than UAC. If I do select the OK button in the dialog, then the file will not be written to the disk, no download. What's wrong? What kind of dialog warning am I supposed to be getting, providing that the download writes to disk? I thought it went like this: download file, click to launch, warning dialog appears giving a hint that if one trusts the download, one would have to select the Unblock button.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yup, works on x32 too. As far as I know, Trusteer does not work with Iron, but PrevX Safe Online does (get the Facebook freebie).
    Works on all types of executables (all high risk files, see http://support.microsoft.com/kb/883260 )

    Try to read about icacls.exe, it really is a good tool of the OS:
    http://www.computersplace.com/icaclsexe-acl-command-line-management/windows-server/
    http://www.symantec.com/connect/articles/introduction-windows-integrity-control
    http://msdn.microsoft.com/en-us/library/bb625965.aspx
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry, when on Windows Pro you must use gpedit.msc for it.

    Go to (hopefully translated from Dutch to English correctly) User configuration,
    Management templates (?), Windows, Internet Explorer, look for something called options, tab SECURITY.
    Look for the internet zone, maybe something like "Start programs and unsafe files", select configure, select deny (not allowed).

    Note IE8 works differently, it does not allow you to download executables. When you set the default level to high, no file is allowed to download. So keep this standard ("default risk level attachment") or specify the extensions explicitly in the "exclusion list".

    I am not on Win7, my brother-in-law has a Windows 7 Home.

    Regards Kees
     
    Last edited: Apr 4, 2010
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I reset the other to the default settings. I think I found the one you refer to:
    Windows Components>Internet Explorer>Internet Control Panel>Security Page>Locked-Down Internet Zone>Launching programs and unsafe files. I tried every combination and it doesn't work. I also tried it at Internet Zone. Even if I have prompt selected, I get no prompt. If enable is selected with disabled selected in the drop down, the file still launches. All of this is done with the Unblock button still being active in the properties page. Any ideas?
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No I have not.

    Setting it at the internet zone should do the trick (enable, disallow). Re-boot and try? Are you using IE8 32 bits?

    Only other solution is to re-set all GPEDIT settings to default and try (isolating the problem and trying again).


    Regards Kees
     
    Last edited: Apr 5, 2010
  20. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    IE8 32 bit. Ah, no reboot, that has to be the problem.
     
  21. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Nah, no go with that either. Here's what I get now:

    [screenshot attachment: Capture.JPG]

    This must not work for any Pro editions of Windows. In XP it's pretty much the same way, it blocks the download from being downloaded. It seems my choices are:
    1) Leave it at default, which is I have an Unblock button but it's useless because the file will still execute without applying the Unblock button.
    2) Put it back to the way I had it a few posts earlier, again kinda useless since the file will download but will seemingly not write to disk, although I can copy/cut the file before accepting the OK in the warning box and paste on any disk and freely launch from there without an Unblock button.
    3) Keep it the way it is now, files won't download, period. lol

    I filtered configured items in Group Policy. I only have two IE related: scan with AV and this one.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Greg,

    Congrats, you get exactly what you want.

    As I said:
    1)
    On IE8 it prevents download of high risk types (default all executables).
    On Chrome it allows download.
    2)
    When such a file attachment is downloaded, Explorer does not allow you to execute it.


    My suggestions: leave the high risk attachments at the default value. That messed up how it works (when you specify additional high risks, you need to specify all the default risks too). Use the BLOCK ON/OFF reg files I added (the txt file) in one of the earlier posts. Read them again:

    the try https://www.wilderssecurity.com/showthread.php?t=261346
    the tested https://www.wilderssecurity.com/showthread.php?t=262475

    Just try a download with switch OFF, next switch block ON, now try to execute it.

    Regards
     
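The "block ON/OFF" toggle Kees describes in posts #6 and #22 (the 1806 value under the Internet zone policy key) and the ADS marker that Explorer checks, as an added PowerShell example that is not from Kees's posts or his reg files. It assumes PowerShell 3 or later on Windows 7+; the download path is a placeholder you replace with a real file.

```powershell
# Added example, not the thread author's code. Zone 3 = Internet zone; value 1806 is
# "Launching applications and unsafe files", where 3 means disable (deny), 0 enable, 1 prompt.
$ZonePath = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Set-DenyExecuteBlock {
    param([ValidateSet('On', 'Off')][string]$Mode)
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    if ($Mode -eq 'On') {
        # Switch ON: the same REG_DWORD 1806 = 0x3 the post tells you to create by hand
        New-ItemProperty -Path $ZonePath -Name '1806' -PropertyType DWord -Value 3 -Force | Out-Null
    } else {
        # Switch OFF: remove the policy value so the zone's default behaviour applies again
        Remove-ItemProperty -Path $ZonePath -Name '1806' -ErrorAction SilentlyContinue
    }
    # Show the resulting state (nothing is returned when the value is absent)
    Get-ItemProperty -Path $ZonePath -Name '1806' -ErrorAction SilentlyContinue
}

function Get-DownloadZone {
    param([string]$Path)
    # A downloaded file carries a Zone.Identifier alternate data stream; "ZoneId=3" marks it
    # as coming from the Internet zone. This is the marker the "Unblock" button removes.
    try {
        Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        "no Zone.Identifier stream: file is not marked as an Internet download"
    }
}

# Usage: turn the block on, then inspect a (placeholder) download to see its zone marker.
Set-DenyExecuteBlock -Mode On
Get-DownloadZone -Path "$env:USERPROFILE\Downloads\PLACEHOLDER-download.exe"
```

A file that prints ZoneId=3 is the one Explorer refuses to launch while the block is on; Unblock-File removes that stream, which is the per-file "permanently remove" step the post describes.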
  23. Dogbiscuit

    Dogbiscuit Guest

    The answer may depend on what you mean by "bypass".

    User accounts are a security boundary and theoretically there should be no way to bypass them short of a bug in the OS.

    Third party app vulnerabilities or apps with poorly configured ACLs could allow code to escape a user account and "bypass" a LUA. MrBrian has posted links regarding this in the past.


    I've watched what I believe was a zero-day local escalation exploit trash a password protected admin account from within a LUA a couple of years ago (fully patched system); so yes, I can tell you there are such exploits in the wild.
     
    Last edited by a moderator: Apr 7, 2010