Test to see if browser has admin rights

Discussion in 'other security issues & news' started by pepperer, Jan 16, 2008.

Thread Status:
Not open for further replies.
  1. pepperer

    pepperer Registered Member

    Joined:
    Dec 24, 2007
    Posts:
    28
    I have a Firefox extension that shows what level of user rights Firefox currently has. Normally I use DropMyRights to launch Firefox so normally the extension shows "less than admin". But when I launch FF with DMR and Sandboxie the extension shows that FF has admin rights. So it appears that Sandboxie is preventing DMR from working.
    I couldn't find the cause of this so I posted it on the Sandboxie boards. No one knew why but one guy said that he thought that maybe the extension is mistaken and FF is actually running with below admin rights.

    At this point I'm trying to find a way to test FF to see if it is running with admin rights or not.

    Anybody know how I can do this?
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi, I do the same thing with DropMyRights and Sandboxie. I check using Process Explorer: right-click firefox.exe, then Properties, then look under the Security tab at BUILTIN\Administrators, and it should show Deny, Owner under Flags if it's running with limited privileges.

    Process Explorer is on demand only and it's like a super task manager. http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
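    The same check scripted, as an added example that is not innerpeace's code or procedure: it reads a process's token groups the way the Process Explorer Security tab does and reports whether BUILTIN\Administrators carries the deny-only attribute (the Deny flag above). The function name and result strings are my own; it assumes a Windows host where the caller may open the target process.

```powershell
Add-Type -Namespace TokenCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int need);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@
# Added example, not the thread's own code: function name and result strings are mine.
# 'DenyOnly' = rights dropped (what DropMyRights produces), 'Enabled' = full admin token,
# 'Absent' = the account is not a member of Administrators at all.
function Get-AdminGroupState {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400; $TOKEN_QUERY = 0x0008
    $TokenGroups = 2                      # TOKEN_INFORMATION_CLASS::TokenGroups
    $SE_GROUP_USE_FOR_DENY_ONLY = 0x10    # the "Deny" flag Process Explorer shows
    $M = [Runtime.InteropServices.Marshal]
    $hProc = [TokenCheck.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed: $($M::GetLastWin32Error())" }
    $hTok = [IntPtr]::Zero; $buf = [IntPtr]::Zero; $need = 0
    try {
        if (-not [TokenCheck.Native]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
            throw "OpenProcessToken failed: $($M::GetLastWin32Error())" }
        # First call only reports the buffer size TOKEN_GROUPS needs.
        [void][TokenCheck.Native]::GetTokenInformation($hTok, $TokenGroups, [IntPtr]::Zero, 0, [ref]$need)
        $buf = $M::AllocHGlobal($need)
        if (-not [TokenCheck.Native]::GetTokenInformation($hTok, $TokenGroups, $buf, $need, [ref]$need)) {
            throw "GetTokenInformation failed: $($M::GetLastWin32Error())" }
        # TOKEN_GROUPS = DWORD GroupCount then SID_AND_ATTRIBUTES[] {PSID; DWORD}, pointer-aligned:
        # the array starts at IntPtr.Size and each entry occupies 2 * IntPtr.Size bytes.
        $count = $M::ReadInt32($buf); $entry = [IntPtr]::Add($buf, [IntPtr]::Size)
        for ($i = 0; $i -lt $count; $i++) {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier ($M::ReadIntPtr($entry))
            $attr = $M::ReadInt32([IntPtr]::Add($entry, [IntPtr]::Size))
            if ($sid.Value -eq 'S-1-5-32-544') {   # well-known SID of BUILTIN\Administrators
                if ($attr -band $SE_GROUP_USE_FOR_DENY_ONLY) { return 'DenyOnly' } else { return 'Enabled' }
            }
            $entry = [IntPtr]::Add($entry, 2 * [IntPtr]::Size)
        }
        return 'Absent'
    } finally {
        if ($buf -ne [IntPtr]::Zero) { $M::FreeHGlobal($buf) }
        if ($hTok -ne [IntPtr]::Zero) { [void][TokenCheck.Native]::CloseHandle($hTok) }
        [void][TokenCheck.Native]::CloseHandle($hProc)
    }
}
# Usage: report this shell and every running firefox.exe, one line each.
@(Get-Process -Id $PID) + @(Get-Process -Name firefox -ErrorAction SilentlyContinue) |
    ForEach-Object { '{0,7} {1,-12} {2}' -f $_.Id, $_.ProcessName, (Get-AdminGroupState $_.Id) }
```

A Firefox started through DropMyRights should print DenyOnly; a copy started from a plain shortcut in an administrator account prints Enabled.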
     
  3. pepperer

    pepperer Registered Member

    Joined:
    Dec 24, 2007
    Posts:
    28
    Thanks innerpeace. I have Process Explorer (although I've never really used it much). Now I can't seem to get Sandboxie to launch FF using my DMR/FF icon. And I've forgotten how I did it in the past. How do you launch your DMR/FF with/in Sandboxie?
    Do you have the IsAdmin extension?
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    The icon I created has this as the target (quotes included).

    "C:\Program Files\Sandboxie\Start.exe" /box:DefaultBox "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\Firefox.exe"

    I'm using the free version so the DefaultBox part may have to be changed if you have the paid version or have changed Sandboxie's settings (I'm not 100% sure though). You can also right click the icon you already have and then click Run Sandboxed. You can actually do that with any program.

    I just found out tonight (thanks to your question) that Process Explorer can run a program with limited rights. Click file and then choose Run as Limited User and then go from there.
    http://blogs.technet.com/markrussin.../02/running-as-limited-user-the-easy-way.aspx

    Let me know if the target I posted above has a smiley in it. I disabled smilies so I hope it's not there.
     
  5. pepperer

    pepperer Registered Member

    Joined:
    Dec 24, 2007
    Posts:
    28
    Thanks innerpeace. It appears that there is a flaw in the IsAdmin extension because according to Process Explorer when DMR is used with FF in a sandbox, the rights are reduced. That's good and good to know.
    btw: no smilies
    Thanks again!
     
  6. tlu

    tlu Guest

    You'd better NOT use DropMyRights. See post #14 in this thread. A limited user account is a better solution.
     
  7. pepperer

    pepperer Registered Member

    Joined:
    Dec 24, 2007
    Posts:
    28
    Interesting, thanks tlu. I wonder if any 3rd party anti-malware programs would prevent this exploit from executing. Anyone know?
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi, can these special Windows messages be prevented? Perhaps by disabling a service? Can these messages be sent outwards from within Sandboxie? And how common are these types of malware that use shatter attacks?

    I understand that a limited user account is stronger and better and I'm seriously considering trying one again thanks to you and a couple others that are keeping the subject visible. I just want to know the facts of how common these malwares are and if it can do its deed within Sandboxie. Even if it can, I have a couple more security apps that it would have to deal with.

    Thanks,
    innerpeace
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    I would also like to know about malware using this technique, and I'm not sure if SBIE is vulnerable to this attack. Also, AFAIK both ZAP and Neoava monitor "window messages" so they should be able to prevent this. But of course I agree that running in non-admin mode is the better solution.
     
  10. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi Rasheed187 and thanks. I also agree that running in non-admin mode is better, but I'm hoping for some real facts. It's interesting what you said about ZAP and Neoava, I wonder if OA2 can do the same thing? I keep hearing people (not you) saying not to use DropMyRights with no real facts to back it up. I tend to believe using it is better than not using it at all.

    If this type of malware can't maneuver through Sandboxie and my other security apps, then I'm not going to worry about it. If the malware is just a POC or isn't that common, I'm not going to worry about it. Is Firefox or Winamp running with DMR and Sandboxie vulnerable? If all my software is updated am I ok regardless? In other words, does a shatter attack need a vulnerability to run?

    I'm eventually moving to a LUA after recently trying linux, but for now, I'm comfortable with my setup while watching more and more software becoming compatible with LUAs.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    I tested with IE7 and Online Armor's Run Safer which does the same thing as Drop My Rights. I was using the Killdisk trojan. I tested outside of Sandboxie as I know Sandboxie already prevents Killdisk from acting. I set IE7 to Run Safer, and then opened IE7 and using the open command executed the Killdisk trojan from within IE7. It was unable to do its thing.

    So at least for OA Run Safer, it worked as advertised.

    Pete
     
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi Pete and thanks. I'm aware of your tests and you're part of the reason I keep on using Sandboxie :).

    The only problem I have is when I run FF or IE using Run Safer and start them in Sandboxie, they don't appear as deny-owner within Process Explorer. That is the only reason I'm using DropMyRights instead of OA's Run Safer. I posted about this awhile back on OA's forum under a different user name. I'm not sure who's to blame (for lack of a better word) here, but my workaround works fine and I'm ok with that. I'm not even that sure if it's even important to run DMR and Sandboxie together. If DMR helps a little, I will continue to do it.

    I just wish I could find out more about how vulnerable a person is using DMR or Run Safer. I'm sure these types of attacks will increase because of Vista's default usage of LUA, but what about now?

    innerpeace
     
  13. pepperer

    pepperer Registered Member

    Joined:
    Dec 24, 2007
    Posts:
    28
    From what I've read, Vista isn't vulnerable because it doesn't allow programs to message each other, or maybe just not message each other directly (I can't remember which it is now). Anyway, maybe this type of attack won't increase since the number of vulnerable machines will be declining...
     
  14. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Yes, you are right. I was reading the same thing last night in the other LUA threads.

    I've been busy cleaning a relative's XP home computer the last 2 nights and I'm hoping she gives me the ok to set her and the kids up with Limited User Accounts. It may be the only way I can save them from themselves.
     
  15. pepperer

    pepperer Registered Member

    Joined:
    Dec 24, 2007
    Posts:
    28
    I tried running as a limited user for a little while but it was a major pain. Since then I just use the best layered security I can use (for the least money) and I feel mostly safe. And I'm ready with a good Ghost image should anything ever happen.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    When I tested IE executing the Killdisk trojan, I deliberately started IE outside of the Sandbox. I know Sandboxie will block it; I wanted to test Run Safer. I've noticed some odd things running sandboxed. For example OA doesn't record the websites when the browser is sandboxed. I just assume it's because the sandbox has blocked the communication, and don't worry about it. The main reason I have IE set to Run Safer in the first place is there are one or two special things, like the Netflix online movies, that don't tolerate the browser being sandboxed. I like the lower rights for them.

    Pete
     
  17. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    An external hard drive and images are a new addition for me. It is nice knowing that if something goes wrong, you can always get going again fairly quickly.
     
  18. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks Pete. That makes sense why you need to use Run Safer. It also seems as if OA and Sandboxie don't step on each other's toes. They sorta do their own thing lol. I'm not sure why Sandboxie won't run a program as Run Safer. Perhaps Sandboxie gets to it first, which really doesn't make sense if you see the shortcut I posted at the beginning of the thread.

    Anyways, it's good to know that Run Safer and Sandboxie do their job against Killdisk.

    innerpeace
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    I'm not sure if OA2 monitors this, and I'm also not sure how these shatter attacks exactly work, perhaps someone with some more knowledge can comment on this. AFAIK, malware that's executed via IE (through some security hole) will have the same limited rights as IE, so normally they will have difficulty doing any damage, or installing themselves correctly.

    This might indeed be the case, it's probably because the process is already controlled by SBIE, so OA doesn't get a chance to strip the process of admin rights; this isn't the case with DMR and SRP.
     
  20. tlu

    tlu Guest

    I'm not aware of existing malware in the wild that tries to undermine DMR (which doesn't mean that none exists). Nevertheless, there are scenarios in which applications, which were started with lower rights, can break out from this security context and gain admin rights. And don't forget that there is at least one other process (namely explorer.exe) permanently running with admin rights which would be an easy target for malware using Windows messaging. It's a fact that this is a design weakness in the Windows NT series up to XP which was finally abolished in Vista. BTW: An interesting read is also http://blogs.securiteam.com/index.php/archives/188 .

    But probably more relevant is this argument: Even if you started, say, IE with lower rights there is always the danger that another instance of the browser is started indirectly by a casual click, e.g. through local URL and HTML files and hyperlinks in Office and mail applications (DOC, XLS) or help files (CHM). These instances run with admin rights! - and you probably wouldn't notice.

    Absolutely, but the arguments above make DMR at least rather problematic. All things considered, a limited account is definitely the better solution. And it's very easy and comfortable if you use SuRun. It's a myth that most applications don't work in a limited account - as a matter of fact most applications (unless they are several years old) DO work flawlessly. This is also true for most HIPS or firewalls (e.g. OA, SSM and CPF). And if you really happen to use some badly programmed games or whatever that need admin rights you can easily start them via SuRun just with two mouseclicks.
     
  21. pepperer

    pepperer Registered Member

    Joined:
    Dec 24, 2007
    Posts:
    28
    Thanks for the info. Very interesting. However, running Firefox with DMR, this does not seem to be true:
    If I have a FF window opened, subsequent FF windows opened, no matter what method I use to open them, inherit the original window's credentials.
     
  22. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,703
    Location:
    Texas
    Hi Guys,

    Tlu - Thanks for the great info., but can you please explain this:

    I have Thunderbird start via DMR, I click on an email link which opens FF. FF should also be lower rights, as its parent Thunderbird was started with lower rights. I believe this is correct.

    Likewise if I start FF using its DMR shortcut, any app. started during that session should also be lower rights. As the parent FF was started with LR all child/daughter apps should be LR as well.

    Thanks & Take Care
    Rico

    PS see article at cnet

    http://blogs.cnet.com/8301-13554_1-9761472-33.html

     
    Last edited: Jan 30, 2008
  23. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks for your reply Thomas, it's much appreciated. I looked over the links you posted and was able to understand some of it. From what I gather, it's important to keep all your programs updated to lessen vulnerabilities and don't install anything that is not trusted. And yes, it appears that XP has a bad design flaw. If you do hear of any malware that does try to get past DMR's, I trust that you will let us know.

    While this doesn't affect me as much as it does others, it is a valid argument.

    DMR is still useful to some and the recent discussions point out its possible weaknesses, which is always good to know. DMR, as your links point out, is also backwards thinking in that it strips rights rather than having limited rights to begin with. I also have no doubt that more and more apps are becoming compatible with a LUA. I've been considering trying a LUA again and I have a feeling that it will happen sometime this year. I wish I could get my sister and her children to use LUAs as their machine is infected again. Thanks again!
     
  24. tlu

    tlu Guest

    Yes, I understand that. What I meant was: Let's say you start a document with Word/Excel or OpenOffice or a help file in the CHM format that contains a URL and you're NOT in DMR. Clicking the URL would definitely cause your browser start in admin mode. I'm not sure if this is the case if an instance of your browser is already running with DMR (pepperer's post #21 suggests that it's not) - I tested DMR quite some time ago and cannot remember all details. It's also possible that Microsoft changed it somehow in the meantime.
     