Windows XP turns 20: Microsoft’s rise and fall points to one thing — don’t fix what isn’t broken

Discussion in 'other software & services' started by mood, Oct 25, 2021.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    No correct, but you claim that setting UAC to ''never notify'' will weaken the sandbox, IMO this is completely false.

    That's why I said there is a difference between exploit code and the malware it's trying to run. Hackers will be able to bypass the built-in sandbox in Chrome and Firefox no matter if UAC is set to high, medium or never notify level, it won't make it harder or easier for them to execute the exploit code, see link.

    VUPEN was able to exploit the Chrome sandbox, causing to launch calc.exe with medium IL, regardless if UAC was set to high, medium or never notify level. And obviously, UAC wouldn't have alerted about this attack, since calc.exe runs with medium IL and there is still plenty of malicious stuff that malware can do with medium IL, think of code injection, keyboard/screen monitoring, data exfiltration and data encryption, just a reminder.

    https://www.ghacks.net/2011/05/10/google-chrome-sandbox-hacked/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    Exactly, UAC comes into play only if malware is trying to get high IL, after breaking out of the sandbox. Assuming that hackers aren't able to bypass UAC, then UAC will pop up. Actually when you think about it, UAC is basically a dumb execution blocker of processes requesting admin rights.

    While tools like HMPA, MBAE and OSArmor try to block malicious processes, no matter if they run with medium IL or high IL. And without annoying you with alerts triggered by legitimate apps. That's why I see UAC as an extra lock on the door, but it's sadly enough way too annoying.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    Yes exactly, I was able to stay safe on Windows XP without UAC, so I have adopted the same security strategy on Win 8 and 10. While I'm not a fan of UAC, I do think Mandatory Integrity Control was a great feature that Win XP lacked, because it made it more easy to build application sandboxes, like the ones found in Chrome and Firefox.

    It also allowed Sandboxie to be redesigned without having to rely on kernel mode hooking which often made Win XP unstable, especially when running multiple security tools. But anyway, I don't see how setting UAC to ''never notify'' weakens the Chromium or Firefox sandbox, and I have already explained why, because that's what started this discussion.
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,168
    Location:
    USA
    That is pretty much entirely what it is. It prompts you any time admin access is required be it executing or writing to a protected area.

    I still wonder why it would be seen that often after a machine is set up and the normal software installed. I see it pretty rarely and I am a network admin.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,563
    Location:
    Member state of European Union
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    True, as long as there is some sort of 3rd-party security that alerts to unauthorized attempts to elevate, otherwise it could be a problem to set UAC to "Never Notify".

    Same here.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    I've had contact with a Chromium dev, and setting UAC to never notify does not affect the sandbox.
    But I wasn't that far from the truth either. The sandbox does depend on the UAC service for security. When a process requests elevation, the UAC service does not only check the requests, but also other properties such as access tokens. The sandboxed processes have a restricted token. The UAC service only allows requests which want to elevate their IL only. Not both change IL and token, so the request from a sandboxed process will be denied.
    However flaws in the UAC service could be abused, for example in this sandbox escape: https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    More interesting UAC behaviour. Thanks for posting!
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    I'm not sure what you mean with ''not that bad''. But what I was trying to explain is that setting UAC to ''never notify'' barely lowers security while improving convenience quite a lot when running as administrator. Of course as mentioned before, it's recommended to secure the system with (third party) tools that can mitigate exploit attacks.

    You also must not forget that probably 99% of all users don't even understand why they get to see UAC alerts. All they know is that if they don't click on yes, they won't be able to run apps. So even in case of some malware attack taking place, it's likely they will still allow malware to run, because that's what they are used to. Some people might even call this a false sense of security.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    Cool, but to me it only matters if UAC plays a role or not when it comes to sandboxing browsers and it doesn't. With that I mean, it doesn't matter on which level the UAC slider is at. I didn't understand 70% of the article, it's way too complex, you probably have more knowledge in this area, but I don't understand how this article proves that you're not far way from the truth? It's about abusing a flaw in the UAC service, but seems to me that this was exploitable no matter if UAC was set to never notify, medium or high level, correct?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    I guess it depends on the user, some may find it annoying, others do not.

    I try to minimize alerts as much as possible. That's why in recent years I have stopped using EXE Radar, I got tired having to approve app install, similar to UAC. I have also switched to TinyWall, to avoid all of those pesky alerts about outbound connections. And I have configured SpyShelter in a way that lowers the amount of alerts.

    BTW, these are a few apps that will trigger the UAC alert because they obviously need admin rights in order to function correctly. I can't imagine to keep having to approve them even if it's only once a day LOL. Keep in mind these apps are already installed.

    Process Explorer
    AutoRuns
    Geek Uninstaller
    NVT Connections Viewer
    Win Update Stop
    Wise Disk Cleaner
    Secure Folders
    ConfigureDefender
    O&O ShutUp10
     
  12. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,410
    O&O shutup 10 only triggers UAC when you need admin privileges for some settings. However it can still function on a standard account without triggering any UAC alert, though the options will be limited to the current user
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    I meant with that the fact that the sandboxing is still dependent on UAC(I don't mean the slider) and UAC does play a role in allowing elevating(or denying in this case, as it is denied because of the restricted token) from a low IL sandboxed process.
    The article is very technical for me too. In the article was a separate link about the details of the flaw in the UAC service:
    https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html

    It looks like to me, in this case with UAC slider at default settings, there is no UAC prompt, but I'm not sure if setting it to maximum would. It would differ on the type of flaw I guess.

    Yes, the broker process. But the sandboxed processes, which handle the actual web content, have low IL.


    I'm guessing he means it in a Standard User Account context. If you set UAC to never notify while logged in as SUA, instead everything being automatically approved, everything is automatically denied.

    You could also set scheduled tasks for them once, and then never have to approve them again.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    I'm sorry to say, but this article doesn't proof anything. The discussion was about whether disabling UAC would weaken sandboxes and it clearly does not. This article was about some Chrome sandbox escape, abusing a flaw in the UAC service, but it would have worked no matter if UAC was disabled or set to the highest level. The only thing that weaken sandboxes are flaws in browsers and OS.

    OK I see, that's why I was confused because this discussion was clearly about if it's a big deal whether you disable UAC or not when running as administrator, in my view it's clearly not. But of course when you're running in SUA you can't complain about UAC.

    No thanks, I would rather not see any UAC alerts at all, to me it plays no big role when it comes to securing the system. It's a dumb process execution blocker, it would have made more sense if UAC only popped up when something truly fishy was going on, but it's probably too hard to make it work like this. But for people who want to make UAC less annoying, there are a couple of tools, see link. Use at own risk, I haven't tested them on Win 8 and 10.

    https://www.raymond.cc/blog/task-scheduler-bypass-uac-prompt/
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    There is Surun as well:

    Kay's Mustard » SuRun (kay-bruns.de)

    I'm surprised to see a Windows 10 version. Some years ago it looked like development had stopped from Windows 7.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    BTW, here is another article where it is explained a bit more simple, it was actually quite hard to escape Chrome's sandbox, he had to combine multiple flaws, see first link.

    However, there is something that I don't understand about RCE, perhaps you can ask this to the Chromium developer. It seems that on hacking contests like Pwn2Own and Tianfu Cup they are willing to pay up for RCE's without sandbox escape. So I wonder, is it possible to run malware inside a browser's sandbox?

    Because as seen in link 2, calc.exe couldn't be launched without disabling the Chrome sandbox, so what's the point then? He even got payed $100.000 for this exploit. Or perhaps this still can be used for in-memory malware who don't need to drop any files to disk, but ony need to steal cookies and browser passwords?

    https://www.bleepingcomputer.com/news/security/window-10-update-weakened-google-chromes-security/
    https://www.bleepingcomputer.com/ne...dge-zero-day-vulnerability-shared-on-twitter/

    https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html
    https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    Again, that was not my point, and the article was not to prove anything but just extra information as an example. Also the discussion was broader than that, but your interest was merely whether setting UAC to never notify weakens the sandbox. And again, disabling UAC is not the same and will likely have more consequences than setting UAC to never notify.
    It is also not clear whether the flaw in the article could have been abused with UAC on the highest level, though it was the case for the default level, so if you set it to never notify instead of default, then it will not make a difference.
    In second article I posted, the article refers to UACME for having another exploit which is similar because also uses UIAccess as an attack vector, and when I looked that up, I found that setting UAC to the highest level does protect against UACME.

    Yes, it clearly states remote code EXECUTION and "were awarded $100,000 for leveraging the vulnerability to run malicious code inside Chrome and Edge."
    Apart from the stealing information from the browser, if combined with a privilege escalation exploit in Windows, you could escape the sandbox, so perhaps that's why they pay that much. I also suspect it can do more than just stealing information out of the browser, because A: When I read about vulnerabilities that allow for stealing cookies and passwords from browsers, it never seems you need to execute code inside the browser for that, and B: if you look at the prizes paid (https://www.thezdi.com/blog/2021/1/25/announcing-pwn2own-vancouver-2021), they have escaped the renderer already so they even though they're still restricted by the sandbox, they probably have more rights, maybe running inside the broker process with medium integrity. I'm not sure what rights are all stripped and revoked with the different aspects of the sandbox, but normally the most dangerous ones like writing files and executing code are blocked, but reading files is another matter and more difficult to restrict because the program needs it to function properly. This is speculation, but it could be that while they are not able to execute something unrestricted, write to system files to alter them with something malicious, encrypt files, or get higher rights etc, that they were able to read user files like documents, saved mail etc.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    @Rasheed187

    I navigated to the second of four links (https://www.bleepingcomputer.com/ne...dge-zero-day-vulnerability-shared-on-twitter/)
    you posted in #141, and noted the following:

    Javascript can be blocked by SRP or similar, or other anti-exploit tools such as OSArmor.

    Why would they deliberately weaken the browser by disabling its sandbox?

    I kind of feel like I posted about this some time ago :doubt:
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    I now understand you a bit better, but that extra information wasn't relevant. Bottom line is that when UAC is on medium or high level, it doesn't make any difference, hackers will be able to get RCE and bypass the browser sandbox, which will allow them to run malware with at least medium IL.

    It's only then when UAC comes into play, because if they can't bypass UAC, then it will obviously block the malware from getting high IL. Also, it's still not clear what you guys mean with ''disabling UAC'', how do you completely disable UAC on Win 8 and 10? I couldn't find anything about this, do you need Windows Pro for this?

    http://woshub.com/user-account-control-slider-and-group-policy-settings/

    Thanks for the link, quite interesting. And your explanation does indeed sound logical, too bad that this stuff is almost never explained clearly. My guess is that in practice hackers will need a sandbox escape to do any serious damage. That's why they often combine a browser exploit with OS exploit to get to high or even system IL, and my guess is that this will also automatically bypass UAC.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    No, you're misunderstanding. SRP and tools like HMPA, MBAE and OSArmor don't block JavaScript, they will simply block process execution that is triggered by the exploit code. For example the NoScript extension might be used to block JS, but this will also break 90% of all websites. That's why I believe that NS and UAC are great examples of ''dumb security'', to me it's basically about the cure being worse than the disease. Yes, they can be used to block exploits and malware, but at what price?

    They did this because otherwise the exploit wouldn't be able to run calc.exe, in other words they needed a second ''browser sandbox escape'' exploit to run calc.exe, so this is a great example of why browser sandboxes are so useful.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    When I look at the video from that second link, there are two files dropped on the user's Desktop: exploit.html and exploit.js, the second file of course being a javascript file. Yes I understand they are being loaded into Chrome browser as part of the exploit process, and perhaps i'm misunderstanding the way it works, but I do know that both SRP and OSArmor will block a javascript file, as can be seen in the attachments posted below. The first attachment is the test file code, the second, the log generated when OSArmor blocks it, and the third is SRP blocking it. Again, I could be misunderstanding how it works.

    javascript test.png
    javascript test 02.png
    javascript test 03.png
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    You need to disable it in Group policy, I don't know if that is available on all Windows versions or if you need Professional. From your link if you set the 3rd policy (User Account Control: Run all administrators in Admin Approval Mode) to disabled, UAC is disabled. Not sure why they show 4 different policies there, it seems to me if you disable the 3rd, the other 3 are no longer relevant.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    Ah yes because it is opened locally now, then it will be blocked by SRP and OSArmor. In a 'normal' attack scenario the html and javascript would be part of a website loaded by the browser, then it won't be blocked by SRP and OSArmor afaik. The video probably just shows it like this because it's easier than setting up a website just for making the video.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    Apparently not available in Home version, but there is a fix for that:
    https://www.techspot.com/guides/1719-group-policy-editor-windows-home/
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    Agreed!

    Yes, this makes sense, although I would think a good script blocker such as uBlockO set to Medium or Hard mode should block it.

    Okay, that makes sense as well. Thanks!

    EDIT

    actually I just learned there is a difference between jscript and javascript, the latter of which would be run by the web browser, and the former by Windows Script Host (wscript.exe)
     
    Last edited: Nov 27, 2021
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.