Windows 10: 2 Steps Forward, 1 Step Back. James Forshaw @tiraniddo (slide deck)

  1. Windows 10: 2 Steps Forward, 1 Step Back. James Forshaw @tiraniddo. Ruxcon 2015

  2. Obligatory Background Slide
     ● Researcher in Google’s Project Zero team
     ● Specialize in Windows
       ○ Especially local privilege escalation
     ● Never met a logical vulnerability I didn’t like

  3. What I’m Going to Talk About
     ● Some research on Windows 10 from the early preview builds
     ● Why Windows 10 is awesome for security
     ● Except for when it isn’t!
     ● Very much looking at things from a local privilege escalation perspective

  4. Windows 10

  5. Windows Local Attack Surface

  6. Local System Vulnerabilities are Dead!

  7. System Services and Drivers
                Windows 7 SP1   Windows 8.1   Windows 10
     Services   150             169           196
     Drivers    238             253           291

  8. Service Privilege Levels (share of services running as each account)
                       Windows 7 SP1   Windows 8.1   Windows 10
     Local System      53.69%          56.89%        61.14%
     Local Service     32.21%          31.14%        28.50%
     Network Service   14.09%          11.98%        10.36%

  9. SVCHOST Running as User? Malware? Nope!

  10. Service Start Mode
                  Windows 7   Windows 8.1   Windows 10
     Auto         30.07%      26.19%        24.10%
     Disabled     5.23%       3.57%         2.05%
     Manual       53.59%      43.45%        42.56%
     Triggered    11.11%      26.79%        31.28%

  11. Accessible Device Objects
                  Windows 7   Windows 8.1   Windows 10
     Read/Write   64          54            52
     Read-Only    6           6             5

  12. Isolated User Mode

  13. Isolated LSASS
     Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130

  14. But Sadly
     ● Not available in consumer builds, only Enterprise
     ● Can’t use your own code to isolate anything
     ● Very restrictive use

  15. Edge Browser

  16. Microsoft Edge Security
     ● ActiveX is gone(ish)
     ● AppContainer Sandbox Always On

  17. Microsoft Edge and Flash: Nope!

  18. Has No One Learnt from the Past?

  19. Guess Trident Wasn’t a Suitable Base?

  20. User Account Control

  21. They’ve Fixed Some Bugs I’ve Reported
     https://code.google.com/p/google-security-research/issues/detail?id=156
     https://code.google.com/p/google-security-research/issues/detail?id=220

  22. UAC Auto Elevation Directory Check
     c:\windows\app.exe           ALLOWED
     c:\windows\tracing\app.exe   BANNED

  23. Folder Permissions
     c:\windows\app.exe           ALLOWED
     c:\windows\tracing\app.exe   BANNED

  24. AiCheckSecureApplicationDirectory Bypass
     ● Need to be able to write a file with a secure path
     ● How can we write to C:\Windows without writing to C:\Windows?
     c:\windows\malicious.exe   ALLOWED
     c:\windows\????            ALLOWED?

  25. NTFS Alternate Data Streams FTW!
     c:\windows\tracing:malicious.exe   ALLOWED
     ● Only need the FILE_WRITE_DATA/FILE_ADD_FILE access right on the directory to create a named stream.
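The directory check on slides 22 to 25 fails because it decides on the text before the last backslash, and a named stream ("directory:stream") has no backslash of its own. The following is an added example, not code from the talk or from Microsoft: a constructed model of such a check in portable C, with a naive version that shows the stream path passing and a hardened version that rejects stream syntax. The secure and banned directory lists are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an auto-elevation "secure directory" check in the spirit
 * of the AiCheckSecureApplicationDirectory logic on slides 22-25. This is not
 * Microsoft's code; the allow/ban lists below are assumptions for the example. */
static const char *const SECURE_DIRS[] = { "c:\\windows\\", "c:\\windows\\system32\\" };
static const char *const BANNED_DIRS[] = { "c:\\windows\\tracing\\" };

/* Case-insensitive comparison of at most n characters, stopping at NUL. */
static int path_ncasecmp(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb) return ca - cb;
        if (ca == '\0') return 0;
    }
    return 0;
}

/* Naive check: everything up to the last backslash is "the directory"; it must
 * equal a secure directory and must not lie under a banned one. A stream name
 * such as "tracing:malicious.exe" contains no backslash, so its directory is
 * c:\windows\ and the check passes. */
bool naive_secure_dir_check(const char *path) {
    const char *last = strrchr(path, '\\');
    if (last == NULL) return false;
    size_t dirlen = (size_t)(last - path) + 1;
    char dir[260];
    if (dirlen >= sizeof dir) return false;
    memcpy(dir, path, dirlen);
    dir[dirlen] = '\0';
    for (size_t i = 0; i < sizeof BANNED_DIRS / sizeof BANNED_DIRS[0]; i++)
        if (path_ncasecmp(dir, BANNED_DIRS[i], strlen(BANNED_DIRS[i])) == 0) return false;
    for (size_t i = 0; i < sizeof SECURE_DIRS / sizeof SECURE_DIRS[0]; i++)
        if (path_ncasecmp(dir, SECURE_DIRS[i], strlen(SECURE_DIRS[i]) + 1) == 0) return true;
    return false;
}

/* Hardened check: additionally require a drive-absolute path that names a file
 * and reject NTFS stream syntax, i.e. any ':' after the drive letter. */
bool hardened_secure_dir_check(const char *path) {
    size_t len = strlen(path);
    if (len < 4 || !isalpha((unsigned char)path[0]) || path[1] != ':' || path[2] != '\\')
        return false;
    for (size_t i = 2; i < len; i++)
        if (path[i] == ':') return false;   /* "dir:stream" would slip past the naive check */
    const char *last = strrchr(path, '\\');
    if (last[1] == '\0') return false;       /* ends in a separator: no file name at all */
    return naive_secure_dir_check(path);
}

int main(void) {
    const char *samples[] = {
        "c:\\windows\\app.exe",
        "c:\\windows\\tracing\\app.exe",
        "c:\\windows\\tracing:malicious.exe",   /* the stream path from slide 25 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s naive=%-8s hardened=%s\n", samples[i],
               naive_secure_dir_check(samples[i]) ? "ALLOWED" : "BANNED",
               hardened_secure_dir_check(samples[i]) ? "ALLOWED" : "BANNED");
    return 0;
}
```

The hardened variant treats the whole string as untrusted syntax rather than only the directory prefix; on a real system the check would also want the canonical path returned by the file system, since the string form of a path is not what the loader ends up opening.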

  26. Didn’t Fix All my UAC Bypasses Though
     https://code.google.com/p/google-security-research/issues/detail?id=219

  27. DEMO: Elevated Token Capture

  28. Well MS Almost Did (impersonation check, read top to bottom)
     If Process has Impersonate Privilege   -> ALLOWED
     If Token Level < Impersonate           -> ALLOWED
     If Process IL < Token IL               -> Restrict to Identification Level
     If Process User == Token User          -> Elevation Check -> ALLOWED

  29. Elevated Token Impersonation
     ● Blocks impersonating an elevated token unless process token is also elevated
     ● Must be enabled in SeCompatFlags kernel flag
       if (SeTokenIsElevated(ImpersonationToken)) {
         if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) {
           return STATUS_PRIVILEGE_NOT_HELD;
         }
       }
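Slides 28 and 29 describe the decision as a flow; the following is an added example, not kernel code and not from the talk, that models that flow in portable C so the effect of the SeCompatFlags bit can be exercised. The Token struct, the enum names, the numeric integrity levels and the test scenario are this example's assumptions; the order of checks follows the slide-28 diagram, with the slide-29 elevation check placed after the user comparison.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the impersonation checks drawn on slides 28-29. This is
 * not kernel code: the Token struct, enum names and return values are this
 * example's simplification; the order of checks follows the slide-28 flow. */
typedef enum {
    LEVEL_ANONYMOUS = 0,
    LEVEL_IDENTIFICATION = 1,
    LEVEL_IMPERSONATION = 2,
    LEVEL_DELEGATION = 3
} ImpLevel;

typedef struct {
    unsigned user_sid;          /* stand-in for the token's user SID */
    unsigned integrity_level;   /* 0x1000 low, 0x2000 medium, 0x3000 high */
    ImpLevel level;             /* impersonation level of the token */
    bool elevated;              /* what SeTokenIsElevated would report */
    bool has_impersonate_priv;  /* SeImpersonatePrivilege (meaningful on the process token) */
} Token;

typedef enum {
    DECISION_ALLOWED,
    DECISION_RESTRICT_TO_IDENTIFICATION,
    DECISION_PRIVILEGE_NOT_HELD
} Decision;

/* se_compat_flags models the SeCompatFlags kernel variable from slide 29: bit 0
 * switches on the elevated-token check, and the slides say it is off by default. */
Decision can_impersonate(const Token *process, const Token *token, unsigned se_compat_flags) {
    if (process->has_impersonate_priv)
        return DECISION_ALLOWED;                       /* e.g. services holding the privilege */
    if (token->level < LEVEL_IMPERSONATION)
        return DECISION_ALLOWED;                       /* identification/anonymous tokens grant nothing */
    if (process->integrity_level < token->integrity_level)
        return DECISION_RESTRICT_TO_IDENTIFICATION;    /* no stepping up in IL */
    if (process->user_sid != token->user_sid)
        return DECISION_RESTRICT_TO_IDENTIFICATION;    /* another user's token */
    /* Slide 29: the elevated-token check, gated on the compat flag. */
    if (token->elevated && (se_compat_flags & 1) && !process->elevated)
        return DECISION_PRIVILEGE_NOT_HELD;
    return DECISION_ALLOWED;
}

const char *decision_name(Decision d) {
    switch (d) {
    case DECISION_ALLOWED:                    return "ALLOWED";
    case DECISION_RESTRICT_TO_IDENTIFICATION: return "Restrict to Identification Level";
    default:                                  return "STATUS_PRIVILEGE_NOT_HELD";
    }
}

int main(void) {
    /* Constructed scenario: a medium-IL, non-elevated process of user 1001 tries to
     * impersonate an elevated token of the same user at the same integrity level,
     * which is exactly the case the slide-29 check exists for. */
    Token process  = { 1001, 0x2000, LEVEL_IMPERSONATION, false, false };
    Token elevated = { 1001, 0x2000, LEVEL_IMPERSONATION, true,  false };
    printf("SeCompatFlags bit clear: %s\n", decision_name(can_impersonate(&process, &elevated, 0)));
    printf("SeCompatFlags bit set:   %s\n", decision_name(can_impersonate(&process, &elevated, 1)));
    return 0;
}
```

With the bit clear the model returns ALLOWED for the elevated token, which is the "wrong default" slide 30 objects to; with the bit set the same call returns STATUS_PRIVILEGE_NOT_HELD, while tokens at a higher IL or belonging to another user are still only demoted to identification level as before.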

  30. In The End: Still the “Wrong” Default IMO!

  31. If You Change It, Task Manager Needs a Prompt

  32. Windows Symbolic Links
     Windows NT 3.1 - July 27 1993: Object Manager Symbolic Links, Registry Key Symbolic Links
     Windows 2000 - Feb 17 2000: NTFS Mount Points and Directory Junctions
     Windows Vista - Nov 30 2006: NTFS Symbolic Links

  33. Mitigated in Sandboxes
     NTFS Mount Points               LIMITED
     Registry Key Symbolic Links     BANNED
     Object Manager Symbolic Links   LIMITED

  34. Mitigations Backported

  35. Mount Point Mitigation Bypass (slides 35-37 show the same pseudocode with successive highlights)
       NTSTATUS IopXxxControlFile(...) {
         if (CtlCode == FSCTL_SET_REPARSE_POINT) {
           PREPARSE_DATA_BUFFER buffer = ...
           if (NumberOfBytes >= 4 &&
               buffer->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT &&
               RtlIsSandboxedToken(&SubjectSecurityContext, AccessMode)) {
             status = FsRtlValidateReparsePointBuffer(NumberOfBytes, buffer);
             if (!NT_SUCCESS(status)) {
               return status;
             }
             // Open the mount point target with an access check against the caller.
             name.Length = name.MaximumLength = buffer->SubstituteNameLength;
             name.Buffer = &buffer->PathBuffer[0];
             InitializeObjectAttributes(&obja, &name, OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE);
             status = ZwOpenFile(&FileHandle, FILE_GENERIC_WRITE, &obja, ..., FILE_DIRECTORY_FILE);
             if (!NT_SUCCESS(status)) {
               return status;
             }
             ZwClose(FileHandle);
           }
         }
       }



  38. Time of check-Time of use
     Low Privileged Process:   \??\c:\somepath\xyz
     High Privileged Process:  \??\c:\somepath\xyz
     Not Equal

  39. DosDevices History
                    NT 3.1       NT 4.0       Windows 2000       Windows XP Onwards
     DosDevices     DosDevices   DosDevices   DosDevices         DosDevices
     ??             -            ??           ?? Per-Process     Per-User; Per-Process Virtual ??; GLOBAL??

  40. DosDevices History (same table as slide 39, with a “Use This!” callout added)

  41. Abusing Per-Process Device Map
     Low Privileged Process:   \??\c:\somepath\xyz resolves via \Device\NamedPipe\
     High Privileged Process:  \??\c:\somepath\xyz
     Not Equal
     https://code.google.com/p/google-security-research/issues/detail?id=486
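Slides 35 to 41 are one argument: the mitigation validates the reparse target by opening it with an access check, but a \??-prefixed name is resolved through the caller's device map, and the privileged process that later follows the mount point resolves the same string through its own. The following is an added example, not code from the talk, the kernel or the issue tracker: a constructed model of \?? resolution with a global map and a per-process map, a check that resolves in the caller's context (the flawed pattern), and a check that resolves the name the way the privileged consumer will. The device names, the maps and the "hardened" variant are this example's assumptions and do not claim to be the fix that shipped in the October kernel release mentioned on slide 42.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of \?? name resolution with a global device map and a
 * per-process device map, illustrating the check/use mismatch of slides 35-41.
 * Nothing here is Windows code; maps, device names and the "hardened" variant
 * are assumptions made for this example. */
typedef struct { const char *link; const char *target; } DosDeviceLink;
typedef struct { const DosDeviceLink *links; size_t count; } DeviceMap;

/* Global map (\GLOBAL?? from XP onwards): c: is the boot volume. Constructed values. */
static const DosDeviceLink GLOBAL_LINKS[] = { { "c:", "\\Device\\HarddiskVolume1" } };
const DeviceMap GLOBAL_MAP = { GLOBAL_LINKS, 1 };

/* A sandboxed process's own device map in which c: points at the named pipe
 * device, which any token may open. Constructed values. */
static const DosDeviceLink SANDBOX_LINKS[] = { { "c:", "\\Device\\NamedPipe" } };
const DeviceMap SANDBOX_MAP = { SANDBOX_LINKS, 1 };

/* Resolve "\??\<link>\rest" through the given map into a \Device path.
 * Link names are compared case-sensitively, a simplification of this model. */
bool resolve_dos_path(const DeviceMap *map, const char *path, char *out, size_t outlen) {
    if (strncmp(path, "\\??\\", 4) != 0) return false;
    const char *rest = path + 4;
    for (size_t i = 0; i < map->count; i++) {
        size_t n = strlen(map->links[i].link);
        if (strncmp(rest, map->links[i].link, n) == 0 && rest[n] == '\\') {
            int w = snprintf(out, outlen, "%s%s", map->links[i].target, rest + n);
            return w > 0 && (size_t)w < outlen;
        }
    }
    return false;
}

/* Stand-in for the OBJ_FORCE_ACCESS_CHECK open with the sandboxed token: the
 * token can write to the named pipe device but not to the volume. */
static bool sandbox_can_write(const char *device_path) {
    return strncmp(device_path, "\\Device\\NamedPipe", 17) == 0;
}

/* Flawed pattern: the reparse target is validated by resolving it in the
 * caller's context (its own device map), while the privileged process that
 * later follows the mount point resolves the same string through the global map. */
bool flawed_validate_mount_point(const DeviceMap *caller_map, const char *substitute_name) {
    char target[160];
    if (!resolve_dos_path(caller_map, substitute_name, target, sizeof target)) return false;
    return sandbox_can_write(target);
}

/* Hardened pattern (this example's assumption, not the shipped fix): validate
 * the target as the privileged consumer will see it, through the global map. */
bool hardened_validate_mount_point(const char *substitute_name) {
    char target[160];
    if (!resolve_dos_path(&GLOBAL_MAP, substitute_name, target, sizeof target)) return false;
    return sandbox_can_write(target);
}

/* Where a privileged process actually ends up when it follows the mount point. */
bool consumer_lands_on_volume(const char *substitute_name) {
    char used[160];
    return resolve_dos_path(&GLOBAL_MAP, substitute_name, used, sizeof used)
        && strncmp(used, "\\Device\\HarddiskVolume1\\", 24) == 0;
}

int main(void) {
    const char *name = "\\??\\c:\\somepath\\xyz";   /* the path from slides 38 and 41 */
    char low[160], high[160];
    resolve_dos_path(&SANDBOX_MAP, name, low, sizeof low);
    resolve_dos_path(&GLOBAL_MAP, name, high, sizeof high);
    printf("low-privileged view:  %s\nhigh-privileged view: %s\n", low, high);
    printf("flawed check:   %s\n", flawed_validate_mount_point(&SANDBOX_MAP, name) ? "ALLOWED" : "DENIED");
    printf("hardened check: %s\n", hardened_validate_mount_point(name) ? "ALLOWED" : "DENIED");
    return 0;
}
```

The point the model makes is the one on slide 38: a check and a use that resolve the same string in different contexts are not checking the same object. Any validation of a reparse target has to be done on the name as the eventual consumer resolves it, which is also why slide 40 points at the global directory for privileged code.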

  42. Sandbox Winter is Coming! New in October Kernel Release

  43. DEMO: NTFS Mount Point Mitigation Bypass

  44. Win32k Hardening

  45. Fonts Are Bad

  46. Making it Less Bad
     ● Disable Custom Font Policy
     ● User Mode Font Driver (undocumented)
       PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 };
       policy.DisableNonSystemFonts = 1;
       policy.AuditNonSystemFontLoading = 1;
       SetProcessMitigationPolicy(ProcessFontDisablePolicy, &policy, sizeof(policy));

  47. User Mode Font Driver
     ● Running as user in AppContainer
     ● Only SYSTEM can open process?

  48. Process Token Default DACL: Before September Patch / After September Patch (screenshots not reproduced)

  49. Thread DACLs Allow User Access
