Windows 10 2 Steps Forward, 1 Step Back - James Forshaw @tiraniddo - PowerPoint PPT Presentation


SLIDE 1

Windows 10 2 Steps Forward, 1 Step Back
James Forshaw @tiraniddo
Ruxcon 2015

SLIDE 2

Obligatory Background Slide

  • Researcher in Google’s Project Zero team
  • Specialize in Windows
    ○ Especially local privilege escalation
  • Never met a logical vulnerability I didn’t like
SLIDE 3

What I’m Going to Talk About

  • Some research on Windows 10 from the early preview builds
  • Why Windows 10 is awesome for security
  • Except for when it isn’t!
  • Very much looking at things from a local privilege escalation perspective

SLIDE 4

Windows 10

SLIDE 5

Windows Local Attack Surface

SLIDE 6

Local System Vulnerabilities are Dead!

SLIDE 7

System Services and Drivers

              Windows 7 SP1   Windows 8.1   Windows 10
  Services    150             169           196
  Drivers     238             253           291

SLIDE 8

Service Privilege Levels

                   Windows 7 SP1   Windows 8.1   Windows 10
  Local System     53.69%          56.89%        61.14%
  Local Service    32.21%          31.14%        28.50%
  Network Service  14.09%          11.98%        10.36%

SLIDE 9

SVCHOST Running as User?

Malware? Nope!

SLIDE 10

Service Start Mode

              Windows 7   Windows 8.1   Windows 10
  Auto        30.07%      26.19%        24.10%
  Disabled    5.23%       3.57%         2.05%
  Manual      53.59%      43.45%        42.56%
  Triggered   11.11%      26.79%        31.28%

SLIDE 11

Accessible Device Objects

              Windows 7   Windows 8.1   Windows 10
  Read/Write  64          54            52
  Read-Only   6           6             5

SLIDE 12

Isolated User Mode

SLIDE 13

Isolated LSASS

Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130

SLIDE 14

But Sadly

  • Not available in consumer builds, only Enterprise
  • Can’t use your own code to isolate anything
  • Very restrictive use

SLIDE 15

Edge Browser

SLIDE 16

Microsoft Edge Security

  • ActiveX is gone(ish)
  • AppContainer Sandbox Always On

SLIDE 17

Microsoft Edge and Flash

Nope!

SLIDE 18

Has No One Learnt from the Past?

SLIDE 19

Guess Trident Wasn’t a Suitable Base?

SLIDE 20

User Account Control

SLIDE 21

They’ve Fixed Some Bugs I’ve Reported

https://code.google.com/p/google-security-research/issues/detail?id=156
https://code.google.com/p/google-security-research/issues/detail?id=220

SLIDE 22

UAC Auto Elevation Directory Check

  c:\windows\app.exe          ALLOWED
  c:\windows\tracing\app.exe  BANNED

SLIDE 23

Folder Permissions

  c:\windows\app.exe          ALLOWED
  c:\windows\tracing\app.exe  BANNED

SLIDE 24

AiCheckSecureApplicationDirectory Bypass

  • Need to be able to write a file with a secure path
  • How can we write to C:\Windows without writing to C:\Windows?

  c:\windows\malicious.exe  ALLOWED
  c:\windows\????           ALLOWED?

SLIDE 25

NTFS Alternate Data Streams FTW!

  c:\windows\tracing:malicious.exe  ALLOWED

  • Only need the FILE_WRITE_DATA/FILE_ADD_FILE access right on the directory to create a named stream.
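The directory check on slides 22 to 25 fails because the parent directory of c:\windows\tracing:malicious.exe is computed as c:\windows\ while the data actually lives in a named stream attached to the user-writable tracing directory. The following C program is an added illustration, not code from the talk or from Windows: it models a naive "parent directory is on the secure list" test beside a hardened variant that refuses any path naming an alternate data stream. The function names (naive_in_secure_dir, hardened_in_secure_dir), the kSecureDirs list and the sample paths are all constructed for the example; the real AiCheckSecureApplicationDirectory is not reproduced here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not the real AiCheckSecureApplicationDirectory): the
 * executable must sit directly inside a trusted directory. Only c:\windows\
 * is listed, which is enough to show the flaw. */
static const char *const kSecureDirs[] = { "c:\\windows\\" };
#define NUM_SECURE_DIRS (sizeof kSecureDirs / sizeof kSecureDirs[0])

/* ASCII case-insensitive string equality (Windows paths are case-insensitive). */
static bool str_equal_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        char ca = (*a >= 'A' && *a <= 'Z') ? (char)(*a + 32) : *a;
        char cb = (*b >= 'A' && *b <= 'Z') ? (char)(*b + 32) : *b;
        if (ca != cb) return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Copy the parent directory (everything up to and including the last
 * backslash) of path into dir. False if there is no backslash or no room. */
static bool parent_dir(const char *path, char *dir, size_t dirlen) {
    const char *last = strrchr(path, '\\');
    if (!last) return false;
    size_t n = (size_t)(last - path) + 1;
    if (n >= dirlen) return false;
    memcpy(dir, path, n);
    dir[n] = '\0';
    return true;
}

/* Naive check: is the parent directory on the trusted list?
 * "c:\windows\tracing:malicious.exe" passes, because the ':' that introduces
 * an NTFS named stream is not a path separator, so the parent directory is
 * computed as "c:\windows\" even though the stream hangs off the
 * user-writable c:\windows\tracing directory (slide 25). */
bool naive_in_secure_dir(const char *path) {
    char dir[260];
    if (!parent_dir(path, dir, sizeof dir)) return false;
    for (size_t i = 0; i < NUM_SECURE_DIRS; i++)
        if (str_equal_ci(dir, kSecureDirs[i])) return true;
    return false;
}

/* Hardened check: reject any ':' after the drive-letter colon, so a path
 * that names an alternate data stream never reaches the directory test. */
bool hardened_in_secure_dir(const char *path) {
    const char *drive_colon = strchr(path, ':');
    if (drive_colon && strchr(drive_colon + 1, ':') != NULL)
        return false;                       /* stream name present */
    return naive_in_secure_dir(path);
}

int main(void) {
    const char *samples[] = {               /* constructed sample paths */
        "c:\\windows\\app.exe",
        "c:\\windows\\tracing\\app.exe",
        "c:\\windows\\tracing:malicious.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s naive=%-7s hardened=%s\n", samples[i],
               naive_in_secure_dir(samples[i]) ? "ALLOWED" : "BANNED",
               hardened_in_secure_dir(samples[i]) ? "ALLOWED" : "BANNED");
    return 0;
}
```

The stream check alone is not a complete fix: slide 23 shows the real decision also depends on the folder's permissions, so a robust check verifies that the resolved directory is not writable by standard users rather than trusting its name.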

SLIDE 26

Didn’t Fix All my UAC Bypasses Though

https://code.google.com/p/google-security-research/issues/detail?id=219

SLIDE 27

DEMO: Elevated Token Capture

SLIDE 28

Well MS Almost Did

Impersonation decision flowchart (arrows not reproduced):
  • If Token Level < Impersonate
  • If Process has Impersonate Privilege
  • If Process IL < Token IL
  • If Process User == Token User
  • Elevation Check
  Outcomes: ALLOWED / Restrict to Identification Level

SLIDE 29

Elevated Token Impersonation

  • Blocks impersonating an elevated token unless the process token is also elevated
  • Must be enabled in the SeCompatFlags kernel flag

if (SeTokenIsElevated(ImpersonationToken)) {
  if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) {
    return STATUS_PRIVILEGE_NOT_HELD;
  }
}

SLIDE 30

In The End Still the “Wrong” Default IMO!

SLIDE 31

If You Change Task Manager Needs a Prompt

SLIDE 32

Windows Symbolic Links

  Windows NT 3.1 - July 27 1993:   Object Manager Symbolic Links, Registry Key Symbolic Links
  Windows 2000 - Feb 17 2000:      NTFS Mount Points and Directory Junctions
  Windows Vista - Nov 30 2006:     NTFS Symbolic Links

SLIDE 33

Mitigated in Sandboxes

  NTFS Mount Points              BANNED
  Registry Key Symbolic Links    LIMITED
  Object Manager Symbolic Links  LIMITED

SLIDE 34

Mitigations Backported

SLIDE 35

Mount Point Mitigation Bypass

NTSTATUS IopXxxControlFile(...) {
  if (CtlCode == FSCTL_SET_REPARSE_POINT) {
    PREPARSE_DATA_BUFFER buffer = ...
    // Only sandboxed callers setting a mount point get the extra check
    if (NumberOfBytes >= 4 &&
        buffer->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT &&
        RtlIsSandboxedToken(&SubjectSecurityContext, AccessMode)) {
      status = FsRtlValidateReparsePointBuffer(NumberOfBytes, buffer);
      if (!NT_SUCCESS(status)) {
        return status;
      }
      // Open the substitute name for write in the caller's context; the
      // mount point is refused if the caller could not write the target
      name.Length = name.MaximumLength = buffer->SubstituteNameLength;
      name.Buffer = &buffer->PathBuffer[0];
      InitializeObjectAttributes(&obja, &name,
                                 OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE);
      status = ZwOpenFile(&FileHandle, FILE_GENERIC_WRITE, &obja, ...,
                          FILE_DIRECTORY_FILE);
      if (!NT_SUCCESS(status)) {
        return status;
      }
      ZwClose(FileHandle);
    }
  }
}


SLIDE 38

Time of Check - Time of Use

  Low Privileged Process:   \??\c:\somepath\xyz
  High Privileged Process:  \??\c:\somepath\xyz
  Not Equal

SLIDE 39

DosDevices History

  NT 3.1:              DosDevices
  NT 4.0:              ??, DosDevices
  Windows 2000:        ??, DosDevices, Per-Process
  Windows XP Onwards:  Virtual ??, GLOBAL??, Per-User DosDevices, Per-Process

SLIDE 40

DosDevices History

(Same diagram as slide 39, with the Per-Process device map called out: Use This!)

SLIDE 41

Abusing Per-Process Device Map

  Low Privileged Process:   \??\c:\somepath\xyz  (per-process device map points it at \Device\NamedPipe\)
  High Privileged Process:  \??\c:\somepath\xyz
  Not Equal

https://code.google.com/p/google-security-research/issues/detail?id=486
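Slides 38 and 41 turn on one fact: the string \??\c:\somepath\xyz names different objects in different processes, because \?? is resolved through the caller's per-process device map first, then the per-user map, then \GLOBAL??. The check on slide 35 opens the substitute name in the sandboxed caller's context, while the privileged process later follows the mount point with its own map. The C program below is an added model of that lookup order written for this page, not kernel code and not code from the talk; the ProcessView/DeviceMap types, the resolve_path and same_object functions, and the device maps are constructed sample data. It uses strcasecmp from the POSIX strings.h header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* One symbolic link in a device map, e.g. "C:" -> "\Device\HarddiskVolume1". */
typedef struct { const char *name; const char *target; } DosDeviceLink;
typedef struct { const DosDeviceLink *links; size_t count; } DeviceMap;

/* The three places \?? can be satisfied from, in lookup order. */
typedef struct {
    const char *label;
    const DeviceMap *per_process;   /* NULL when the process has none */
    const DeviceMap *per_user;      /* NULL when the logon session has none */
    const DeviceMap *global;        /* \GLOBAL??, always present */
} ProcessView;

static const char *map_lookup(const DeviceMap *map, const char *name) {
    if (!map) return NULL;
    for (size_t i = 0; i < map->count; i++)
        if (strcasecmp(map->links[i].name, name) == 0) return map->links[i].target;
    return NULL;
}

/* Resolve a \??\ or \GLOBAL??\ path to a native device path as seen by the
 * given process. Returns NULL if the drive link does not exist. The result
 * lives in a static buffer; copy it before calling again. */
const char *resolve_path(const ProcessView *view, const char *path) {
    static char out[512];
    const char *rest;
    bool global_only;
    if (strncmp(path, "\\??\\", 4) == 0)            { rest = path + 4;  global_only = false; }
    else if (strncmp(path, "\\GLOBAL??\\", 10) == 0){ rest = path + 10; global_only = true;  }
    else { snprintf(out, sizeof out, "%s", path); return out; }   /* already native */

    const char *sep = strchr(rest, '\\');
    size_t n = sep ? (size_t)(sep - rest) : strlen(rest);
    char link[64];
    if (n >= sizeof link) return NULL;
    memcpy(link, rest, n);
    link[n] = '\0';

    const char *target = NULL;
    if (!global_only) {                      /* \?? consults the caller's maps first */
        target = map_lookup(view->per_process, link);
        if (!target) target = map_lookup(view->per_user, link);
    }
    if (!target) target = map_lookup(view->global, link);
    if (!target) return NULL;
    snprintf(out, sizeof out, "%s%s", target, sep ? sep : "");
    return out;
}

/* True when both processes resolve the same string to the same object: the
 * property a name-based check silently assumes. */
bool same_object(const ProcessView *a, const ProcessView *b, const char *path) {
    char ra[512], rb[512];
    const char *pa = resolve_path(a, path);
    if (!pa) return false;
    snprintf(ra, sizeof ra, "%s", pa);
    const char *pb = resolve_path(b, path);
    if (!pb) return false;
    snprintf(rb, sizeof rb, "%s", pb);
    return strcmp(ra, rb) == 0;
}

/* Constructed sample maps. The low-privileged process carries a per-process
 * map that sends C: to the named pipe device, as on slide 41. */
static const DosDeviceLink kGlobalLinks[] = { { "C:", "\\Device\\HarddiskVolume1" } };
static const DeviceMap kGlobal = { kGlobalLinks, 1 };
static const DosDeviceLink kLowLinks[] = { { "C:", "\\Device\\NamedPipe" } };
static const DeviceMap kLowMap = { kLowLinks, 1 };
const ProcessView kLowProcess  = { "low",  &kLowMap, NULL, &kGlobal };
const ProcessView kHighProcess = { "high", NULL,     NULL, &kGlobal };

int main(void) {
    const char *path = "\\??\\c:\\somepath\\xyz";          /* constructed sample */
    printf("low  sees %s\n", resolve_path(&kLowProcess, path));
    printf("high sees %s\n", resolve_path(&kHighProcess, path));
    printf("same object via \\??:       %s\n",
           same_object(&kLowProcess, &kHighProcess, path) ? "yes" : "no");
    printf("same object via \\GLOBAL??: %s\n",
           same_object(&kLowProcess, &kHighProcess, "\\GLOBAL??\\c:\\somepath\\xyz") ? "yes" : "no");
    return 0;
}
```

The defensive lesson is the usual one for time-of-check/time-of-use: privileged code should act on the handle it validated rather than re-opening a caller-supplied string in its own context, and where a string must be resolved it should be resolved through the global map (the \GLOBAL?? prefix) rather than \??.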

SLIDE 42

Sandbox Winter is Coming!

New in October Kernel Release

SLIDE 43

DEMO: NTFS Mount Point Mitigation Bypass

SLIDE 44

Win32k Hardening

SLIDE 45

Fonts Are Bad

SLIDE 46

Making it Less Bad

  • User Mode Font Driver
  • Disable Custom Font Policy (undocumented):

PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 };
policy.DisableNonSystemFonts = 1;
policy.AuditNonSystemFontLoading = 1;
SetProcessMitigationPolicy(ProcessFontDisablePolicy, &policy, sizeof(policy));

SLIDE 47

User Mode Font Driver

  • Only SYSTEM can open process?
  • Running as user in AppContainer

SLIDE 48

Process Token Default DACL

  • Before September Patch
  • After September Patch

SLIDE 49

Thread DACLs Allow User Access

SLIDE 50

Extra, UMFD Only Win32k Escape Calls

  NtGdiEscape Command   UMFD Escape Call
  13                    UmfdEscEngGetFileChangeTime
  14                    UmfdEscEngGetFilePath
  15                    UmfdEscEngComputeGlyphSet
  16                    UmfdEscEngCreateFile
  17                    UmfdEscParseFontResources
  18                    atmfdFontManagement (enable kernel ATMFD driver)
  And Others ...

SLIDE 51

UmfdEscEngCreateFile in Win32kFull.sys

Before September Patch:

// Name is \SystemRoot\System32\QLCLF.ATM,
// ATMLIB.DLL or FAC.ATM
HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) {
  ACCESS_MASK Access = FILE_GENERIC_READ;
  OBJECT_ATTRIBUTES Attrs;
  HANDLE FileHandle = -1;
  ULONG Disposition = FILE_OPEN;
  if (!ReadOnly) {
    // Caller can ask for write access and file creation
    Access |= FILE_WRITE_DATA;
    Disposition = FILE_OPEN_IF;
  }
  InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...);
  // Kernel-mode open: no access check against the caller
  ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...);
  return FileHandle;
}

After September Patch:

// Name is only \SystemRoot\System32\FAC.ATM
HANDLE EngCreateFile(UNICODE_STRING Name) {
  ACCESS_MASK Access = FILE_GENERIC_READ;
  OBJECT_ATTRIBUTES Attrs;
  HANDLE FileHandle = -1;
  ULONG Disposition = FILE_OPEN;
  InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...);
  // Read-only open, access-checked against the caller
  IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ...,
               IO_FORCE_ACCESS_CHECK);
  return FileHandle;
}

SLIDE 52

UmfdEscEngCreateFile in Win32kFull.sys

(Same before/after code as slide 51, with callouts: Attacker Controlled, No Security Check; after the September patch: All Gone)

SLIDE 53

Process Silos

  • New process container mechanism
  • Possibly related to docker support
  • Works in a similar fashion to process jobs

NTSTATUS NtCreateSiloObject(
    PHANDLE handle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes);

SLIDE 54

Opening Device Object

  Native NT Path:         \Device\Harddisk1\SomeName
  Device Path:            \Device\Harddisk1   (owned by the Harddisk Driver, which runs its Create File Handler)
  Device Namespace Path:  \SomeName

  Driver Responsible for Security

SLIDE 55

Replace the Root Object Directory

// Create anonymous directory object
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateDirectoryObject(&hDir, &ObjectAttributes, ...);
NtSetInformationSiloObject(hSilo, SiloObjectRootDirectory, &hDir, sizeof(hDir));
NtAssignProcessToSiloObject(hSilo, GetCurrentProcess());
// Process root directory now empty

Exploit: https://code.google.com/p/google-security-research/issues/detail?id=459

SLIDE 56

Fixed in RTM

  • Silo functionality rolled into Job objects
  • Changing the object directory is now behind a TCB check
  • Shame for Chrome, would have been a useful feature

SLIDE 57

Public Service Announcement

Doing too much security research on Beta software can make you sad

SLIDE 58

(Dis)Honourable Mentions

  • Control Flow Guard (CFG)
  • Privacy Options
  • Cumulative Updates
  • Microsoft Cross-Signed Drivers

SLIDE 59

Conclusions

2 steps forward, 1 step back. Still plenty of things to attack!

SLIDE 60

DEMO: Local System Elevation

SLIDE 61

Good Old Issue 222

https://code.google.com/p/google-security-research/issues/detail?id=222

SLIDE 62

Questions?