8/14/2019 Vista Security
1/48
Windows Vista Security

User Mode Security
User Account Protection (UAP)
Mandatory Integrity Control (MIC)
UI Privilege Isolation (UIPI)
Restricted Process
Unrestricted Process (Elevation)
  Standard methods
  The Legacy Shell Trick
  Consent Prompts and Admin Brokers
Service Isolation
File and Registry Virtualization
  Registry Virtualization
  File Virtualization
  Low Rights IE Virtualization
Possible Attacks

User Account Protection (UAP)
Limited User Accounts: standard user accounts preferred
Problem: software isn't always written for standard user accounts
Administrators start as Protected
  Protected: runs programs with minimal privileges; must authenticate protected actions
  Unprotected: can run programs unrestricted

Mandatory Integrity Control (MIC)
Every securable object has an integrity level
Children inherit the integrity of their parents
Interactions exist at equal or lesser integrity; higher integrity can act on lower through certain functions
Any interaction allowed through IPC (BAD)
Lower integrity server can impersonate a higher integrity client (ImpersonateNamedPipeClient)

Mandatory Integrity Control Levels
Integrity | Access Level
Low       | Untrusted (can only write to low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key)
Medium    | User (can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER)
High      | Administrative (can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE)
System    | System privileges

UI Privilege Isolation (UIPI)
Added to prevent Shatter attacks
LI process can't send messages to a HI process: SendMessage, PostMessage
LI process can't hook into a HI process: SetWindowsHookEx, SetWinEventHook

Restricted Process
How is it restricted?
Security token normally has all privileges
  Some are disabled (ignored during permission checks)
  Process can re-enable them
Security token created with less privileges (CreateRestrictedToken)
  Some privileges removed
  Some privileges marked deny only
  Group used for deny only: explicit denials for the group propagate, explicit allows do not

Unrestricted Process (Elevation)
Processes are run elevated when:
  Process is a .msi or .exe and a registered installer
  Process exists in the app compatibility database: proper registry entry with value RUNASADMIN (.sdb created by CompatAdmin.exe)
  Application manifest (.exe.manifest) contains requestedExecutionLevel of requireAdministrator
  User right-clicks the executable and clicks Run Elevated from Explorer
  Executed by an already privileged process

The Legacy Shell Trick
Kill explorer from taskmanager.exe and restart it with File -> New Task: new shell running with highest integrity
Why does this work?
  WinLogon.exe handles the Secure Attention Sequence (ctrl+alt+delete and ctrl+shift+esc)
  taskmanager started this way is created with high integrity
  File -> New Task creates a process with CreateProcess instead of CreateRestrictedProcess
Fixed in later builds of Vista

Consent Prompts and Admin Brokers
Windows Explorer can't launch unrestricted apps on its own (restricted token, medium integrity)
AppInfo Admin Broker service (runs as LocalSystem)
  RunAsAdminProcess
  consent.exe run by AppInfo
  Creates process: ImpersonateLoggedOnUser, CreateProcessAsUser (not CreateProcess)

Security Token (diagram)
User in Users group -> Login -> Standard User token
User in Administrators group -> Login (Local Security Authority) -> Standard User token; Consent / Administrator credentials -> Full Administrator token (full access)

Service Isolation
Services used to exist in the same session
Vista services run in isolated Session 0
  Services can't open dialogs on the desktop
  Neither can services marked interactive; dialogs from interactive services are actually a Terminal Services context
Consent prompts? AppInfo runs consent in the user's desktop session with CreateProcessAsUser

File and Registry Virtualization
Why? Developers don't code applications properly
  Assume the need for admin privileges
Need to provide backwards compatibility
Need to provide separation and safety

Registry Virtualization
Implemented by the kernel
Write attempts to HKEY_LOCAL_MACHINE\Software redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
Provides per-user settings in apps that used the registry for storage
Provides isolation between users

File Virtualization
Implemented as a FS filter driver (luafv.sys)
Example: Program Files
  Foo writes to c:\Program Files\foo\foo.ini
  Foo is running as unprivileged and fails
  Filter driver maps c:\Program Files\foo\foo.ini to a per-user virtualized area
  %UserProfile%\AppData\Local\VirtualStore\C\Progra~1\foo contains the user-specific copy of foo.ini
Certain executable types not virtualized (cmd, bat, exe, dll, etc.)
Provides isolation
Provides per-user settings (in certain cases)
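As an added example (not from the slides), a PowerShell script that audits what the registry and file virtualization described above have redirected for the current user: it walks the VirtualStore locations the slides name and maps each entry back to the protected path the application believed it was writing. It assumes the default VirtualStore paths; the function names are my own.

```powershell
# Added example: audit UAC virtualization redirects for the current user.
# Paths are the ones the slides give; anything found here is a legacy app
# that tried to write to Program Files or HKLM\Software without privileges.
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE\Software'

function Get-VirtualizedFiles {
    if (-not (Test-Path -LiteralPath $fileStore)) { return @() }
    Get-ChildItem -LiteralPath $fileStore -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # VirtualStore\C\Program Files\foo\foo.ini -> C:\Program Files\foo\foo.ini
            $rel = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            $drive, $rest = $rel -split '\\', 2
            [pscustomobject]@{
                VirtualCopy  = $_.FullName
                IntendedPath = "${drive}:\$rest"
                LastWrite    = $_.LastWriteTime
            }
        }
}

function Get-VirtualizedRegistryKeys {
    if (-not (Test-Path -LiteralPath $regStore)) { return @() }
    Get-ChildItem -LiteralPath $regStore -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Strip the VirtualStore prefix to recover the HKLM key the app targeted
            $sub = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', ''
            [pscustomobject]@{
                VirtualKey  = $_.Name
                IntendedKey = "HKEY_LOCAL_MACHINE\$sub"
                ValueCount  = $_.ValueCount
            }
        }
}

Get-VirtualizedFiles          | Format-Table -AutoSize
Get-VirtualizedRegistryKeys   | Format-Table -AutoSize
```

Run it as the user whose applications you are reviewing; a non-empty result is the list of applications that still assume admin rights and would break if virtualization were turned off.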

Low Rights IE Virtualization
Virtualization not done by the filter driver, done by an AppCompat shim DLL
Why? A low integrity process can't even write to the virtualized areas
Uses special broker applications for tasks

Low Rights IE Virtualization Components
User runs IEUser.exe (medium integrity)
IEUser.exe spawns IExplorer.exe (low integrity)
Any admin level requests handled by IEInstall.exe

Ex-Possible Attacks
Low Integrity IE Approach
Medium Integrity
  Method 1: Sleight of Hand / Bait and Switch
  Method 2: Sleight of Hand / Bait and Switch

Low Integrity IE Approach
Unknown IE exploit allows injection of arbitrary code
Code is run at low integrity
Low integrity code can loop back on localhost (gains default medium integrity)
Code can now insert files into the filesystem, e.g. the virtualized Start Menu startup folder
No longer valid as of Beta 2

Medium Integrity - Method 1
User expects a consent prompt
User is slow
User clicks through
Malicious app checks for all instances of consent.exe
If called on behalf of the spoof target, copy our bad version over the good one

Medium Integrity - Method 2
Global COM objects: HKEY_LOCAL_MACHINE\Software\Classes\CLSID
User specific COM objects: HKEY_CURRENT_USER\Software\Classes\CLSID
User objects have precedence over system objects
Enumerate system COM objects
Create paths to malicious versions in current_user
No longer valid: only local_machine keys are referred to for elevation

Kernel Mode Security
Booting Vista
Driver Signing
Patch Guard
Secure Bootup
Restricted user-mode access to \Device\PhysicalMemory

Booting Vista (Stage 1)
Locates and runs bootmgr for a legacy PC/AT BIOS and bootmgr.efi for an EFI system
The Vista Boot Manager calls InitializeLibrary, which in turn calls BlpArchInitialize (GDT, IDT, etc.), BlpTpmInitialize (TPM), BlpIoInitialize (file systems), BlBdInitialize (debugging), BlDisplayInitialize
Boot.ini replaced with the BCD file
Selects a boot description and runs BlImageLoadBootApplication
Calls BlFveSecureBootUnlockBootDevice and BlFveSecureBootCheckpointBootApp if Full Volume Encryption is enabled

Booting Vista (Stage 2)
WINLOAD.EXE replaces NTLDR.EXE as the OS loader
Performs many of the same tasks as bootmgr
Discovers disks and loads the hive
Loads the OS signed catalog

Booting Vista (Stage 2) cont.
Verifies its own integrity and that of other system files
  Does not boot if they don't match
  Will however boot if a debugger is attached, except on certain key files
Loads the appropriate driver for debugging: USB, FireWire, Serial
Loads remaining drivers in order from the hive

Booting Vista (Stage 3)
Loads NTOSKRNL.EXE
  Responsible for code verification of system drivers
  Runtime checks (PatchGuard and CI.DLL)

Driver Signing
Windows Vista 64-bit edition only
All kernel mode drivers must have a class 3 cert
Justification:
  Stability: less hackish code in the kernel
  Security: prevents rootkits
Ulterior motives: DRM protection

Driver Signing (Implementation)
WINLOAD.EXE - boot driver checks
NTOSKRNL.EXE (uses CI.DLL) - all other drivers
Functions:
  MinCrypL_CheckSignedFile
  MinCrypL_CheckImageHash
  MinCryptK_FindPageHashesInCatalog

Driver Signing (Implementation)
MinCrypL_CheckSignedFile
  Used by WINLOAD.EXE and CI.DLL
  Parses the certificate to check validity
  Checks the certificate against a root certificate
    Hard coded list of 8 certificates in the binary
    Adding certificates to the system certificates doesn't add to this list
  If the certificate is signed by a root authority, validate it
    Parse public key info / RSA public key
    Convert the key to a safe public key
    Verify the signature according to PKCS1

Driver Signing (Implementation)
MinCrypL_CheckImageHash
  Used by WINLOAD.exe
  Verifies the driver matches images in the signed catalog
  Walks the linked list of catalogs pointed to by g_CatalogList, calling I_CheckImageHashInCatalog on each
MinCryptK_FindPageHashesInCatalog
  Used by CI.DLL
  Checks code pages of a process or driver at runtime
  Binary searches for a matching page hash in ntpe.cat, nt5.cat
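As an added example (not from the slides), a user-mode check that complements the kernel's signature enforcement described above: it lists the currently loaded kernel drivers whose Authenticode signature does not verify with Get-AuthenticodeSignature. It does not reproduce the MinCrypt/CI.DLL page-hash logic; the function name is my own.

```powershell
# Added example: report loaded kernel drivers whose signature does not verify.
# Uses the WMI/CIM Win32_SystemDriver class and Get-AuthenticodeSignature,
# both standard on Windows; run from an elevated prompt to read all driver files.
function Get-UnverifiedLoadedDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            if (-not $_.PathName) { return }
            # PathName may be "\??\C:\..." or "\SystemRoot\System32\..." or quoted;
            # normalise it to a plain Win32 path before looking at the file
            $path = $_.PathName.Trim('"') `
                -replace '^\\\?\?\\', '' `
                -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

Get-UnverifiedLoadedDrivers | Format-Table -AutoSize
```

Depending on the Windows version, drivers signed only through a catalog can be reported as NotSigned by this cmdlet even though CI.DLL accepts them, so treat the output as a review list rather than a verdict.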

Patch Guard
Can not be disabled
Polls at 5-10 minute intervals to verify kernel structures are intact:
  SSDT (System Service Descriptor Table)
  GDT (Global Descriptor Table)
  IDT (Interrupt Descriptor Table)
  System images (ntoskrnl.exe, ndis.sys, hal.dll)
  Processor MSRs (syscall)

Patch Guard (Implementation)
Uses obfuscation and misdirection to raise the bar
Example: Initialization
  nt!KiDivide6432 (What does it do?) Throws a divide processor exception
  Patch Guard initialization called in the exception handler

Patch Guard (Implementation)
Initialization
  Creates a random key
  Creates a random rotate number
  Picks a fake memory pool tag
  Initializes memory: zeroes it, fills it with structures
  Encrypts the structures in memory

Patch Guard (Attacks)
Exception Handler Hooking: verification relies on exceptions; hook the exception and turn it into a nop
KeBugCheckEx Hook: when called, check if the bug check code is 0x109; if so, reset the stack pointer and instruction pointer to the thread and carry on
Finding the timer: find the timer event and remove it. Not reliable and not portable since it uses an unexported address
Simulating Hotpatching: use the Hotpatch API to trick Windows

Secure Bootup
TPM holds the key used for full drive encryption
Takes measurements of boot items such as ROM images and firmware images
Special boot code in the TPM decrypts the boot loader
Boot loader asks for the full drive encryption key from the TPM
Boots the same as detailed in Booting Vista

Disabled user-mode access to \Device\PhysicalMemory
Started with Windows Server 2003 SP1
Crazylord (Phrack 59, article 0x10) showed a method for detecting BIOS rootkits using \Device\PhysicalMemory

The End

Frame-Based Exception Handlers
Every thread in a Win32 process has at least one frame-based exception handler
A list of EXCEPTION_REGISTRATION structures can be found in the process's Thread Environment Block at FS:[0]
Overwrite the exception handler with an address which will pop reg / pop reg / ret

Determining a valid handler
Handler can not exist on the stack (determined by TEB FS:[4], FS:[8])
Checked against loaded modules
  If the address exists outside of the bounds of these addresses it is ok to call?
  If the address exists inside these it is checked against registered handlers
  Checks a value in the PE header; if it is set to 0x04 then the module is not allowed
  Finally checks for a Load Configuration Directory; if missing, the function returns 0, no other checks are done and the handler is executed

Exploiting Frame-Based Exception Handling (Windows 2003 Server)
Methods
  Exploit an existing handler that we can manipulate to get us back into our buffer
  Find a block of code at an address not associated with a module that will get us back to our buffer
  Find a block of code in the address space of a module that does not have a Load Configuration Directory

Exploiting an Existing Handler
NTDLL contains several registered exception handlers
Only works the first time since sensitive data is in predictable places
77F45A3F mov ebx, dword ptr [ebp+0Ch]
..
77F45A61 mov esi, dword ptr [ebx+0Ch]
77F45A64 mov edi, dword ptr [ebx+8]
..
77F45A75 lea ecx, [esi+esi*2]
77F45A78 mov eax, dword ptr [edi+ecx*4+4]
..
77F45A64 call eax

Finding and exploiting a block of code not associated with a module
Windows 2003 Server Enterprise edition contains such an address at 0x7FFC0AC5 (pop pop ret)
Not usable since Standard edition does not have the same issue
However we can use the address of our EXCEPTION_REGISTRATION struct in the form of a call or jump esp+somevalue

Stack Protection and Windows 2003 Server
Security cookies: authoritative copy stored in the .data segment
/GS compiler flag reorders parameters
  Places overflowable buffers close to the canary values

Heap Based Buffer Overflows
Handle to the Win32 heap through GetProcessHeap() and through the PEB
HeapAlloc: Win32 version of brk and sbrk. Every heap starts with a struct and contains pointers to the previous and next blocks (similar to malloc)
Use exception handlers to overwrite functions such as RtlAcquirePebLock() and RtlReleasePebLock() (not usable in Win2k3 Server)

Heap Overflow Fun
The PEB in a process is fixed across all WinNT versions
Step 1: Overflow the heap to overwrite the PEB + 4 (return address)
Step 2: Allow the program to segfault and terminate
Step 3: Sit back and watch ExitProcess run your code for you
Make sure to set the pointer back, or something else could kill your process if it's used elsewhere in the code

Vectored Handlers
Similar in structure to frame based exception handlers
Stored on the heap instead of the stack
Executed before frame based handlers

Other Aspects of Heap-Based Overflows
COM Objects and the Heap
  COM objects, when instantiated, are placed on the heap
  A vtable is created to store the function pointers for an object, and the object is stored above it in the address space
  If you overflow an object you can possibly overwrite the vtable of the object above you and redirect code execution
Overflowing Program Control Data
  We don't always want to execute arbitrary code
  Sometimes we just want to change data on the heap that controls the execution flow
  Ex. Making a directory exposed by a web server writable so anyone can write to it