Vista Security


Transcript of Vista Security

8/14/2019 Vista Security

1/48

Windows Vista Security

2/48

User Mode Security

User Account Protection (UAP)
Mandatory Integrity Control (MIC)
UI Privilege Isolation (UIPI)
Restricted Process
Unrestricted Process (Elevation)
  Standard methods
  The Legacy Shell Trick
  Consent Prompts and Admin Brokers
Service Isolation
File and Registry Virtualization
  Registry Virtualization
  File Virtualization
  Low Rights IE Virtualization
Possible Attacks

3/48

User Account Protection (UAP)

Limited User Accounts: standard user accounts preferred
Problem: software isn't always written for standard user accounts
Administrators start as Protected: runs programs with minimal privileges; must authenticate protected actions
Unprotected: can run programs unrestricted

4/48

Mandatory Integrity Control (MIC)

Every securable object has an integrity level
Children inherit the integrity of their parents
Interactions exist at equal or lesser integrity; higher integrity can act on lower through certain functions
Any interaction allowed through IPC (BAD)
Lower integrity server can impersonate higher integrity (ImpersonateNamedPipeClient)

5/48

Mandatory Integrity Control Levels

Integrity | Access Level
Low       | Untrusted (can only write to low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key)
Medium    | User (can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER)
High      | Administrative (can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE)
System    | System privileges

6/48

UI Privilege Isolation (UIPI)

Added to prevent Shatter attacks
LI (low integrity) process can't send messages to a HI (high integrity) process: SendMessage, PostMessage
LI process can't hook into a HI process: SetWindowsHookEx, SetWinEventHook

7/48

Restricted Process

How is it restricted?
Security token normally has all privileges; some are disabled (ignored during permission checks); the process can re-enable them
Security token created with fewer privileges (CreateRestrictedToken): some privileges removed, some privileges marked deny only
Group used for deny only: explicit denials for the group propagate, explicit allows do not
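As an added example (not code from the deck), the following Python models the two-stage check the MIC and Restricted Process slides describe: the mandatory label is compared first (no write-up), then the DACL is walked with the caller's token, where a deny-only group matches only deny entries. Levels, SIDs and the object layout are constructed stand-ins.

```python
"""Access check model for the MIC and Restricted Process slides: mandatory
integrity label first (no write-up), then the DACL, where a group marked
deny-only matches only ACCESS_DENIED entries. Added example, not code from
the deck; SIDs are constructed names."""
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH, SYSTEM = 1, 2, 3, 4   # integrity levels, lowest first
READ, WRITE = 0x1, 0x2                   # simplified access mask bits

@dataclass
class Token:
    user: str
    level: int                                   # caller's integrity label
    groups: set = field(default_factory=set)     # enabled group SIDs
    deny_only: set = field(default_factory=set)  # SE_GROUP_USE_FOR_DENY_ONLY

@dataclass
class Ace:
    allow: bool   # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    sid: str
    mask: int

@dataclass
class SecurableObject:
    level: int    # mandatory label; Vista objects default to MEDIUM
    dacl: list    # ordered list of Ace

def access_check(tok, obj, desired):
    # Stage 1: mandatory integrity policy (No-Write-Up). A caller labelled
    # below the object cannot obtain write access; reads are unaffected.
    if desired & WRITE and tok.level < obj.level:
        return False
    # Stage 2: discretionary check. Allows accumulate granted bits; a deny
    # on a still-wanted bit fails. A deny-only group never feeds an allow:
    # the slide's "explicit denials propagate, explicit allows do not".
    remaining = desired
    for ace in obj.dacl:
        if ace.sid == tok.user or ace.sid in tok.groups:
            applies = True
        elif ace.sid in tok.deny_only:
            applies = not ace.allow
        else:
            applies = False
        if not applies:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False
        if remaining == 0:
            return True
    return remaining == 0
```

A filtered administrator token (Administrators marked deny-only, Medium label) therefore reads but cannot write an object whose only write grant is to Administrators, while a deny ACE for Administrators still blocks it.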

8/48

Unrestricted Process (Elevation)

Processes are run elevated when:
Process is a .msi or .exe and a registered installer
Process exists in the app compatibility database: proper registry entry with value RUNASADMIN; .sdb created by CompatAdmin.exe
Application manifest (.exe.manifest) contains requestedExecutionLevel of requireAdministrator
User right clicks the executable and clicks Run Elevated from explorer
Executed by an already privileged process

9/48

The Legacy Shell Trick

Kill explorer from taskmanager.exe and restart it with File -> New Task: new shell running with highest integrity
Why does this work?
WinLogon.exe handles the Secure Attention Sequence (ctrl+alt+delete and ctrl+shift+esc); taskmanager started this way is created with high integrity
File -> New Task creates a process with CreateProcess instead of CreateRestrictedProcess
Fixed in later builds of Vista

10/48

Consent Prompts and Admin Brokers

Windows Explorer can't launch unrestricted apps on its own: restricted token, medium integrity
AppInfo Admin Broker service (runs as LocalSystem)
RunAsAdminProcess: consent.exe run by AppInfo
Creates process: ImpersonateLoggedOnUser, CreateProcessAsUser (not CreateProcess)

11/48

Security Token

(Diagram) Login through the Local Security Authority. User in Administrators group: Login -> Standard User Token; Full Access Consent / Administrator Credentials -> Full Administrator Token. User in Users group: Login -> Standard User Token.

12/48

Service Isolation

Services used to exist in the same session
Vista services run in isolated Session 0; services can't open dialogs on the desktop
Neither can services marked interactive: dialogs from interactive services are actually a Terminal Services context
Consent prompts? AppInfo runs consent in the user's desktop session with CreateProcessAsUser

13/48

File and Registry Virtualization

Why? Developers don't code applications properly; they assume the need for admin privileges
Need to provide backwards compatibility
Need to provide separation and safety

14/48

Registry Virtualization

Implemented by the kernel
Write attempts to HKEY_LOCAL_MACHINE\Software redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
Provides per-user settings in apps that used the registry for storage
Provides isolation between users

15/48

File Virtualization

Implemented as a FS filter driver (luafv.sys)
Example: Program Files
Foo writes to c:\Program Files\foo\foo.ini
Foo is running as unprivileged and fails
Filter driver maps c:\Program Files\foo\foo.ini to a per-user virtualized area: %UserProfile%\AppData\Local\VirtualStore\C\Progra~1\foo contains a user-specific copy of foo.ini
Certain executable types not virtualized (cmd, bat, exe, dll, etc.)
Provides isolation
Provides per-user settings (in certain cases)
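Added example (not code from the deck) covering the Registry Virtualization and File Virtualization slides: given the path or key a non-elevated legacy app tried to write, it returns the per-user VirtualStore location an examiner should collect, or None when the write is not redirected. The profile root is a constructed value and the exclusion list is the slide's.

```python
"""Where a non-elevated legacy app's blocked write lands under Vista
virtualization, following the Registry and File Virtualization slides.
Added example, not code from the deck; the profile root is constructed."""
import ntpath

USER_PROFILE = r"C:\Users\alice"          # constructed %UserProfile%
VIRTUAL_STORE = ntpath.join(USER_PROFILE, r"AppData\Local\VirtualStore")
PROGRAM_FILES = r"\Program Files"         # the slide's example location
# Executable types luafv.sys never virtualizes (the slide's list).
EXCLUDED_EXTS = {".cmd", ".bat", ".exe", ".dll"}
HKLM_SOFTWARE = r"HKEY_LOCAL_MACHINE\Software"
HKCU_VIRTUAL = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software"

def virtualized_file_path(path):
    """VirtualStore copy for a write under Program Files, or None if the
    write is not redirected (other location, or an excluded file type)."""
    norm = ntpath.normpath(path)
    if ntpath.splitext(norm)[1].lower() in EXCLUDED_EXTS:
        return None
    drive, rest = ntpath.splitdrive(norm)   # ("C:", r"\Program Files\...")
    if not rest.lower().startswith(PROGRAM_FILES.lower() + "\\"):
        return None
    # The store mirrors the tree under a folder named for the drive letter;
    # the slide shows the same directory by its 8.3 short name, Progra~1.
    return ntpath.join(VIRTUAL_STORE, drive[0].upper(), rest.lstrip("\\"))

def virtualized_registry_key(key):
    """HKCU VirtualStore key for a write under HKLM\\Software, else None."""
    if not key.lower().startswith(HKLM_SOFTWARE.lower() + "\\"):
        return None
    return HKCU_VIRTUAL + key[len(HKLM_SOFTWARE):]

def virtualized_artifacts(file_writes, registry_writes):
    """Per-user locations to collect for an app's attempted writes."""
    files = [p for p in map(virtualized_file_path, file_writes) if p]
    keys = [k for k in map(virtualized_registry_key, registry_writes) if k]
    return files, keys
```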

16/48

Low Rights IE Virtualization

Virtualization not done by the filter driver, done by an AppCompat shim DLL
Why? A low integrity process can't even write to the virtualized areas
Uses special broker applications for tasks

17/48

Low Rights IE Virtualization Components

User runs IEUser.exe (medium integrity)
IEUser.exe spawns IExplorer.exe (low integrity)
Any admin level requests handled by IEInstall.exe

18/48

Ex-Possible Attacks

Low Integrity IE Approach
Medium Integrity
Method 1: Sleight of Hand / Bait and Switch
Method 2: Sleight of Hand / Bait and Switch

19/48

Low Integrity IE Approach

Unknown IE exploit allows injection of arbitrary code; code is run at low integrity
Low integrity code can loop back on localhost (gains default medium integrity)
Code can now insert files into the filesystem, e.g. the virtualized Start Menu startup folder
No longer valid as of Beta 2

20/48

Medium Integrity - Method 1

User expects consent prompt; user is slow; user clicks through
Malicious app checks for all instances of consent.exe
If called on behalf of the spoof target, copy our bad version over the good one

21/48

Medium Integrity - Method 2

Global COM objects: HKEY_LOCAL_MACHINE\Software\Classes\CLSID
User specific COM objects: HKEY_CURRENT_USER\Software\Classes\CLSID
User objects have precedence over system objects
Enumerate system COM objects; create paths to malicious versions in current_user
No longer valid: only local_machine keys are referred to for elevation

22/48

Kernel Mode Security

Booting Vista
Driver Signing
Patch Guard
Secure Bootup
Restricted user-mode access to \Device\PhysicalMemory

23/48

Booting Vista (Stage 1)

Locates and runs bootmgr for legacy PC/AT BIOS and bootmgr.efi for an EFI system
The Vista Boot Manager calls InitializeLibrary, which in turn calls BlpArchInitialize (GDT, IDT, etc.), BlpTpmInitialize (TPM), BlpIoInitialize (file systems), BlBdInitialize (debugging), BlDisplayInitialize
boot.ini replaced with the BCD file
Selects a boot description and runs BlImageLoadBootApplication
Calls BlFveSecureBootUnlockBootDevice and BlFveSecureBootCheckpointBootApp if Full Volume Encryption is enabled

24/48

Booting Vista (Stage 2)

WINLOAD.EXE replaces NTLDR.EXE as the OS loader
Performs many of the same tasks as bootmgr
Discovers disks and loads the hive
Loads the OS signed catalog

25/48

Booting Vista (Stage 2) cont.

Verifies its own integrity and that of other system files
Does not boot if they don't match
Will however boot if a debugger is attached, except on certain key files
Loads the appropriate driver for debugging: USB, Firewire, Serial
Loads remaining drivers in order from the hive

26/48

Booting Vista (Stage 3)

Loads NTOSKRNL.EXE
Responsible for code verification of system drivers
Runtime checks (PatchGuard and CI.DLL)

27/48

Driver Signing

Windows Vista 64-bit edition only
All kernel mode drivers must have a class 3 cert
Justification:
Stability: less hackish code in the kernel
Security: prevents rootkits
Ulterior motives: DRM protection

28/48

Driver Signing (Implementation)

WINLOAD.EXE - boot driver checks
NTOSKRNL.EXE - all other drivers (uses CI.DLL)
Functions:
MinCrypL_CheckSignedFile
MinCrypL_CheckImageHash
MinCryptK_FindPageHashesInCatalog

29/48

Driver Signing (Implementation)

MinCrypL_CheckSignedFile
Used by WINLOAD.EXE and CI.DLL
Parses the certificate to check validity
Checks the certificate against a root certificate: hard coded list of 8 certificates in the binary; adding certificates to the system certificates doesn't add to this list
If the certificate is signed by a root authority, validate it: parse public key info / RSA public key, convert the key to a safe public key, verify the signature according to PKCS1

30/48

Driver Signing (Implementation)

MinCrypL_CheckImageHash
Used by WINLOAD.EXE
Verifies the driver matches images in the signed catalog
Walks the linked list of catalogs pointed to by g_CatalogList calling I_CheckImageHashInCatalog on each
MinCryptK_FindPageHashesInCatalog
Used by CI.DLL
Checks code pages of a process or driver at runtime
Binary searches for a matching page hash in ntpe.cat, nt5.cat

31/48

Patch Guard

Cannot be disabled
Polls at 5-10 minute intervals to verify kernel structures are intact: SSDT (System Service Descriptor Table), GDT (Global Descriptor Table), IDT (Interrupt Descriptor Table), system images (ntoskrnl.exe, ndis.sys, hal.dll), processor MSRs (syscall)

32/48

Patch Guard (Implementation)

Uses obfuscation and misdirection to raise the bar
Example: Initialization
nt!KiDivide6432 (What does it do?) Throws a divide processor exception
Patch Guard initialization called in the exception handler

33/48

Patch Guard (Implementation)

Initialization:
Creates random key
Creates random rotate number
Picks a fake memory pool tag
Initializes memory: zeroes it, fills it with structures
Encrypts structures in memory

34/48

Patch Guard (Attacks)

Exception handler hooking: verification relies on exceptions; hook the exception and turn it into a nop
KeBugCheckEx hook: when called, check if the bug check code is 0x109; if so reset the stack pointer and instruction pointer to the thread and carry on
Finding the timer: find the timer event and remove it; not reliable and not portable since it uses an unexported address
Simulating hotpatching: use the Hotpatch API to trick Windows

35/48

Secure Bootup

TPM holds the key used for full drive encryption
Takes measurements of boot items such as ROM images and firmware images
Special boot code in the TPM decrypts the boot loader
Boot loader asks for the full drive encryption key from the TPM
Boots the same as detailed in Booting Vista

36/48

Disabled user-mode access to \Device\PhysicalMemory

Started with Windows Server 2003 SP1
Crazylord (p59-0x10) showed a method for detecting BIOS rootkits using \Device\PhysicalMemory

37/48

The End

38/48

Frame-Based Exception Handlers

Every thread in a Win32 process has at least one frame-based exception handler
A list of EXCEPTION_REGISTRATION structures can be found in the process's Thread Environment Block at FS:[0]
Overwrite the exception handler with an address which will pop reg / pop reg / ret

39/48

Determining a valid handler

Handler cannot exist on the stack (determined by TEB FS:[4] and FS:[8])
Checked against loaded modules
If the address exists outside of the bounds of these addresses it is OK to call?
If the address exists inside these it is checked against registered handlers
Checks a value in the PE header; if it is set to 0x04 then the module is not allowed
Finally checks for a Load Configuration Directory; if missing, the function returns 0, no other checks are done and the handler is executed

40/48

Exploiting Frame-Based Exception Handling (Windows 2003 Server)

Methods:
Exploit an existing handler that we can manipulate to get us back into our buffer
Find a block of code at an address not associated with a module that will get us back to our buffer
Find a block of code in the address space of a module that does not have a Load Configuration Directory

41/48

Exploiting an Existing Handler

NTDLL contains several registered exception handlers
Only works the first time since sensitive data is in predictable places

77F45A3F mov ebx, dword ptr [ebp+0Ch]
..
77F45A61 mov esi, dword ptr [ebx+0Ch]
77F45A64 mov edi, dword ptr [ebx+8]
..
77F45A75 lea ecx, [esi+esi*2]
77F45A78 mov eax, dword ptr [edi+ecx*4+4]
..
77F45A64 call eax

42/48

Finding and exploiting a block of code not associated with a module

Windows 2003 Server Enterprise edition contains such an address at 0x7FFC0AC5 (pop pop ret)
Not usable since Standard edition does not have the same issue
However we can use the address of our EXCEPTION_REGISTRATION struct in the form of a call or jump esp+somevalue

43/48

Stack Protection and Windows 2003 Server

Security cookies: authoritative copy stored in the .data segment
/GS compiler flag: reorders parameters; places overflowable buffers close to canary values

44/48

Heap Based Buffer Overflows

Handle to the Win32 heap through GetProcessHeap() and through the PEB
HeapAllocate: Win32 version of brk and brk
Every heap starts with a struct and contains pointers to the previous and next blocks (similar to malloc)
Use exception handlers to overwrite functions such as RtlAcquirePebLock() and RtlReleasePebLock() (not usable in Win2k3 Server)

45/48

Heap Overflow Fun

The PEB in a process is fixed across all WinNT versions
Step 1: Overflow the heap to overwrite the PEB + 4 (return address)
Step 2: Allow the program to segfault and terminate
Step 3: Sit back and watch ExitProcess run your code for you
Make sure to set the pointer back, or something else could kill your process if it's used elsewhere in the code

46/48

Vectored Handlers

Similar in structure to frame based exception handlers
Stored on the heap instead of the stack
Executed before frame based handlers

47/48

48/48

Other Aspects of Heap-Based Overflows

COM objects and the heap: COM objects, when instantiated, are placed on the heap
A vtable is created to store function pointers for an object, and the object is stored above it in the address space
If you overflow an object you can possibly overwrite the vtable of the object above you and redirect code execution
Overflowing program control data: we don't always want to execute arbitrary code; sometimes we just want to change data on the heap that controls the execution flow
Ex. Making a directory exposed by a web server writable so anyone can write to it