Bad news for SRP/AppLocker


Bad news for SRP/AppLocker

Post by apoptosis on 23/1/2011, 07:37

http://www.wilderssecurity.com/showthread.php?t=291467

Edit: Thanks for the reminder, Paul.


Last edited by apoptosis on 23/1/2011, 13:37; edited 2 times in total


Re: Bad news for SRP/AppLocker

Post by p2u on 23/1/2011, 12:02

Didier Stevens wrote: 16 is the value of flag LOAD_IGNORE_CODE_AUTHZ_LEVEL.

Thanks to a feature Microsoft included by design, I can circumvent SRP and load my DLL.
As if the folder exemptions [where those who are supposed to be restricted can write and execute forbidden executables] weren't enough, we still have this backdoor. What's next? You may call me paranoid, but my guess is that for every "security" mechanism MS builds in, at least 5-10 intended bypass mechanisms exist.

@ apoptosis:

It's best to always strip off the session id from links you give, like this:
Code:
http://www.wilderssecurity.com/showthread.php?t=291467 (without the "s=xxx&" part)
especially if you are registered there. Not all "security" boards have good protection in place and someone may hijack your session by clicking on a link with a sid.

Paul


Re: Bad news for SRP/AppLocker

Post by ssj100 on 23/1/2011, 13:44

Hopefully there'll be a POC to test some time in the future, although I'm finding it less and less interesting - there was already a "bypass" mechanism for SRP/AppLocker released publicly in 2008. Another publicly released method of "bypassing" SRP/AppLocker isn't going to make much difference from the point of view of home users implementing its protection.

Anyway, I'm struggling to understand exactly what needs to happen in order for the DLL to load. Clearly, new code needs to get on to the (REAL) system somehow and then needs to run/execute. It sounds like (aside from taking advantage of specific exploits at the right time) it still requires eg. Macros to be enabled in Microsoft Excel?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Bad news for SRP/AppLocker

Post by p2u on 23/1/2011, 14:22

ssj100 wrote: Anyway, I'm struggling to understand exactly what needs to happen in order for the DLL to load. Clearly, new code needs to get on to the (REAL) system somehow and then needs to run/execute. It sounds like (aside from taking advantage of specific exploits at the right time) it still requires e.g. Macros to be enabled in Microsoft Excel?
LoadLibraryEx Function
Since Didier Stevens is a VBA specialist, his bypass will work with VBA macros, but I think ANY type of file could contain such instructions. This value seems to have been specifically designed for use in setup programs that must run extracted DLLs during installation (SRP is not supposed to interfere with that), but can, of course, like anything else, be used for other purposes...

Paul


Re: Bad news for SRP/AppLocker

Post by ssj100 on 23/1/2011, 14:26

Nice, this might be quite interesting after all haha. Hopefully Didier or someone else will release a working POC that doesn't involve Macros etc.


Re: Bad news for SRP/AppLocker

Post by p2u on 23/1/2011, 14:59

ssj100 wrote: Nice, this might be quite interesting after all haha.
Especially Microsoft's instructions for programmers are quite funny in this respect...
MS wrote: Do NOT use the SearchPath function to retrieve a path to a DLL for a subsequent LoadLibraryEx call. The SearchPath function uses a different search order than LoadLibraryEx and it DOES NOT USE SAFE PROCESS SEARCH MODE unless this is explicitly enabled by calling SetSearchPathMode with BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE. Therefore, SearchPath is likely to first search the user's current working directory for the specified DLL. If an attacker has copied a malicious version of a DLL into the current working directory, the path retrieved by SearchPath will point to the malicious DLL, which LoadLibraryEx will then load.
It goes without saying that if you do exactly what MS warns against, you make it very easy for hackers to launch a successful and effective attack, because most programmers program for convenience and not with security in mind, and don't even bother reading the documentation. Actually, MS itself breaks its own rules regularly. That's what Didier proves time and again. Add to that that the "Current Directory" may be located in ANY dark territory in the world and that the Web Client service is on by default, and you have a beautiful scheme for terror. Nobody might even notice. I mean: how did they get Stuxnet in? Seems like an impossible feat, but when you come to think of it, it's actually quite easy if you know how the system works...

Paul

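To make the ordering point in the Microsoft note above concrete, here is a portable model of the two search orders it contrasts: the legacy order SearchPath uses (current directory searched second) and the safe order enabled by BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE (current directory searched after the Windows directory). This is an added example, not code from the post or from Microsoft; it does not call the Win32 API but resolves names against a constructed in-memory file table, and the directory paths and DLL names are constructed.

```c
/* Model of Windows DLL name resolution under the legacy and the safe search
 * order. Constructed example: no real file system access, no Win32 calls. */
#include <stdio.h>
#include <string.h>

enum { APP_DIR, CUR_DIR, SYS_DIR, SYS16_DIR, WIN_DIR, PATH_DIR, DIR_COUNT };

/* Constructed directory paths, one per search-order slot. */
static const char *const dir_path[DIR_COUNT] = {
    "C:\\Program Files\\App",   /* directory the application loaded from */
    "\\\\remote\\share\\docs",  /* current working directory, e.g. a WebDAV share */
    "C:\\Windows\\System32",    /* system directory */
    "C:\\Windows\\System",      /* 16-bit system directory */
    "C:\\Windows",              /* Windows directory */
    "C:\\Tools",                /* one directory taken from PATH */
};

/* Legacy SearchPath order: the current directory is searched second. */
static const int legacy_order[DIR_COUNT] =
    { APP_DIR, CUR_DIR, SYS_DIR, SYS16_DIR, WIN_DIR, PATH_DIR };
/* Safe process search mode: the current directory moves behind the Windows directory. */
static const int safe_order[DIR_COUNT] =
    { APP_DIR, SYS_DIR, SYS16_DIR, WIN_DIR, CUR_DIR, PATH_DIR };

/* Constructed file table: which DLL names are present in which directory. */
struct fs_entry { int dir; const char *name; };
static const struct fs_entry fs[] = {
    { SYS_DIR, "version.dll" },  /* the genuine system DLL */
    { CUR_DIR, "version.dll" },  /* a planted copy sharing the system DLL's name */
    { CUR_DIR, "helper.dll" },   /* a name that exists nowhere else */
    { APP_DIR, "app.dll" },
};

static int dir_has(int dir, const char *name) {
    for (size_t i = 0; i < sizeof fs / sizeof fs[0]; i++)
        if (fs[i].dir == dir && strcmp(fs[i].name, name) == 0) return 1;
    return 0;
}

/* Walk the given order and return the index of the first directory that holds
 * the name, or -1 when no directory does. */
static int resolve(const int *order, const char *name) {
    for (int i = 0; i < DIR_COUNT; i++)
        if (dir_has(order[i], name)) return order[i];
    return -1;
}

int resolve_legacy(const char *name) { return resolve(legacy_order, name); }
int resolve_safe(const char *name)   { return resolve(safe_order, name); }

int main(void) {
    const char *names[] = { "version.dll", "helper.dll", "app.dll", "missing.dll" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int l = resolve_legacy(names[i]), s = resolve_safe(names[i]);
        printf("%-12s legacy -> %s\n", names[i], l < 0 ? "(not found)" : dir_path[l]);
        printf("%-12s safe   -> %s\n", names[i], s < 0 ? "(not found)" : dir_path[s]);
    }
    return 0;
}
```

Safe search mode only helps when a legitimate copy sits earlier in the order: the planted version.dll loses to System32, but helper.dll, which exists only in the current directory, is still resolved from there under both orders, so an application that loads a DLL it does not ship with needs a full path rather than a search.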

Re: Bad news for SRP/AppLocker

Post by Sadeghi85 on 25/1/2011, 01:12

http://www.wilderssecurity.com/showthread.php?p=1817695


Re: Bad news for SRP/AppLocker

Post by apoptosis on 25/1/2011, 03:20

Considering how trivial SRP bypass now seems, one wonders why it took 10 years to surface.


Re: Bad news for SRP/AppLocker

Post by ssj100 on 25/1/2011, 08:29

That's a good point. But I suspect the reason is similar to why we don't see in-the-wild malware making use of this bypass.

For me personally, these documented bypasses don't affect me at all. "LUA + SRP" are effectively windows tweaks and it's not like I'm paying for them - they already came built into my system! Even if 99% of malware can bypass it, I would still keep using it for the extra 1% protection, as it doesn't cause any slow-down or conflicts.

However, as it stands now (and seemingly for the last 10 years), we have not seen malware in-the-wild bypass SRP. So until we do, it's nothing to get worried about, especially from the home user's point of view. And of course, if you're relatively paranoid, you can always add something like Sandboxie! When used correctly and to its potential, I suspect even the most extreme of security purists would be pleased haha.


Re: Bad news for SRP/AppLocker

Post by ssj100 on 25/1/2011, 09:45

By the way, just a few musings (arguably off topic) in response to some posters in that Wilders thread:

http://www.wilderssecurity.com/showpost.php?p=1817814&postcount=13
Sandboxie been 'bypassed' too in the past although I'm not so sure what it was. It has been patched though.
Which security software has never been bypassed? Also, how many times has Sandboxie been (publicly) genuinely bypassed in the last 2 years that required specific patching? Compare this number (I think it's something like one haha) to any other third party security software - it will be more. Also, these Sandboxie "bypasses" often required very specific user configurations to be in place.
And then, there's issues where Sandboxie did not work for some reason... sometimes conflict with other security software (Comodo, SpyShelter, PC Tools Firewall, etc.; check the forums), system setup (a previous build conflicted with SRP) or unexpected circumstances like this...

E.g. 16-bit installer runs outside of sandbox
And whose fault is it that you're running more security software than you really "need"? Anyway, which security software has never had conflicts? Regardless, tzuk is quick to patch most of these conflicts. All programs will have "bugs", and with each new version, the potential for more bugs is always renewed. This certainly does not just apply to security software.

And by the way, neither myself, nor respected members like "nick s" ever confirmed that the "16-bit installer" ran outside the sandbox:
http://www.sandboxie.com/phpbb/viewtopic.php?p=47085#47085
Not to mention that Sandboxie has design flaws. Sandboxie doesn't do anything to protect you once you recover something out of the sandbox.
That's not a design flaw at all - it's a feature haha. And I still find it galling that these security conscious people who like Sandboxie appear not to understand the ease and flexibility of using a sandboxed "explorer.exe" - I've even posted a video (or two!) about this.

http://www.wilderssecurity.com/showpost.php?p=1817852&postcount=15
As mentioned, what is in the sandbox is fine, but at some point you must let things out of the sandbox.

Once they are out of the sandbox, all bets are off.
What's wrong with letting things out of the sandbox? It's not like they will execute by themselves. As I've demonstrated in a video, you can even safely recover a file and still browse and open it sandboxed, thus also containing malware that executes without having to open the file.


Re: Bad news for SRP/AppLocker

Post by p2u on 25/1/2011, 10:50

apoptosis wrote: one wonders why it took 10 years to surface.
I don't think it took that long. On the one hand, for those who want to plant in State backdoors, this has been known from the very beginning; I'm quite sure that MS delivers its creations with clear instructions for the forensics guys. On the other hand, for the Underground it is just not economically feasible yet to build in SRP bypass functionality in their malware while the majority of Windows users live without SRP.

Paul


Re: Bad news for SRP/AppLocker

Post by ssj100 on 25/1/2011, 13:07

http://www.wilderssecurity.com/showpost.php?p=1817955&postcount=19
Yes, true, you can do that. But at some point, you surely must admit that you want to commit something "new" to your system, so that it resides (if wanted) in all sandboxes, in any situation. I know I do. If I have found a few new "tools" to use, I want to install them to the real system and have them in my latest image. This is where you must now "know" the said "new thing" is to be trusted.
Not sure what this has to do with Sandboxie, LUA/SRP/AppLocker or any other external security mechanism. If you're wanting to install something on your REAL system, you can only hope that it's not malicious. Nothing can save you from directly and intentionally installing malicious code (presumably with Administrator rights). One can reduce the probability of this occurring by using the stuff between one's ears. Always best to do byte for byte image back-ups before installing any "new" software anyway.


Re: Bad news for SRP/AppLocker

Post by p2u on 25/1/2011, 13:19

ssj100 wrote: http://www.wilderssecurity.com/showpost.php?p=1817955&postcount=19
Yes, true, you can do that. But at some point, you surely must admit that you want to commit something "new" to your system, so that it resides (if wanted) in all sandboxes, in any situation. I know I do. If I have found a few new "tools" to use, I want to install them to the real system and have them in my latest image. This is where you must now "know" the said "new thing" is to be trusted.
Not really an argument at all. General safe-hex rules will protect you from such non-threats. I have never used a sandbox and I'm alive and well. Either you know what you launch or you don't launch it. As a matter of fact, if it's unknown, you make sure that it doesn't get onto your computer at all. That's it. On-line drive-by mechanisms can be easily blocked with simple measures.

Paul


Re: Bad news for SRP/AppLocker

Post by ssj100 on 25/1/2011, 13:29

p2u wrote: I have never used a sandbox and I'm alive and well.
Haha, yes well, I'm sure even if you didn't use any "tweaks" at all, you would still be alive and well. I've personally never come across any malware unexpectedly.
p2u wrote: Either you know what you launch or you don't launch it. As a matter of fact, if it's unknown, you make sure that it doesn't get onto your computer at all.
The problem with this is that it's hard to know what's "known" and what's "unknown" or what's "safe" and "unsafe". If a friend sends me an attachment in an e-mail, is that "known" or "unknown"? Hence the reason for using a sandbox to open it. There are many other examples, including downloading and opening documents from less known or dodgy sites, or plugging in a "friend's" USB drive to browse, copy and open files etc. It's all about what you want to do (or what is required of you). The most secure computer user is the one who never turns on his/her computer haha.


Re: Bad news for SRP/AppLocker

Post by p2u on 25/1/2011, 14:08

ssj100 wrote: The problem with this is that it's hard to know what's "known" and what's "unknown" or what's "safe" and "unsafe".
Download source? Virustotal? Hash checking? Comments and reactions of professional people you know you can trust?

ssj100 wrote: If a friend sends me an attachment in an e-mail, is that "known" or "unknown"? Hence the reason for using a sandbox to open it.
I don't know about your friends, but my friends know my policy: I will NEVER open an attachment if they haven't warned me in advance [as a rule on the phone] that they were planning to send me one.

ssj100 wrote: downloading and opening documents from less known or dodgy sites
It is safe-hex NOT to do that, unless you want to test something (such as how good Sandboxie is). Unless I get the link from professional friends (from the GRC discussion group, for example), I won't open anything unknown.

ssj100 wrote: or plugging in a "friend's" USB drive to browse, copy and open files etc.
Nobody can plug in anything on my system unless he/she knows the admin password. Autorun and autoplay are safely disabled. Besides, I can't remember when I last performed such an action. Probably never.
P.S.: I'm not arguing against Sandboxie or virtualization; those are good for testing if you like that. Personally, I'm bored with such tests and prefer to sharpen my mind, not relying on technology too much. I'm pretty confident that if a hacker doesn't get physical access to my machine, he won't be able to get in.

Paul


Re: Bad news for SRP/AppLocker

Post by ssj100 on 25/1/2011, 14:14

Just a quick note to say that you make valid points, but appear to have missed some that I made (the most important being that I wasn't really addressing you haha). Not everyone will have "friends" like yours, and many/most people will frequently open files from dodgy/unknown sources or browse, copy and open files from dodgy/unknown USB drives. It's just how it goes. Some people's jobs require that they do such things. Students need to do this a lot. Also, how can you know that ALL your friends and relatives, your wife, your kids etc will send you a "safe" e-mail attachment? They may have good intentions, but they may be unaware that they have been infected or that the file they sent contains malicious code. Not everyone is as security conscious as you might be. And not everyone has the freedom or mind-set to ONLY open files from absolutely known/trusted sources. In fact, you're probably the only one I "personally" know of haha.

Your security setup/approach works for you, but I doubt it would be convenient/accepted for 99.99% of people out there. Sully's posts were heavily laden with what to recommend to others. He even said that Sandboxie was fairly easily understood. I suppose with Sandboxie, you get the luxury of being more "free" with what you can do (while keeping security levels relatively high) and it appears to be more widely accepted than e.g. not visiting that "dodgy site" or never plugging in a "customer's", "friend's", or "family member's" USB drive. That's what I (and many others) find.

And again, as you have once more emphasised, using the stuff between our ears is probably the best security mechanism of them all.

EDIT: by the way, I know I started it here haha, but it would be great if we instead used this thread for similar exchanges:
http://ssj100.fullsubject.com/t6-discuss-security-setups-and-approaches-here
For some reason, no one wants to use that thread!


Re: Bad news for SRP/AppLocker

Post by p2u on 25/1/2011, 15:02

I'll repeat it: Sandboxie *is* good. And SRP is good. And LUA is good. Another benefit is that, for the time being, they are not standard. Actually, I think that on hacker-forums they will only look into trying to bypass those solutions if you make it attractive enough and pay really good money. I mean: force EVERYBODY with a governmental order to use them and you'll see real-world bypasses appear like cockroaches.
For me one thing is clear: You cannot rely on technology to protect you, but shutting yourself off from the Internet completely is not the ultimate solution. And you cannot rely on yourself or on others to always do everything right. But the nightmare scenarios marketing people make up are just what they are: marketing. It will probably never happen.
P.S.: For children there is the in-built Parental Controls feature by the way (Vista and Win7). You can agree with them on a white list of sites to visit and everything else will be blocked. Actually, I'm now testing this solution on myself to see what the degree of frustration is. For the time being, I like it a lot...

Paul


Re: Bad news for SRP/AppLocker

Post by ssj100 on 25/1/2011, 15:09

Well mate, it's easy to say anything is possible. Until we see such real-world bypasses, we won't know for sure. Regardless, security through obscurity is a great thing isn't it? But yes, it'd be silly to completely "rely" on technology. However, technology can help us to be very secure while maintaining some semblance of convenience.

Good luck "controlling" kids as they get older haha. Jokes aside, does the Parental Controls feature have the same issue of being "bypassed" as SRP/AppLocker?


Re: Bad news for SRP/AppLocker

Post by p2u on 25/1/2011, 15:34

ssj100 wrote: Good luck "controlling" kids as they get older haha.
Yeah. Besides, they can always boot from a Live-CD, right?
ssj100 wrote: Jokes aside, does the Parental Controls feature have the same issue of being "bypassed" as SRP/AppLocker?
Yes, it does. Microsoft's sites are exempted, of course, and it doesn't seem to block https, at least in Firefox. Maybe this has to do with the signature trouble in Firefox, I don't know. Parental Controls is probably out as far as I'm concerned. If I make Google "white", then the kids can go to "black" sites through Google's cache.
The only interesting feature in Parental Controls is the "Block file downloads" feature. For example: they may go anywhere, but file download is not allowed. I'll see how that works. Hope it only applies to executables, and not to all file types (would be too much of a hassle). If that's the case, then I'll see if exceptions can be configured per site.
P.S.: I'm now thinking of testing Proxomitron and Privoxy (both are free). Besides offering NoScript/Adblock Plus functionality, they also provide the possibility of whitelisting sites system-wide for all browsers. Another possibility would be to set the whitelist in the firewall, but I'm sure that will cause some kind of buffer overflow if the list of allowed sites gets too big...

Paul


Re: Bad news for SRP/AppLocker

Post by p2u on 25/1/2011, 19:02

p2u wrote: The only interesting feature in Parental Controls is the "Block file downloads" feature. For example: they may go anywhere, but file download is not allowed. I'll see how that works. Hope it only applies to executables, and not to all file types (would be too much of a hassle). If that's the case, then I'll see if exceptions can be configured per site.
Tested. That's not an option:
1) Letting Parental Controls monitor Internet traffic slows my Firefox down to a halt (Vista);
2) All file type downloads are prohibited; couldn't find a way to exclude anything. This may easily widen the generation gap and even lead to divorce.

Paul


Re: Bad news for SRP/AppLocker

Post by wat0114 on 27/1/2011, 07:33

p2u wrote:
I don't know about your friends, but my friends know my policy: I will NEVER open an attachment if they haven't warned me in advance [as a rule on the phone] that they were planning to send me one.

Good, old-fashioned picking up the telephone and calling to confirm. This is an excellent way to confirm the integrity of an attachment!

BTW, ssj, I like your above responses on the Sandboxie quotes doubting its effectiveness against malware.

Oh, and apparently Sandboxing fails according to this post: -http://www.wilderssecurity.com/showpost.php?p=1818903&postcount=2 I thought you confirmed Sandboxie will contain this type of exploit. Is it true, ssj? Thanks!


Re: Bad news for SRP/AppLocker

Post by ssj100 on 27/1/2011, 08:28

wat0114 wrote: Oh, and apparently Sandboxing fails according to this post: -http://www.wilderssecurity.com/showpost.php?p=1818903&postcount=2 I thought you confirmed Sandboxie will contain this type of exploit. Is it true, ssj? Thanks!
That link doesn't work for me. But I think I know what you're talking about. Basically you've mis-interpreted his comments. Sandboxie does contain such malware, but it would (probably) fail against targeted kernel level exploits (as per tzuk). But then tzuk also says that no security software would be able to protect against this anyway.


Re: Bad news for SRP/AppLocker

Post by wat0114 on 27/1/2011, 08:42

No wonder, the post is removed. I don't feel I misinterpreted his comments, as I seem to remember the direct implication was it fails, when it's not completely the case. If Sandboxing contains it, then it seems to be doing its job.


Re: Bad news for SRP/AppLocker

Post by ssj100 on 27/1/2011, 08:56

From memory, his sentences were quite "busy" and quite easy to mis-interpret. I think he was saying that if malware executed in memory and somehow subsequently used a kernel level exploit to propagate itself, then even Sandboxie would be bypassed.


Re: Bad news for SRP/AppLocker

Post by wat0114 on 27/1/2011, 09:06

ssj100 wrote: I think he was saying that if malware executed in memory and somehow subsequently used a kernel level exploit to propagate itself, then even Sandboxie would be bypassed.

Okay, assuming it's what was said, then doesn't this mean the malware would have to have been executed outside the sandbox, in which case how can one expect the sandbox to do its job? Is this not true or am I missing something obvious?

