Bad news for SRP/AppLocker


Re: Bad news for SRP/AppLocker

Post by ssj100 on 27/1/2011, 09:08

Have a read here:
http://www.sandboxie.com/phpbb/viewtopic.php?p=53604#53604
Far less frequently, there are buffer overflow exploits in kernel mode code, that is in Windows core, or maybe some third party driver. This is very different from simple buffer overflow exploits in that no security software can really do anything about this.
I'm not a hacker, and I don't think tzuk is either. It's mostly speculation I think, but it's probably not quite in the realm of fantasy.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Bad news for SRP/AppLocker

Post by wat0114 on 27/1/2011, 09:27

Okay, thank you for that. I was looking in the SB forum for a discussion but couldn't find it. It's interesting where Tzuk states:
Clearly every additional piece of software that you introduce to your system adds more security risks.
MS has a beta application that tests for these types of third-party-introduced vulnerabilities.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e068c224-9d6d-4bf4-aab8-f7352a5e7d45


Re: Bad news for SRP/AppLocker

Post by ssj100 on 27/1/2011, 09:31

Yes, I've read about that MS application. Would be nice to see what people think of that.

And yes, I personally try to minimise the amount of third-party software I install on my system (not just security software).


Re: Bad news for SRP/AppLocker

Post by RichieB on 2/2/2011, 13:50

There is now a POC using VBA that works for loading executables that have been forbidden by AppLocker/SRP.


Re: Bad news for SRP/AppLocker

Post by ssj100 on 2/2/2011, 13:54

Any chance you could provide clear step by step instructions to reproduce the bypass with that POC? I tried to use it a few days ago but gave up quickly haha. Step by step instructions would be great.


Re: Bad news for SRP/AppLocker

Post by RichieB on 2/2/2011, 15:23

1) In an MS Word document, type the path to an executable that is not allowed by SRP/AppLocker. For example: C:\test.exe
2) Select the text you just typed; in this example, select "C:\test.exe" without the newline
3) Press Alt+F11 (brings up the VBA editor)
4) Right-click "Normal" -> Insert -> Module
5) Paste the content of runexe.txt into the new module
6) Place the cursor inside Sub RunExe()
7) Press F5 (runs the macro)


Re: Bad news for SRP/AppLocker

Post by ssj100 on 2/2/2011, 15:36

Thanks a lot for that. Good work. Would be great if this could be applied to other scenarios (not just Macros). Cheers.


Last edited by ssj100 on 2/2/2011, 15:38; edited 1 time in total


Re: Bad news for SRP/AppLocker

Post by Ruhe on 2/2/2011, 15:38

Thanks for this howto. Easy if you know how to do it.

Re: Bad news for SRP/AppLocker

Post by ssj100 on 2/2/2011, 15:43

I wonder if it's possible for this POC to be applied to software vulnerabilities? For example, it would be interesting if someone could code this POC into the latest VLC Media Player vulnerability?

I wonder if this POC bypasses UAC?


Re: Bad news for SRP/AppLocker

Post by RichieB on 2/2/2011, 17:08

The test.exe will be started with normal user rights. UAC is never triggered (nor bypassed).


Re: Bad news for SRP/AppLocker

Post by Stephen2 on 4/2/2011, 14:31

Oops... Just read the first few posts and coded up the exploit using VB. Confirmed it works!

Not really being "hacker" minded, I don't know what to do next to create a real POC, as the one I coded relies on having an EXE installed on your system.

Then, running it as a limited user from an AppLocker-allowed directory, the exploit is confirmed because it can load my DLL from a non-allowed directory...

Anyone want to tell me what to code up next? We can try and make a cool POC...

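Two posts above test the policy from inside an allowed process: RichieB's seven-step macro procedure starts test.exe from Word, and Stephen2's variant loads a DLL from a non-allowed directory. Before calling either result a bypass, a practitioner would want to know what the effective AppLocker policy actually enforces: the DLL rule collection is not enforced unless it has been explicitly enabled (it is off by default), a collection set to AuditOnly logs and still lets the file run, and an Allow path rule rooted in a user-writable location defeats the whitelist without any macro at all. The script below is an added example, not code from this thread or from any poster. It assumes the policy was exported with the real cmdlet `Get-AppLockerPolicy -Effective -Xml`; the two policies embedded in it are constructed samples, not anyone's real configuration.

```python
"""Audit an exported AppLocker policy for the gaps this thread exercises.

Added example, not code from the thread. Assumes the input was produced by
    Get-AppLockerPolicy -Effective -Xml > policy.xml
The two embedded policies are constructed samples.
"""
import sys
import xml.etree.ElementTree as ET

# Rule collections AppLocker has had since Windows 7. A collection absent from
# the XML, or present with EnforcementMode="NotConfigured", is not enforced at
# all; "AuditOnly" writes an event but still lets the file run.
COLLECTIONS = ("Exe", "Dll", "Script", "Msi")

# Prefixes, in AppLocker's own path-variable syntax, that a standard user can
# write to. An Allow rule rooted here lets the user drop and run anything.
USER_WRITABLE_PREFIXES = ("%OSDRIVE%\\USERS\\", "%REMOVABLE%")


def is_user_writable(path):
    """True if an AppLocker path pattern covers a user-writable location."""
    p = path.strip().upper()
    return p == "*" or p.startswith(USER_WRITABLE_PREFIXES)


def audit_policy(xml_text):
    """Return findings as dicts; an empty list means no gap was found."""
    root = ET.fromstring(xml_text)
    findings = []
    modes = {rc.get("Type"): rc.get("EnforcementMode", "NotConfigured")
             for rc in root.findall("RuleCollection")}
    for coll in COLLECTIONS:
        mode = modes.get(coll, "NotConfigured")
        if mode != "Enabled":
            findings.append({"kind": "collection", "collection": coll, "mode": mode})
    for rc in root.findall("RuleCollection"):
        for rule in rc.findall("FilePathRule"):
            conds = rule.find("Conditions")
            if rule.get("Action") != "Allow" or conds is None:
                continue
            for cond in conds.iter("FilePathCondition"):
                if is_user_writable(cond.get("Path", "")):
                    findings.append({"kind": "path", "collection": rc.get("Type"),
                                     "rule": rule.get("Name"), "path": cond.get("Path")})
    return findings


# Constructed sample 1: Exe rules enforced, Dll rules never turned on (the
# default), Script only auditing, Msi missing, and one Allow rule covering the
# whole user-profile tree. Rule Ids are placeholders.
WEAK_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Windows"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="User profiles"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
</AppLockerPolicy>"""

# Constructed sample 2: every collection enforced, Allow rules only on a
# location a standard user cannot write to.
HARDENED_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000011" Name="Program Files"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000012" Name="Program Files"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled" />
  <RuleCollection Type="Msi" EnforcementMode="Enabled" />
</AppLockerPolicy>"""


if __name__ == "__main__":
    # Read as bytes so an exported file's own encoding declaration is honoured.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAK_POLICY
    for f in audit_policy(text):
        if f["kind"] == "collection":
            print(f"[{f['collection']}] collection is {f['mode']}: not enforced")
        else:
            print(f"[{f['collection']}] rule '{f['rule']}' allows user-writable path {f['path']}")
```

Run it with no argument to see the findings for the weak sample, or point it at a real export. If the Dll collection comes back NotConfigured, an allowed process loading a DLL from a non-allowed directory is the policy working as configured, not an AppLocker bypass; the macro case is the interesting one precisely because winword.exe is already an allowed image, so the Exe rules never see a new process they could refuse.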
