Comments on: Limitations of Software Restriction Policies https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html Just another WordPress site Mon, 29 Mar 2010 15:19:20 +0000 hourly 1 https://wordpress.org/?v=6.7.1 By: Cd-MaN https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-163 Mon, 29 Mar 2010 15:19:20 +0000 https://grey-panther.net/?p=618#comment-163 @Anonymous: yes, SRP definitely covers WinExec (if my memory serves right, WinExec and ShellExecute are both in fact wrappers around CreateProcess). So yes, SRP will filter WinExec.

BTW, next time you leave a comment, you might consider logging in, since the URL you specify for your username will be linked from my blog without nofollow (ie. with "follow").

Regards.

]]>
By: Anonymous https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-165 Mon, 29 Mar 2010 15:16:40 +0000 https://grey-panther.net/?p=618#comment-165 Random thought here: SAFER/SRP monitors ShellExecute and CreateProcess. But what about WinExec? Some shellcodes use WinExec instead of ShellExecute or CreateProcess. Will SRP see processes that are started using WinExec which is a legacy function from before WinXPdays? Will SRP block execution with WinExec? Thx

]]>
By: Anonymous https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-357 Thu, 09 Jul 2009 18:44:20 +0000 https://grey-panther.net/?p=618#comment-357 Thanks for the tip! I don't write a blog of my own though, I prefer to read blogs written by people who are smarter than me and learn from them. =)

]]>
By: Cd-MaN https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-358 Thu, 09 Jul 2009 14:55:06 +0000 https://grey-panther.net/?p=618#comment-358 @Anonymous: thank you for sticking around for the discussion. One note: if you specify a name/url when posting the comment, you will get a free link from my blog to the given site, since I removed the "nofollow" attributes from the comment name links (but I moderate comments to keep off spam).

(And if I find the linked blog interesting – supposing that it is a blog – I will most probably subscribe to it :-))

]]>
By: Anonymous https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-359 Wed, 08 Jul 2009 11:16:39 +0000 https://grey-panther.net/?p=618#comment-359 Yes, vigilance or awareness or whatever we choose to call it is the key. Keeping eyes open. That's why I read blogs like yours. 😉 Before the gpdisable demo by Russinovich, and then later what I found in this blog and in Didier Stevens' blog, I had never seen any actual software to bypass SRP. I knew it had some methods to bypass it, like setting the trustlevel to unrestricted with runas.exe, but I had never seen anyone actually do anything with those methods or develop more advanced methods. So this is interesting stuff!

Even after these new discoveries about bypassing SRP though, I don't think anyone has ever publicly reported seeing SRP-bypassing malware in the wild, even malware only used in targeted attacks. I've never seen any malware that makes even an attempt to bypass SRP. The few targeted attacks I have seen had no method to bypass SRP. Most were just attempts to exploit new Adobe Reader vulnerabilities by sending personalized and very legit looking email with a PDF attachment to people in the company that deal with PDF files all the time. So I think I'll agree with you that SRP still provides pretty good protection agains malware. =)

]]>
By: Cd-MaN https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-360 Wed, 08 Jul 2009 06:43:37 +0000 https://grey-panther.net/?p=618#comment-360 I certainly see the value in trying to be as secure as possible. In fact, using SRP by itself, without additional hardening measures, would keep 99.99% of all currently existing malware off the system (because they are not created to deal with SRP).

My point is that it still can be bypassed, and one needs to be vigilant at all times if one wants to maintain security.

]]>
By: Anonymous https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-361 Tue, 07 Jul 2009 19:11:27 +0000 https://grey-panther.net/?p=618#comment-361 Yes, it is a shame that limited users can bypass SRP with some methods. But I believe in trying to make that as hard as possible for those that would try it. 😉

For example, it would not be difficult to confirm if you have macro-capable software or PowerShell installed on systems, and then take actions to limit exposure IOW disable that stuff if at all possible.

Vulnerabilities are a more difficult case, but keeping up with the patches often helps, as the real zero-days are a minority. Many attacks attempt to exploit vulnerabilities that have had a patch out for a long while.

I really do wish that M$ can take SRP into the kernel in the future, so bypassing it can be made more difficult.

Re. the executable code, a lot of stuff is executable, but that goes for Linux too. From window managers to Adobe Flash or Open Office many Linux apps have arbitrary code exec vulnerabilities that could be exploited to execute stuff that some wouldn't realize was executable in the first place. I don't know of any OS that can avoid stuff like that.

Great analysis and blog though. =) Interesting reading. Keep up the good work!

]]>
By: Cd-MaN https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-362 Tue, 07 Jul 2009 15:30:27 +0000 https://grey-panther.net/?p=618#comment-362 @Anonymous:

the main point is that any kind of executable code of any privilege level (ie. even limited user) can bypass the SRP. As for limiting the possible exploitation paths – they are quite a few (and these are only the ones which come to mind):

– other applications might have macro capabilities installed which don't have an option to disable it or the option isn't set (relying on non-default settings being set is not a very good method). Example: OpenOffice, CorelDraw, etc

– the same patching is most likely possible from PowerShell (which nowadays gets installed by Windows Update)

– there are a lot of exploits in widely-used third-party products (like Flash, Acrobat Reader, etc) which result in arbitrary code execution

– just these days a new arbitrary code execution vulnerability for some MS ActiveX component has been disclosed

(You might also want to check out my post What is an executable file anyway?)

My point is: there are numerous ways to get executable code on your system, and it is very hard to guarantee that none of those apply to your environment (unless you run Linux :-p).

]]>
By: Anonymous https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-368 Sun, 05 Jul 2009 16:01:45 +0000 https://grey-panther.net/?p=618#comment-368 Interesting stuff! Shame that I found this blogpost only so long after it was made…

About these bypassing techniques, though…

The runas method is obviously very easy to prevent by blocking runas.exe in the policy by hash & path.

The method of using Office macros to load a DLL or directly edit the Excel process is also easy to prevent by setting macro security to high.

How about the other methods, though?

Alternative bypass 1, or in-process patching of the SRP check routine? How would one perform in-process patching? Wouldn't you first have to execute code through scripting like Office macros, for example, which is easy to prevent, or by exploiting a bug that allows you to run arbitrary code?

How would one be able to use Alternative bypass 2 or NTCreateProcess to bypass SRP? Wouldn't that require that you could first execute some code and then use that code to NTCreateProcess what you wanted? And wouldn't the initial code execution be preventable, either by SRP or by script language security settings such as the Office macro security settings?

Point is, aren't these methods of attacking SRP rather extremely limited, in that they are mostly preventable?

]]>
By: Anonymous https://grey-panther.net/2008/10/limitations-of-software-restriction-policies.html#comment-639 Thu, 30 Oct 2008 15:04:46 +0000 https://grey-panther.net/?p=618#comment-639 Very nice, patching machine code from VBA! Has anybody ever coded a disassembler/assembler in VBScript? 😉 This way, we could make our VBA code less DLL-version dependent.

And you're absolutely right: I've said it before, and maybe I should stress this more, but it's not because there is a way to bypass a protection mechanism, that said protection mechanism becomes useless.
GPOs & SRPs are still very useful, certainly from preventing extra helpd-esk support for users who continually "tune" their configuration.

IMHO, these techniques will only be used in a targetted attack/penetration testing scenario.

]]>