BugTraq
Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups" Mar 21 2017 06:09PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

Windows 8 and newer versions (Windows 7 and Windows Server 2008 R2
with KB2532445 or KB3125574 installed too) don't allow unprivileged
callers to circumvent AppLocker and SAFER rules via

LoadLibraryEx(TEXT("<arbitrary DLL>"), NULL, LOAD_IGNORE_CODE_AUTHZ_LEVEL);

See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
and <https://support.microsoft.com/kb/2532445>

| LOAD_IGNORE_CODE_AUTHZ_LEVEL 0x00000010
|
| If this value is used, the system does not check AppLocker rules
| or apply Software Restriction Policies for the DLL. This action
| applies only to the DLL being loaded and not to its dependencies.
| This value is recommended for use in setup programs that must
| run extracted DLLs during installation.
|
| Windows Server 2008 R2 and Windows 7:
| On systems with KB2532445 installed, the caller must be running
| as "LocalSystem" or "TrustedInstaller"; otherwise the system
| ignores this flag.

Unprivileged users can but bypass AppLocker or SAFER alias Software
Restriction Policies via

STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi = {0};
CreateProcess(TEXT("<arbitrary exe>"), NULL, NULL, NULL, FALSE,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL, NULL, NULL, &si, &pi);

on ALL versions from Windows XP to Windows 10!

See <https://msdn.microsoft.com/en-us/library/ms684863.aspx>

| CREATE_PRESERVE_CODE_AUTHZ_LEVEL 0x02000000
|
| Allows the caller to execute a child process that bypasses the
| process restrictions that would normally be applied automatically
| to the process.

Mitigation:
~~~~~~~~~~~

Create an "AppCert.Dll" that exports CreateProcessNotify and
set the following registry entry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppCert.Dll"="<path>\AppCert.Dll"
...

Note: AppCertDlls are loaded at the first call of one of the
CreateProcess*() functions. Process creation is denied
if one of them returns STATUS_UNSUCCESSFUL from its
CreateProcessNotify() routine when called with the flag
PROCESS_CREATION_QUERY.

--- APPCERT.C ---
#pragma comment(linker, "/DLL")
#ifdef _WIN64
#pragma comment(linker, "/EXPORT:CreateProcessNotify,PRIVATE")
#else
#pragma comment(linker, "/EXPORT:CreateProcessNotify=_CreateProcessNotify@8,PRIVATE")
#endif
#pragma comment(linker, "/NOENTRY")

#include <windows.h>

#define PROCESS_CREATION_QUERY 1L
#define PROCESS_CREATION_ALLOWED 2L
#define PROCESS_CREATION_DENIED 3L

NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, ULONG ulReason)
{
NTSTATUS ntStatus = STATUS_SUCCESS;

switch (ulReason)
{
case PROCESS_CREATION_QUERY:
// called once for each process that is to be created
// return STATUS_SUCCESS to allow process creation or
// return STATUS_UNSUCCESSFUL to deny process creation

if (forbidden(lpApplicationName))
ntStatus = STATUS_UNSUCCESSFUL;

break;

case PROCESS_CREATION_ALLOWED:
// called once for each process that is allowed creation

...

break;

case PROCESS_CREATION_DENIED:
// called once for each process that is denied creation

...

break;

default:
;
}

// the return value is only used for PROCESS_CREATION_QUERY,
// all other conditions are ignored

return ntStatus;
}
--- EOF ---

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2017-03-10 sent vulnerability report to vendor

2017-03-10 reply from vendor: MSRC case 37727 opened

2017-03-13 reply from vendor: product team is working on case

2017-03-21 reply from vendor:
"The product team has finished their investigation and
determined this will be serviced in a future version
of Windows. AppLocker bypasses are not serviced via
monthly security roll-ups; only major version updates."

2017-03-21 <https://support.microsoft.com/kb/2532445> but serviced
a bypass with a hotfix which was incorporated in later
security updates and is included in the "convenience"
rollup <https://support.microsoft.com/en-us/kb/3125574>

2017-03-21 reply from vendor:
"If you want this fixed immediately and are an
enterprise customer you'll need to work with your
Account Manager to open a support case."

2017-03-21 report published

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus