Windows Vista Security

1
Windows Vista Security
2
User Mode Security

• User Account Protection (UAP)
• Mandatory Integrity Control(MIC)
• UI Privlilege Isolation (UIPI)
• Restricted Process
• Unrestricted Process (Elevation)
• Standard methods
• The Legacy Shell Trick
• Consent Prompts and Admin Brokers
• Service Isolation
• File and Registry Virtualization
• Registry Virtualization
• File Virtualization
• Low Rights IE Virtualization
• Possible Attacks

3
User Account Protection (UAP)

• Limited User Accounts
• Standard user accounts preferred
• Problem software isnt always written for
  Standard user accounts
• Administrators start as Protected
• Runs programs with minimal privileges
• Must authenticate protected actions
• Can run programs unrestricted Unprotected

4
Mandatory Integrity Control(MIC)

• Every securable object has an Integrity
• Children inherit integrity parents
• Interactions exist at equal or lesser integrity
• Higher integrity can act on lower through certain
  functions
• Any interaction allowed through IPC (BAD)
• Lower Integrity server can impersonate higher
  integrity. (ImpersonateNamedPipeClient)

5
Mandatory Integrity Control Levels
6
UI Privilege Isolation (UIPI)

• Added to prevent Shatter attacks
• LI process cant send messages to a HI Process
• SendMessage
• PostMessage
• LI process cant hook into a HI process
• SetWindowsHookEx
• SetWinEventHook

7
Restricted Process

• How is it restricted
• Security token normally has all privileges
• Some are disabled (Ignored during permission
  checks)
• Process can re-enable them
• Security token created with less privileges
  (CreateRestrictedToken)
• Some privileges removed
• Some privileges marked deny only
• Group used for deny only
• Explicit denials for group propagate
• Explicit allows do not

8
Unrestricted Process (Elevation)

• Process are run elevated when
• Process is a .msi or .exe and a registered
  installer
• Process exists in app compatibility database
• Proper registry with entry value RUNASADMIN
• ltapplication_namegt.sbd created by CompatAdmin.exe
• Aplication Manifest (ltappnamegt.exe.manifest)
  contains requestedExecutionLevel of
  requireAdministrator
• User right clicks executable and clicks Run
  Elevated from explorer
• Executed by an already privileged process

9
The Legacy Shell Trick

• Kill explorer from taskmanager.exe and restart it
  with file-gtnew task
• New shell running with highest integrity
• Why does this work?
• WinLogon.exe handles Secure Attention Sequence
  (ctrlaltdelete and ctrlshiftesc)
• taskmanager started this way is created with high
  integrity
• File-gtnew task creates a process with
  CreateProcess instead of CreateRestrictedProcess
• Fixed in later builds of Vista

10
Consent Prompts and Admin Brokers

• Windows Explorer cant launch unrestricted apps
  on its own
• Restricted Token
• Medium Integrity
• AppInfo Admin Broker service (runs as
  LocalSystem)
• RunAsAdminProcess
• consent.exe run by AppInfo
• Creates process
• ImpersonateLoggedOnUser
• CreateProcessAsUser (not CreateProcess)

11
Security Token
Standard User Token
Full Administrator Token
User In Administrators Group
Local Security Authority
Full Access Consent
Login
Standard User Token
Administrator Credentials
User In Users Group
Login
12
Service Isolation

• Services use to exist in the same session
• Vista Services run in Isolated Session 0
• Services cant open dialogs on desktop
• Neither can services marked interactive
• Dialogs from interactive services are actually a
  Terminal Service Context
• Consent Prompts?
• AppInfo runs consent in the users desktop
  session with CreateProcessAsUser

13
File and Registry Virtualization

• Why?
• Developers dont code applications properly
• Assume the need for admin privileges
• Need to provide backwards compatibility
• Need to provide separation and safety

14
Registry Virtualization

• Implemented by kernel
• Write attempts to HKEY_LOCAL_MACHINE\Software
  redirected to HKEY_CURRENT_USER\Software\Classes\V
  irtualStore\MACHINE\Software
• Provides per-user settings in apps that used
  registry for storage.
• Provides isolation between users.

15
File Virtualization

• Implemented as a FS filter driver (luafv.sys)
• Example Program files
• Foo writes to c\Program Files\foo\foo.ini
• Foo is running as unprivileged and fails
• Filter driver maps c\Program Files\foo\foo.ini
  to per-user virtualized area.
• UserProfile\AppData\Local\VirtualStore\C\Progra
  1\foo contains user-specific copy of foo.ini
• Certain executable types not virtualized (cmd,
  bat, exe, dll, etc..)
• Provides isolation
• Provides per-user settings (in certain cases)

16
Low Rights IE Virtualization

• Virtualization not done by Filter Driver, done by
  AppCompat shim dll
• Why?
• Low integrity process cant even write to the
  virtualized areas
• Uses special broker applications for tasks

17
Low Rights IE Virtualization Components

• User runs IEUser.exe (Med integrity)
• IEUser.exe spawns IExplorer.exe (Low Integrity)
• Any admin level requests handled by IEInstall.exe

18
Ex-Possible Attacks

• Low Integrity IE Approach
• Medium Integrity
• Method 1 Slight of Hand/Bait and switch
• Method 2 Slight of Hand/Bait and switch

19
Low integrity IE Approach

• Unknown IE Exploit allows injection of arbitrary
  code
• Code is run at low integrity
• Low integrity code can loopback on localhost
  (gains default med integrity)
• Code can now insert files into the filesystem eg.
  Virtualized start menu startup folder
• No longer valid as of Beta 2

20
Medium Integrity - Method 1

• User expects consent prompt
• User is slow
• User clicks through
• Malicious app checks for all instances of
  consent.exe
• If called on behalf of spoof target copy our bad
  version over the good one

21
Medium Integrity - Method 2

• Global COM Objects
• HKEY_LOCAL_MACHINE\Software\Classes\CLSID
• User Specific COM Objects
• HKEY_CURRENT_USER\Software\Classes\CLSID
• User objects have prescient over system
• Enumerate system COM objects
• Create paths to malicious versions in
  current_user
• No longer valid, only local_machine keys are
  referred to for elevation

22
Kernel Mode Security

• Booting Vista
• Driver Signing
• Patch Guard
• Secure Bootup
• Restricted user-mode access to \Device\PhysicalMem
  ory

23
Booting Vista (Stage 1)

• Locates and runs bootmgr for legacy PC/AT Bios
  and bootmgr.efi for an efi system
• The Vista Boot Manager calls InitializeLibrary,
  which in turn calls BlpArchInitialize (GDT, IDT,
  etc.), BlpTpmInitialize (TPM), BlpIoInitialize
  (file systems), BlBdInitialize (debugging),
  BlDisplayInitialize,
• Boot.init replaced with BCD file
• Selects boot description and runs
  BlImageLoadBootApplication
• Calls BlFveSecureBootUnlockBootDevice and
  BlFveSecureBootCheckpointBootApp if Full Volume
  Encryption is enabled.

24
Booting Vista (Stage 2)

• WINLOAD.EXE replaces NTLDR.EXE as the os loader
• Performs many of the same tasks as bootmgr
• Discovers disks and loads the hive
• Loads OS Signed catalog

25
Booting Vista (Stage 2) cont.

• Verifies its own integrity and that of other
  system files
• Does not boot if they dont match
• Will however boot if a debugger is attached
  except on certain key files
• Loads appropriate driver for debugging
• Usb
• Firewire
• Serial
• Loads remaining drivers in order from the hive

26
Booting Vista (Stage 3)

• Loads NTOSKRNL.EXE
• Responsible for code verification of system
  drivers
• Runtime checks (PatchGuard and CI.DLL)

27
Driver Signing

• Windows Vista 64-bit edition only
• All Kernel mode drivers must have a class 3 cert
• Justification
• Stability less hackish code in kernel
• Security Prevents root kits
• Ulterior Motives
• DRM protection

28
Driver Signing (Implementation)

• WINLOAD.EXE - Boot driver checks
• NTOSKRNL.EXE All other driver (uses CI.DLL)
• Functions
• MinCrypL_CheckSignedFile
• MinCrypL_CheckImageHash
• MinCryptK_FindPageHashesInCatalog

29
Driver Signing (Implementation)

• MinCrypL_CheckSignedFile
• Used by WINLOAD.EXE and CI.DLL
• Parses certificate to check validity
• Checks certificate against a root certificate
• Hard coded list of 8 certificates in binary
• Adding certificates to system certificates
  doesnt add to this list.
• If certificate is signed by a root authority
  validate it
• Parse public key info/RSA Public Key
• Convert the key to a Safe public key
• Verify signing according to PKCS1

30
Driver Signing (Implementation)

• MinCrypL_CheckImageHash
• Used by WINLOAD.exe
• Verifies driver matches images in the signed
  catalog
• Walks linked list of catalogs pointed to by
  g_CatalogList calling I_CheckImageHashInCatalog
  on each
• MinCryptK_FindPageHashesInCatalog
• Used by CI.DLL
• Checks code pages of process or driver at
  runtime.
• Binary searches for matching page hash in
  ntpe.cat nt5.cat

31
Patch Guard

• Can not be disabled
• Polls at 5-10 minute intervals to verify kernel
  structures are intact
• SSDT (System Service Descriptor Table)
• GDT (Global Descriptor Table)
• IDT (Interrupt Descriptor Table)
• System images (ntoskrnl.exe, ndis.sys, hal.dll)
• Processor MSRs (syscall)

32
Patch Guard (Implementation)

• Uses Obfuscation and Misdirection raise the bar
• Example
• Initialization
• nt!KiDivide6432 (What does it do?)
• Throws divide processor exception
• Patch Guard Initialization called in exception
  handler

33
Patch Guard (Implementation)

• Initialization
• Creates random key
• Creates random rotate number
• Picks a fake memory pool tag
• Initializes memory
• Zeroes it
• Fills it with structures
• Encrypts structures in memory

34
Patch Guard (Attacks)

• Exception Handler Hooking Verification relies
  on exceptions, hook the exception and turn it
  into a nop
• KeBugCheckEX Hook When called check if bug
  check code is 0x109 if so reset stack pointer
  and instruction pointer to the thread and carry
  on
• Finding the timer Find the timer event and
  remove it. Not reliable and not portable since it
  uses an unexported address
• Simulating Hotpatching Use the Hotpatch api to
  trick windows

35
Secure Bootup

• TPM Holds key used for full drive encryption
• Takes measurments of boot items such as ROM
  images and firmware images
• Special boot code in TPM decrypts the boot loader
• Boot loader asks for full drive encryption key
  from TPM
• Boots the same as detailed in Booting Vista

36
Disabled user-mode access to \Device\PhysicalMemor
y

• Started with Windows Server 2003 SP1
• Crazylord (p59-0x10) showed a method for
  detecting bios root kits using \Device\PhysicalMem
  ory

37
The End
38
Frame-Based Exception Handlers

• Every thread in a Win32 Process has at least one
  frame-based exception handler.
• A list of EXCEPTION_REGISTRATION structures can
  be found in the processs Thread Environment
  Block at FS 0
• Overwrite the exception handler with an address
  which will pop reg pop reg ret

39
Determining a valid handler

• Handler can not exist on the stack (determined by
  TEB FS4 FS8)
• Checked against loaded modules
• If the address exists outside of the bounds of
  these addresses it is ok to call?
• If the address exists inside these it is checked
  against registered handlers.
• Checks a value in the PE header if it is set to
  0x04 then the module is not allowed.
• Finally checks for a Load Configuration Directory
  if missing function returns 0 and no other checks
  are done and handler is executed

40
Exploiting Frame-Based Exception Handling (Window
2003 Server)

• Methods
• Exploit an existing handler that we can
  manipulate to get us back into our buffer
• Find a block of code in an address not associated
  with a module that will get us back to our buffer
• Find a block of code in the address space of a
  module that does not have a Load Configuration
  Directory

41
Exploiting an Existing Handler

• NTDLL contains several registered exception
  handlers
• Only works the first time since sensitive data is
  in predictable places
• 77F45A3F mov ebx,dword ptr ebp0Ch
• ..
• 77F45A61 mov esi, dword ptr ebx0Ch
• 77F45A64 mov edi, dword ptr ebx8
• ..
• 77F45A75 lea ecx, esiesi2
• 77F45A78 mov eax, dword ptr ediecx44
• ..
• 77F45A64 call eax

42
Finding and exploiting a block of code not
associated with a module

• Windows 2003 Server Enterprise edition contains
  such an address at 0x7FFC0AC5. (pop pop ret)
• Not usable since Standard addition does not have
  the same issue
• However we can use the address of our
  EXCEPTION_REGISTRATION struct in the form of a
  call or jump espsomevalue

43
Stack Protection and Windows 2003 Server

• Security Cookies
• Authoritative copy stored in the .data segment
• /GS Compiler Flag
• Reorders parameters
• Places overflowable buffers close to canary values

44
Heap Based Buffer Overflows

• Handle to Win32 Heap through GetProcessHeap() and
  through the PEB
• HeapAllocate Win32 version of brk and brk.
• Every heap starts with a struct and contains
  pointers to the previous and next blocks (similar
  to malloc).
• Use Exception Handlers to overwrite functions
  such as RtlAccquitePebLock() and
  RtlReleasePebLock() (Not Usable in Win2k3Server)

45
Heap Overflow Fun

• The PEB in a process is fixed across all WinNT
  Versions.
• Step1 Overflow heap to overwrite the PEB 4
  (Return address).
• Step2 Allow Program to segfault and terminate.
• Step3 Sit back and watch ExitProcess run your
  code for you.
• Make sure to set the pointer back or something
  else could kill your process if its used
  elsewhere in the code

46
Vectored Handlers

• Similar in structure to Frame based exception
  handlers.
• Stored on the heap instead of stack
• Executed before frame based handlers.

47
Overwritting Exception Filters

• Overwrite pointer to Unhandled Exception Filter.
• Windows exposes a function to do this
  SetUnhandledExceptionFilter().
• This function shows us where this Handler is
  stored.
• By replacing the address of the function this
  points to when an unhandled exception happens we
  gain control.

48
Other Aspects of Heap-Based Overflows

• COM Objects and the Heap
• COM Objects when instantiated are placed on the
  heap
• A vtable is created to store function pointers
  for an object and the object is stored above it
  in the address space
• If you overflow an object you can possibly
  overwrite the vtable of the object above you and
  redirect code execution.
• Overflowing Program Control Data
• We dont always want to execute arbitrary code
• Some times we just want to change data on the
  heap that controls the execution flow.
• Ex. Making a directory exposed by a web server
  writable so anyone can write to it.