
Cracking Windows Access Control.

Slide 1

Cracking Windows Access Control
Andrey Kolishchak, 2007

Slide 2

Outline
- Introduction to access control
- Windows access control weaknesses
- The demo
- Vista mandatory levels
- Exploiting mandatory levels
- Per-application access control

Slide 3

Discretionary & Mandatory Access Control
- Discretionary Access Control (DAC): the access policy depends on the user
  - Access Control Lists (ACL) and capabilities
- Mandatory Access Control (MAC): the access policy is declared by the system

Slide 4

Windows Access Control (DAC)
- A securable object carries a list of assigned permissions (ACL)
- USER x OBJECT

Slide 5

Windows DAC Weaknesses, I
- Dependence on proper user authentication
  - Social engineering
  - Stealing authentication data and keys
  - Password brute forcing and sniffing over the network
  - Key-logging, etc.

Slide 6

Windows DAC Weaknesses, II
- Impersonation allows a server application to substitute its security identity with the identity of a client
  - Elevation: the server gets the privileges of the client
- Attacks: DoS + faked servers exposing RPC, named pipes, COM and other interfaces
- Vulnerable services: all services are affected

Slide 7

Windows DAC Weaknesses, III
- Complexity of ACL configuration
- Weak permissions grant full access to Everyone, Users and Authenticated Users
  - Typical attack
  - Affected: Microsoft, Adobe, Macromedia, AOL, Novell, etc.
- accesschk.exe users -wsu "%programfiles%"

Slide 8

Windows DAC Weaknesses, IV
- The creator (owner) of an object implicitly gets full permissions
  - The owner may write the object's ACL
- Attacks
  - Permission revocation
  - Code injection into processes run under the same account (NetworkService, LocalService)
- Addressed in Windows Vista
  - Owner Rights SID
  - Unique service SID (requires an updated service)

Slide 9

Windows DAC Weaknesses, V
- Permissions cannot be assigned to all objects, e.g. the System Windows subsystem
  - Shatter attacks
  - SetWindowsHook
  - Keyloggers, code injection

Slide 10

The Demo

Slide 11

Interesting Facts
- The NetworkService account is nearly equivalent to LocalSystem
- An MS SQL service running as a unique user account can be elevated to LocalSystem
- Any service's context can be elevated to LocalSystem
- The NetworkService account has permission to sniff network traffic
- An intruder can conduct attacks without introducing extra executable files
  - CodeRed
  - A remote shell via an FTP tunnel is only a 20-line VBS script

Slide 12

Mandatory Integrity Levels (IL), I
- An Integrity Level is an ordered label that defines the trustworthiness of running applications and objects
  - Low, Medium, High and System
  - Mapped to users
- Mandatory policies restrict lower-IL applications
  - No-Write-Up, No-Read-Up and No-Exec-Up

Slide 13

Mandatory Integrity Levels (IL), II
- User Interface Privilege Isolation (UIPI)
- IE Protected Mode
  - iexplore.exe at Low, renders HTML
  - ieuser.exe at Medium, proxy for privileged operations

Slide 14

Exploiting Integrity Levels, I
- Medium IL is assigned to all objects created at Medium or higher levels
  - All objects, such as files, are shared
- No strict boundary between Medium and above

Slide 15

Exploiting Integrity Levels, II
- Bypassing UIPI through automation applications
- Restrictions
  - UIAccess="true" in the manifest
  - Digital signature
  - %ProgramFiles% or %WinDir%
  - High or +16 IL
- Attacks
  - Side-by-side DLL injection into a writable %ProgramFiles%
  - Medium-16+16 = Medium

Slide 16

Exploiting Integrity Levels, III
- Vulnerable agents
  - AppInfo's handle leak bug found by Skywing (fixed in SP1)
  - Bypassing IE's Protected Mode
  - Any RPC interface may be affected
- ILs are not enforced over the network
- No-Read-Up is not used for files in the default configuration
  - A Low Integrity process may read files
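The mandatory integrity check behind slides 12, 14 and 16, as an added model that is not part of the original deck: it parses the mandatory-label ACE out of an SDDL string (the real SDDL aliases LW/ME/HI/SI for the level SIDs and NW/NR/NX for the policy bits), treats an unlabelled object as Medium with No-Write-Up, and shows why a Low process is refused write but allowed read on a file carrying the default label. The security descriptors are constructed sample values.

```python
import re

# Mandatory-label SIDs as spelled in SDDL (sddl.h aliases) and their RIDs,
# which order the four levels the slides list: Low < Medium < High < System.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
# Mandatory policy bits carried in the label ACE's access mask.
POLICY = {"NW": "write", "NR": "read", "NX": "execute"}
# An object with no label ACE is treated as Medium with No-Write-Up only.
DEFAULT_LABEL = (LEVELS["ME"], frozenset({"write"}))

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
LABEL_ACE = re.compile(r"\(ML;[^;]*;([A-Z]*);[^;]*;[^;]*;([A-Z]{2})\)")


def parse_label(sddl):
    """Return (level, blocked_ops) from the SACL's mandatory label ACE."""
    m = LABEL_ACE.search(sddl)
    if m is None:
        return DEFAULT_LABEL
    rights, sid = m.groups()
    blocked = frozenset(POLICY[rights[i:i + 2]] for i in range(0, len(rights), 2))
    return LEVELS[sid], blocked


def mandatory_check(proc_level, sddl, op):
    """Integrity check done before the DACL: a process at or above the
    object's level always passes; a lower one passes unless the label's
    policy blocks that operation."""
    obj_level, blocked = parse_label(sddl)
    return proc_level >= obj_level or op not in blocked


if __name__ == "__main__":
    # Constructed descriptors: a file labelled Medium/No-Write-Up (the
    # default file policy) and a Low object that blocks everything from below.
    medium_file = "O:BAG:SYD:(A;;FA;;;WD)S:(ML;;NW;;;ME)"
    low_object = "D:(A;;FA;;;WD)S:(ML;;NWNRNX;;;LW)"
    for level, sddl, op in [
        (LEVELS["LW"], medium_file, "write"),       # Low -> Medium file: refused
        (LEVELS["LW"], medium_file, "read"),        # Low may still read it
        (LEVELS["ME"], "D:(A;;FA;;;WD)", "write"),  # unlabelled: Medium, shared
        (LEVELS["ME"], low_object, "write"),        # writing down is never blocked
    ]:
        print(hex(level), op, mandatory_check(level, sddl, op))
```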

Slide 17

Integrity Levels Limitations
- A strict security boundary is enforced for Low Integrity processes
- Usage is limited
  - Configuration is restricted and requires re-design of applications
  - Capacity of the Low Integrity pool is limited because of shared resources, e.g. an email database opened by a browser

Slide 18

Per-Application Access Control
- A new dimension in the access control system, the process: PROCESS x USER x OBJECT
- True least privilege
- Over-complicated

Slide 19

Addressing the Complexity
- Application permissions repository
  - Centralized
  - Attached to applications, e.g. manifests
- Hiding part of the permissions behind a mandatory model, such as Windows Integrity Levels
- Information-flow control
- Role-based

Slide 20

Thank You! Questions?