Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cracking Windows Access Control Andrey Kolishchak www.gentlesecurity.com Hack.lu 2007.

Published byLambert Shepherd Modified over 8 years ago

Similar presentations

Presentation on theme: "Cracking Windows Access Control Andrey Kolishchak www.gentlesecurity.com Hack.lu 2007."— Presentation transcript:

1 Cracking Windows Access Control Andrey Kolishchak www.gentlesecurity.com Hack.lu 2007

2 Outline Introduction into access control Windows access control weaknesses The demo Vista mandatory levels Exploiting mandatory levels Per-application access control

3 Discretional & Mandatory Access Control Discretional Access Control –Access policy that depends on a user –Access Control Lists (ACL) and capabilities Mandatory Access Control (MAC) –Access policy decreed by system

4 Windows Access Control (DAC) A controllable object has a list of assigned permissions (ACL), USER x OBJECT Object_AObject_B USER_1READWRITE USER_2EXECUTENONE USER_NREAD WRITE READ

5 Windows DAC Weaknesses, I Dependence on proper user authentication –Social engineering; –Stealing authentication information and keys; –Passwords brute-forcing and sniffing over the network; –Key-logging. –Etc.

6 Windows DAC Weaknesses, II Impersonation –Allows a server application to substitute its security identity by the identity of client –Elevation: server receives privileges of client –Attacks DOS + faked servers exposing RPC, named pipes, COM and other interfaces Vulnerable services All services are affected

7 Windows DAC Weaknesses, III Complexity of ACLs configuration –Weak permissions allow full access to Everyone, Users and Authenticated Users –Typical attack –Affected: Microsoft, Adobe, Macromedia, AOL, Novell, etc. –Accesschk.exe users -wsu "%programfiles%"

8 Windows DAC Weaknesses, IV Creator (owner) of object implicitly receives full permissions –Owner may write object’s ACL –Attacks Permissions revocation Code injection in the processes run by the same user (NetworkService, LocalService) –Addressed in Windows Vista Owner Rights SID Unique service SID (requires updated service)

9 Windows DAC Weaknesses, V Permissions cannot be assigned to all objects, e.g. –Network –Windows subsystem Shatter attacks SetWindowsHook –Keyloggers –code injection

10 The Demo

11 Interesting Facts NetworkService account is nearly the same as LocalSystem MS SQL service running as a unique user account can be elevated up to LocalSystem Any service’s context could be elevated to LocalSystem NetworkService account has permissions to sniff network traffic An intruder can conduct attacks without introducing additional executable files –CodeRed –Remote shell via FTP tunnel is just 20 lines VBS script

12 Mandatory Integrity Levels (IL), I Integrity Level is an ordered label that define trustworthy of running applications and objects –Low, Medium, High and System –Mapped to users Mandatory Policies restrict lower IL applications –No-Write-Up, No-Read-Up and No-Exec-Up

13 Mandatory Integrity Levels (IL), II User Interface Privilege Isolation (UIPI) IE Protected Mode –Iexplore.exe at Low, renders html –Ieuser.exe at Medium, broker for privileged operations

14 Exploiting Integrity Levels, I Medium IL assigned to all objects created at MI and above levels –all objects, such as files, are shared –No strict boundary between MI and above

15 Exploiting Integrity Levels, II Bypassing UIPI via automation applications –Restrictions UIAccess=”true” in the manifest Digital signature %ProgramFiles% or %WinDir% High or +16 IL –Attacks Side-by-side DLL injection in writable a %ProgramFiles% Medium-16+16 = Medium

16 Exploiting Integrity Levels, III Vulnerable brokers –AppInfo’s handle leak bug found by Skywing (fix in SP1) Bypassing IE’s Protected Mode –Any RPC interface might be affected ILs are not enforced over the network No-Read-Up is not used for files in the default configuration –Low Integrity process may read files

17 Integrity Levels Limitations A strict security boundary enforced for Low Integrity processes The usage is limited –Configuration is restricted, requires re-design of applications –Capacity of Low Integrity pool is limited due to shared resources, e.g. An e-mail database accessible by browser

18 Per-Application Access Control New dimension in access control matrix, a process: PROCESS x USER x OBJECT –True least privileges –Over-complicated

19 Addressing The Complexity Application permissions repository –Centralized –Attached to applications, e.g. manifests Hiding part of permissions behind a mandatory model, such as –Windows Integrity Levels –Information-flow control –Role-based

20 Thank You! Questions?

Download ppt "Cracking Windows Access Control Andrey Kolishchak www.gentlesecurity.com Hack.lu 2007."

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-732 Incorrect Permission Assignment for Critical Resource
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
Windows Vista Security model and vulnerabilities.

Windows Vista Security model and vulnerabilities.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Token Kidnapping's Revenge Cesar Cerrudo Argeniss.

Token Kidnapping's Revenge Cesar Cerrudo Argeniss.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.

2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Web Server Administration Chapter 5 Managing a Server.

Web Server Administration Chapter 5 Managing a Server.

Similar presentations

Ads by Google