Cracking Windows Access Control Andrey Kolishchak www.gentlesecurity.com Hack.lu 2007.

Slides:

Advertisements

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

Advertisements

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

CWE-732 Incorrect Permission Assignment for Critical Resource

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

Windows Vista Security model and vulnerabilities.

Security+ Guide to Network Security Fundamentals, Fourth Edition

Token Kidnapping's Revenge Cesar Cerrudo Argeniss.

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Introduction To Windows NT ® Server And Internet Information Server.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Web Server Administration Chapter 5 Managing a Server.

To receive our video stream in LiveMeeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

Cyber Patriot Training

Computer Security An overview of terms and key concepts.

The University of Akron Summit College Business Technology Dept.

Author: Bill Buchanan. Work Schedule Author: Bill Buchanan.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

MAC in Windows Vista Autor : Martin ONDRÁČEK, Product Director SODATSW spol. s r. o.; Horní 32; Brno; Czech Republic.

Switch off your Mobiles Phones or Change Profile to Silent Mode.

SATAN Presented By Rick Rossano 4/10/00. OUTLINE What is SATAN? Why build it? How it works Capabilities Why use it? Dangers of SATAN Legalities Future.

SEC835 Practical aspects of security implementation Part 1.

Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Breno de MedeirosFlorida State University Fall 2005 Windows servers The NT security model.

SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.

Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.

1 Objectives Windows Firewalls with Advanced Security Bit-Lock Update and maintain your clients using Windows Server Update Service Microsoft Baseline.

Access Control. What is Access Control? The ability to allow only authorized users, programs or processes system or resource access The ability to disallow.

Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.

Working with Workgroups and Domains Lesson 9. Objectives Understand users and groups Create and manage local users and groups Understand the difference.

Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.

WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The.

Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.

SELinux. The need for secure OS Increasing risk to valuable information Dependence on OS protection mechanisms Inadequacy of mainstream operating systems.

Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.

Wireless and Mobile Security

Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.

Privilege Management Chapter 22.

Privilege Escalation Two case studies. Privilege Escalation To better understand how privilege escalation can work, we will look at two relatively recent.

Databases Kevin Wright Ben Bruckner Group 40. Outline Background Vulnerabilities Log File Cleaning This Lab.

Secure Data Access with SQL Server 2005 Doug Rees Associate Technologist, CM Group

Chapter 14: Controlling and Monitoring Access. Comparing Access Control Models Comparing permissions, rights, and privileges Understanding authorization.

PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.

Securing Privileged Identities Joseph Dadzie, Principal PM Manager, Microsoft 2016 Redmond Summit | Identity Without Boundaries May 26, 2016 James Cowling,

Token Kidnapping's Revenge Cesar Cerrudo Argeniss.

Unit 4 – Network Threats and Vulnerabilities

TechEd /20/2018 7:32 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

Protection and Security

Chapter 5 : Designing Windows Server-Level Security Processes

Introduction to SQL Server 2000 Security

Determined Human Adversaries: Mitigations

Nessus Vulnerability Scanning

Computer Security Distributed System Security

SECURITY IN THE LINUX OPERATING SYSTEM

OS Access Control Mauricio Sifontes.

Operating System Security

Determined Human Adversaries: Mitigations

Designing IIS Security (IIS – Internet Information Service)

Preventing Privilege Escalation

Presentation transcript:

Cracking Windows Access Control Andrey Kolishchak Hack.lu 2007

Outline Introduction into access control Windows access control weaknesses The demo Vista mandatory levels Exploiting mandatory levels Per-application access control

Discretional & Mandatory Access Control Discretional Access Control –Access policy that depends on a user –Access Control Lists (ACL) and capabilities Mandatory Access Control (MAC) –Access policy decreed by system

Windows Access Control (DAC) A controllable object has a list of assigned permissions (ACL), USER x OBJECT Object_AObject_B USER_1READWRITE USER_2EXECUTENONE USER_NREAD WRITE READ

Windows DAC Weaknesses, I Dependence on proper user authentication –Social engineering; –Stealing authentication information and keys; –Passwords brute-forcing and sniffing over the network; –Key-logging. –Etc.

Windows DAC Weaknesses, II Impersonation –Allows a server application to substitute its security identity by the identity of client –Elevation: server receives privileges of client –Attacks DOS + faked servers exposing RPC, named pipes, COM and other interfaces Vulnerable services All services are affected

Windows DAC Weaknesses, III Complexity of ACLs configuration –Weak permissions allow full access to Everyone, Users and Authenticated Users –Typical attack –Affected: Microsoft, Adobe, Macromedia, AOL, Novell, etc. –Accesschk.exe users -wsu "%programfiles%"

Windows DAC Weaknesses, IV Creator (owner) of object implicitly receives full permissions –Owner may write object’s ACL –Attacks Permissions revocation Code injection in the processes run by the same user (NetworkService, LocalService) –Addressed in Windows Vista Owner Rights SID Unique service SID (requires updated service)

Windows DAC Weaknesses, V Permissions cannot be assigned to all objects, e.g. –Network –Windows subsystem Shatter attacks SetWindowsHook –Keyloggers –code injection

The Demo

Interesting Facts NetworkService account is nearly the same as LocalSystem MS SQL service running as a unique user account can be elevated up to LocalSystem Any service’s context could be elevated to LocalSystem NetworkService account has permissions to sniff network traffic An intruder can conduct attacks without introducing additional executable files –CodeRed –Remote shell via FTP tunnel is just 20 lines VBS script

Mandatory Integrity Levels (IL), I Integrity Level is an ordered label that define trustworthy of running applications and objects –Low, Medium, High and System –Mapped to users Mandatory Policies restrict lower IL applications –No-Write-Up, No-Read-Up and No-Exec-Up

Mandatory Integrity Levels (IL), II User Interface Privilege Isolation (UIPI) IE Protected Mode –Iexplore.exe at Low, renders html –Ieuser.exe at Medium, broker for privileged operations

Exploiting Integrity Levels, I Medium IL assigned to all objects created at MI and above levels –all objects, such as files, are shared –No strict boundary between MI and above

Exploiting Integrity Levels, II Bypassing UIPI via automation applications –Restrictions UIAccess=”true” in the manifest Digital signature %ProgramFiles% or %WinDir% High or +16 IL –Attacks Side-by-side DLL injection in writable a %ProgramFiles% Medium = Medium

Exploiting Integrity Levels, III Vulnerable brokers –AppInfo’s handle leak bug found by Skywing (fix in SP1) Bypassing IE’s Protected Mode –Any RPC interface might be affected ILs are not enforced over the network No-Read-Up is not used for files in the default configuration –Low Integrity process may read files

Integrity Levels Limitations A strict security boundary enforced for Low Integrity processes The usage is limited –Configuration is restricted, requires re-design of applications –Capacity of Low Integrity pool is limited due to shared resources, e.g. An database accessible by browser

Per-Application Access Control New dimension in access control matrix, a process: PROCESS x USER x OBJECT –True least privileges –Over-complicated

Addressing The Complexity Application permissions repository –Centralized –Attached to applications, e.g. manifests Hiding part of permissions behind a mandatory model, such as –Windows Integrity Levels –Information-flow control –Role-based

Thank You! Questions?