Reading your way around UAC

Transcription

1 Reading your way around UAC Abusing Access Tokens for UAC Bypasses James

2 What I m Going to Talk About Why Admin-Approval UAC is even worse than you thought! Why Over-the-Shoulder UAC is still worse than you thought!

3 UAC Architecture AppInfo Service Limited User Logon Session Authentication-ID = A-B Application RPC Elevated User Logon Session Authentication-ID = X-Y

4 UAC Architecture AppInfo Service Limited User Logon Session Authentication-ID = A-B Application ShellExecute runas RPC Elevated User Logon Session Authentication-ID = X-Y

5 UAC Architecture AppInfo Service Limited User Logon Session Authentication-ID = A-B RPC Application ShellExecute runas consent.exe Elevated User Logon Session Authentication-ID = X-Y

6 UAC Architecture AppInfo Service Limited User Logon Session Authentication-ID = A-B RPC Elevated User Logon Session Authentication-ID = X-Y Application ShellExecute runas Application

7 Linked Tokens

8 Linked Tokens

9 Deny-Only Groups Link

10 Also Fewer Privileges Link

11 The Problem with UAC Limited User Logon Session Authentication-ID = A-B Non-Admin Application Current User Registry Hive User Profile Directory Desktop and Kernel Objects Elevated User Logon Session Authentication-ID = X-Y Admin Application

12 The Problem with UAC Limited User Logon Session Authentication-ID = A-B Non-Admin Application Current User Registry Hive User Profile Directory Desktop and Kernel Objects Elevated User Logon Session Authentication-ID = X-Y Admin Application

13 Kernel Object Login Sid Non-Admin Token Groups Admin Token DACL

14 NtUserGetClipboardToken Win32k Wr ite to C lip b oa rd Kernel UAC Admin Process Captured Token Non-Admin Process

15 NtUserGetClipboardToken Kernel erg Us Nt Win32k lip etc n ke To ard bo Captured Token UAC Admin Process Non-Admin Process

16 NtUserGetClipboardToken Kernel Win32k Captured Token Op en e df UAC Admin Process or rea d Non-Admin Process

17 Clipboard Token Read-only access

18 Creating a New Process Parent Token Sibling Token Process Token Token ID OR Equal Parent Token ID Assigned Token Process Token Parent Token ID Equal Assigned Token Parent Token ID Equal Auth ID Auth ID

19 Creating a New Process Parent Token Sibling Token Process Token Token ID OR Equal Parent Token ID Assigned Token Process Token Parent Token ID Equal Assigned Token Parent Token ID Equal Auth ID Auth ID

20 Impersonating a Token Token Level == Identification ALLOWED Process has Impersonate Privilege Process IL >= Token IL Process User == Token User Restrict to Identification Level

21 Impersonating a Token Token Level == Identification ALLOWED Process has Impersonate Privilege Process IL >= Token IL Process User == Token User Restrict to Identification Level

22 Impersonating a Token Token Level == Identification ALLOWED Process has Impersonate Privilege Process IL >= Token IL Process User == Token User Restrict to Identification Level

23 Impersonating a Token Token Level == Identification ALLOWED Process has Impersonate Privilege Process IL < Token IL Process User == Token User Restrict to Identification Level

24 Reduce the Integrity Level

25 Reduce the Integrity Level

26 Impersonating a Token Token Level == Identification ALLOWED Process has Impersonate Privilege Process IL >= Token IL Process User == Token User Restrict to Identification Level

27 High IL!= Administrator Create and modify files in system locations Create and modify system services Open >= high IL processes for R/W Interact with >= high IL Windows (UIPI)

28 No God Privileges The following are not allowed to be enabled for a Medium IL token. Privilege Possible Privileged Operations SeCreateTokenPrivilege Create new token objects SeTcbPrivilege Many and varied privileged operations SeLoadDriverPrivilege Load a driver into the kernel SeDebugPrivilege Bypass process/thread security checks SeBackupPrivilege Bypass file/key security checks for read SeRestorePrivilege Bypass file/key security checks for write SeImpersonatePrivilege Impersonate arbitrary users

29 Stealing Tokens

30 OpenProcessToken We only have Query Limited Information

31 Only Limited Information?

32 Start an Elevated Process? Standard auto-elevation of specific MS binaries.

33 Scheduled Tasks If set will spawn elevated process with no UAC prompt.

34 DEMO

35 Changes in Windows 10 Token Level == Identification Process has Impersonate Privilege Process IL >= Token IL Capability Check Process User == Token User Elevation Check ALLOWED Restrict to Identification Level

36 Elevation Checks if (SeTokenIsElevated(ImpersonationToken)) { if (!SeTokenIsElevated(ProcessToken) ProcessToken->LogonSession->Flags.UacSession) { return STATUS_PRIVILEGE_NOT_HELD; } } // Continue with impersonation check.

37 What Makes a Token Elevated? Has God privileges or certain elevated groups BOOLEAN RtlIsElevatedRid(SID_AND_ATTRIBUTES *sid_and_attr) { DWORD last_rid = GetLastRid(sid_and_attr->Sid); DWORD check_rids[] = { 512, 544,... }; for(int i = 0; i < countof(check_rids); ++i) { if (check_rids[i] == last_rid) { return TRUE; } } For example: return FALSE; BUILTIN\Administrators == S }

38 Use NtFilterToken

39 Use Non-God Privileges Privilege Possible Privileged Operations SeCreateGlobalPrivilege Create new sections in global BNO directory SeCreatePageFilePrivilege Create or modify page/hibernation files SeCreateSymbolicLinkPrivilege Create arbitrary NTFS symbolic links SeManageVolumePrivilege Mount/Unmount volumes including VHDs SeSecurityPrivilege Modify SACL entries SeSystemEnvironmentPrivilege Modify UEFI boot variables

40 Bouncing to Elevated Session WMI Limited User Logon Session Authentication-ID = A-B Flags = UacSession Win32_Process Elevated User Logon Session Authentication-ID = X-Y Flags = None Application Impersonate Non-Admin Token Non-Admin Application Impersonate Admin Token

41 DEMO

42 LogonUser New Credentials LSASS Limited User Logon Session Authentication-ID = A-B LogonUser Elevated User Logon Session Authentication-ID = X-Y Application Impersonate Non-Elevated Token Elevated Token // Clone token with new credentials. LogonUser("Badger", "Badger", "Badger", LOGON32_LOGON_NEW_CREDENTIALS, &Token); Admin Token

43 Abuse Secondary Logon ImpersonateLoggedOnUser(hNonElevatedToken); CreateProcessWithLogonW( "Badger", "Badger", "Badger", Equivalent to LOGON_NETCREDENTIALS_ONLY NULL, L"cmd.exe", &proc_info); LOGON32_LOGON_NEW_CREDENTIALS

44 DEMO

45 Over-The-Shoulder Elevation

46 Separation of Resources Normal User Logon Session Authentication-ID = A-B Normal User Registry Hive Admin User Registry Hive User Profile Directory Admin Profile Directory Non-Admin Application Elevated User Logon Session Authentication-ID = X-Y Admin Application Desktop and Kernel Objects

47 Impersonating an OTS Token Token Level == Identification ALLOWED Process has Impersonate Privilege Process IL >= Token IL Process User == Token User Restrict to Identification Level

48 Impersonating an OTS Token Token Level == Identification Process has Impersonate Privilege Process IL >= Token IL Capability Check Process User == Token User ALLOWED Restrict to Identification Level

49 Capability Check BOOLEAN SepIsImpersonationAllowedDueToCapability(PTOKEN token, PTOKEN imp_token) { if ((token->sessionid!= imp_token->sessionid) Tokens must be in (token->tokenflags & TOKEN_FLAGS_LOWBOX) == 0) same Session and (imp_token->tokenflags & TOKEN_FLAGS_LOWBOX) == 0)) { both be LowBox. return FALSE; } if (!SepSidInTokenSidHash(&token->CapabilitiesHash, SeConstrainedImpersonationCapabilitySid)!SepCheckCapabilities(token, imp_token->capabilities)!rtlequalsid(token->package, imp_token->package)) { return FALSE; } return TRUE; } Process token must have impersonation capability, and be in same package.

50 Enterprise Authentication

51 DEMO

52 Is Anything Safe? Hit CTRL+ALT+DEL and click

53 Conclusions Admin-Approval UAC is broken Over-the-sholder UAC is pretty broken on Windows 10 Best chance you have is fast-user switching Don t switch using Explorer, always use the secure attention sequence

54 Thanks Any Questions?