Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Windows Software Restriction Policy Protection Bypass



I liked M$'s reply ;-)


http://www.security.nnov.ru/Ndocument38.html
----------------------
Windows Software Restriction Policy Protection Bypass

Class: Protection bypass
Vector: Local
Tested on: Windows XP SP2, Windows Server 2003 SP1
Risk: Low

Remark:
I don't know what this is, a bug or a feature, but I can't find any documentation on this issue.

Description:
Software Restriction Policies restrictions don't apply if the user logs on via the Secondary Logon service (Run As).

Test:

Create a new SRP policy (in a Local or Domain-level GPO, for User or for Computer). Change the security level to Disallowed. Update the policy and log on as a restricted user. Copy notepad to the desktop. Try to launch notepad from the desktop (it will fail). Right-click notepad, choose Run as, select "Following users", and type the current user name and password. You'll see notepad launch. The CLI version (runas.exe) gives similar results.

Remark.

Why don't ACLs help?
If a user is able to write (create files) in any folder (for example the profile, Temporary Internet Files, whatever), he (or she, of course) becomes the owner of the created files. And even if we revoke the NTFS execute permission on any writable folder, the user can change the permissions on the files, because he (or she, of course) is the creator/owner.

Example (test is not an administrator):

cd \noexec
copy \WINDOWS\system32\notepad.exe .
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe BUILTIN\Users:(DENY)(Special access:)
                                   FILE_EXECUTE

                     BUILTIN\Users:(DENY)(Special access:)
                                   WRITE_DAC
                                   WRITE_OWNER

                     BUILTIN\Administrators:F
                     NT AUTHORITY\SYSTEM:F
                     WINXP01\test:F
                     BUILTIN\Users:R

C:\noexec>notepad.exe
Access denied.

C:\noexec>cacls.exe notepad.exe /G test:F
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe WINXP01\test:F

C:\noexec>notepad.exe

Workaround:

Disable Secondary Logon service:

sc stop seclogon
sc config seclogon start= disabled

Timeline:

05.06 - Vulnerability discovered
08.06.06 - Vendor notification
09.06.06 - Vendor response

"Software Restriction Policy and Group Policy are not meant to be complete security features...For full security, we recommend using ACLs to protect the appropriate resources in your environment..."

09.06.06 - Public disclosure
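
Added example, not part of the original advisory: a PowerShell audit that checks whether the Secondary Logon workaround is applied and lists files under a no-execute folder whose owner is not Administrators or SYSTEM, since such an owner can reset the ACL as in the cacls session above. The folder C:\noexec is taken from the advisory's demo; the $NoExecDir parameter name and the trusted-owner list are assumptions.

```powershell
# Added audit example (not from the advisory). Run from an elevated PowerShell 3.0+ session.
# $NoExecDir is a hypothetical parameter; its default matches the advisory's demo folder.
param([string]$NoExecDir = 'C:\noexec')

# 1. Is the workaround in place? Secondary Logon should be Disabled and Stopped.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
if (-not $svc) {
    Write-Output 'seclogon: service not found'
} elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') {
    Write-Output 'seclogon: disabled and stopped (workaround applied)'
} else {
    Write-Output "seclogon: StartMode=$($svc.StartMode) State=$($svc.State) (Run As is available)"
}

# 2. Which files are owned by an unprivileged account?
#    The owner of a file can rewrite its DACL, so a deny-execute ACE
#    on a user-owned file can be removed by that user.
#    Assumed trusted owners: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
$trustedOwners = 'S-1-5-32-544', 'S-1-5-18'

Get-ChildItem -LiteralPath $NoExecDir -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        # Compare by SID so localized or renamed group names do not matter.
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($trustedOwners -notcontains $ownerSid) {
            [pscustomobject]@{
                Path     = $_.FullName
                Owner    = $acl.Owner
                OwnerSid = $ownerSid
            }
        }
    }
```

Any file the second step reports can have its permissions rewritten by its owner, so it should not be treated as protected by the folder's deny-execute ACL.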

 
© 3APA3A, Vladimir Dubrovin




 




Copyright © Lexa Software, 1996-2009.