lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <139148887.20060609120518@SECURITY.NNOV.RU>
Date: Fri Jun  9 09:05:31 2006
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Windows Software Restriction Policy Protection
	Bypass

Dear bugtraq@...urityfocus.com,

  It was reported anonymously with request to post to lists.

Windows Software Restriction Policy Protection Bypass

Author:          Anonymous
Class:           Restrictions bypass
Vector:          Local
Vendor:          Microsoft
Sofware:         Windows XP SP2, Windows Server 2003 SP1
Risk level:      Low

Remark:

I  don't  know,  what  is  it  -  bug  or  feature, but I can't find any
documentation on this issue.

Description:

Software  Restriction  Policies restrictions doesn't apply if user logon
via secondary logon service (Run As).

Test:

Create  new  SRP  policy  (in Local or Domain Level GPO, for User or for
Computer). Change security levels to Disallowed. Update policy and logon
as  restricted  user. Copy notepad to the desktop. Try to launch notepad
from  desktop (will fail). Right click on notepad, choose run as, select
"Following  users",  and type current user name and password. You'll see
launched notepad. CLI version (runas.exe) provides similar results.

Remark. 

Why ACLs are not workaround?
If user has ability to write (create files) in any folder (for example - profile, temporary internet
files, whatever) he (or she of cause) becomes the owner of created files. And even we revoke NTFS
execute permission on any writable folder, user can change permissions on files, because he (or she of
cause) is creator/owner for said file.

Example (user 'test' is not an administrator):

cd \noexec
copy \WINDOWS\system32\notepad.exe .
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe BUILTIN\Users:(DENY)(Special access:)
                                    FILE_EXECUTE

                      BUILTIN\Users:(DENY)(Special access:)
                                    WRITE_DAC
                                    WRITE_OWNER

                      BUILTIN\Administrators:F
                      NT AUTHORITY\SYSTEM:F
                      WINXP01\test:F
                      BUILTIN\Users:R

C:\noexec>notepad.exe
Access denided.

C:\noexec>cacls.exe notepad.exe /G test:F
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe WINXP01\test:F

C:\noexec>notepad.exe

Workaround:

Disable Secondary Logon service:

sc stop seclogon
sc config seclogon start= disabled

Timeline:

05.06 - Vulnerability discovered
08.06.06 - Vendor notification
09.06.06 - Vendor response

"Software  Restriction  Policy  and  Group  Policy  are  not meant to be
complete  security features...For full security, we recommend using ACLs
to protect the appropriate resources in your environment..."

09.06.06 - Public disclosure
  

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ