lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <5B8A2EA055E743C680615EDB0C47C4A9@W340> Date: Thu, 27 Nov 2014 21:28:17 +0100 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <bugtraq@...urityfocus.com> Cc: fulldisclosure@...lists.org Subject: [FD] Defense in depth -- the Microsoft way (part 22): no DEP in Windows' filesystem (and ASLR barely used) Hi @ll, more than 20 years ago Microsoft introduced the NTFS filesystem (supporting ACLs) and "user profiles" to separate user data (with emphasis on "data") from the OS and each other. More than 13 years ago Microsoft introduced "software restriction policies" alias SAFER (<https://support.microsoft.com/kb/310791>, <https://support.microsoft.com/kb/324036>, <https://technet.microsoft.com/library/bb457006.aspx>, <https://technet.microsoft.com/library/cc786941.aspx>, <https://technet.microsoft.com/library/cc507878.aspx>). JFTR: <http://csrc.nist.gov/itsec/SP800-68r1.pdf> <http://books.google.de/books?isbn=1437914926> <http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> <http://www.asd.gov.au/infosec/top35mitigationstrategies.htm> | At least 85% of the targeted cyber intrusions that the Australian ~~~~~~~~ | Signals Directorate (ASD) responds to could be prevented by | following the Top 4 mitigation strategies listed in our Strategies | to Mitigate Targeted Cyber Intrusions: | #1 use application whitelisting to help prevent malicious software | and unapproved programs from running ... More than 10 years ago Microsoft introduced "data execution prevention" alias DEP (<https://support.microsoft.com/kb/875352>, <https://support.microsoft.com/kb/899298>, <https://support.microsoft.com/kb/912923>, and <https://msdn.microsoft.com/library/aa366553.aspx>) and enabled it by default. JFTR: <http://www.av-test.org/en/news/news-single-view/self-protection-for-antivirus-software/> Where Windows "self protection" right now? Even today all (data) files created in the user's profiles, the "%ProgramData%" directory as well as almost all other "data" directories too are still "executable": the NTFS-ACLs of all these directories which are inherited by files and subdirectories created within them include "execution" permission! And SAFER is still not enabled by default. The immediate benefit of an NTFS-ACL without "execution" permission or the default SAFER ruleset is: no (unintended) execution of files like invoice.pdf.exe etc. stored in "data" directories, so spreading malware to Windows would become utterly useless. If you want to try "DEP in the filesystem" for yourself: * add an NTFS-ACE (D;OIIO;WP;;;WD) meaning "Deny execution of files for everyone, inheritable to all files in all subdirectories" for your own %USERPROFILE% directory (or all of them plus %ProgramData% if you have administrative rights). JFTR: "Deny" ACEs take precedence over "Allow" ACEs. * enable the default SAFER ruleset which allows execution (of *.exe) only in %SystemRoot%\ and %SystemRoot%\System32\ and any executable file in %ProgramFiles%\ and below. For x64 you'll have to add rules for %SystemRoot%\SysWoW64\*.exe and %SystemRoot%\Sysnative\*.exe as well as %ProgramFiles(x86)%\ Cf. <http://mechbgon.com/srp/> for instructions, or use the scripts <http://home.arcor.de/skanthak/download/XP_SAFER.INF> for Windows XP (including embedded versions) and Server 2003 resp. <http://home.arcor.de/skanthak/download/NT6_SAFER.INF> for Windows Vista, 7 and 8 as well as Server 2008 [R2] Then open the SPAM folder of your mail client, get one of the many "invoice.pdf.exe" your anti-virus fails to detect and "open" it. regards Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists