Message-ID: <5B8A2EA055E743C680615EDB0C47C4A9@W340>
Date: Thu, 27 Nov 2014 21:28:17 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 22): no DEP in
	Windows' filesystem (and ASLR barely used)

Hi @ll,

more than 20 years ago Microsoft introduced the NTFS filesystem
(supporting ACLs) and "user profiles" to separate user data
(with emphasis on "data") from the OS and each other.


More than 13 years ago Microsoft introduced "software restriction
policies" alias SAFER (<https://support.microsoft.com/kb/310791>,
<https://support.microsoft.com/kb/324036>,
<https://technet.microsoft.com/library/bb457006.aspx>,
<https://technet.microsoft.com/library/cc786941.aspx>,
<https://technet.microsoft.com/library/cc507878.aspx>).

JFTR: <http://csrc.nist.gov/itsec/SP800-68r1.pdf>
      <http://books.google.de/books?isbn=1437914926>
      <http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>

      <http://www.asd.gov.au/infosec/top35mitigationstrategies.htm>

      | At least 85% of the targeted cyber intrusions that the Australian
                            ~~~~~~~~
      | Signals Directorate (ASD) responds to could be prevented by
      | following the Top 4 mitigation strategies listed in our Strategies
      | to Mitigate Targeted Cyber Intrusions:
      | #1 use application whitelisting to help prevent malicious software
      |    and unapproved programs from running
      ...


More than 10 years ago Microsoft introduced "data execution prevention"
alias DEP (<https://support.microsoft.com/kb/875352>,
<https://support.microsoft.com/kb/899298>,
<https://support.microsoft.com/kb/912923>,
and <https://msdn.microsoft.com/library/aa366553.aspx>) and enabled it
by default.

JFTR: <http://www.av-test.org/en/news/news-single-view/self-protection-for-antivirus-software/>


Where Windows "self protection" right now?


Even today all (data) files created in the user's profiles, the
"%ProgramData%" directory as well as almost all other "data"
directories too are still "executable": the NTFS-ACLs of all these
directories which are inherited by files and subdirectories created
within them include "execution" permission!

And SAFER is still not enabled by default.


The immediate benefit of an NTFS-ACL without "execution" permission
or the default SAFER ruleset is: no (unintended) execution of files
like invoice.pdf.exe etc. stored in "data" directories, so spreading
malware to Windows would become utterly useless.


If you want to try "DEP in the filesystem" for yourself:

* add an NTFS-ACE (D;OIIO;WP;;;WD) meaning "Deny execution of files
  for everyone, inheritable to all files in all subdirectories" for
  your own %USERPROFILE% directory (or all of them plus %ProgramData%
  if you have administrative rights).

  JFTR: "Deny" ACEs take precedence over "Allow" ACEs.


* enable the default SAFER ruleset which allows execution (of *.exe)
  only in %SystemRoot%\ and %SystemRoot%\System32\ and any executable
  file in %ProgramFiles%\ and below.
  For x64 you'll have to add rules for %SystemRoot%\SysWoW64\*.exe
  and %SystemRoot%\Sysnative\*.exe as well as %ProgramFiles(x86)%\

  Cf. <http://mechbgon.com/srp/> for instructions, or use the
  scripts <http://home.arcor.de/skanthak/download/XP_SAFER.INF>
  for Windows XP (including embedded versions) and Server 2003
  resp. <http://home.arcor.de/skanthak/download/NT6_SAFER.INF>
  for Windows Vista, 7 and 8 as well as Server 2008 [R2]


Then open the SPAM folder of your mail client, get one of the many
"invoice.pdf.exe" your anti-virus fails to detect and "open" it.


regards
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists