Didier Stevens

Monday 28 September 2009

Quickpost: SAFER and Malicious Documents

Filed under: My Software,Quickpost — Didier Stevens @ 17:50

I wasn’t going to mention SAFER to restrict the rights of an application, because Software Restriction Policies can be bypassed. But a Tweet by Edi Strosar made me review my viewpoint. In this particular case, bypassing SRP is a non-issue, because the user is already local admin!

Software Restriction Policies allow you to force specific applications to run with a restricted token. As Michael explained it with AD GPOs, I’ll show it with local policies.

Enable SAFER policies for SRPs by adding DWORD registry key Levels (value 0x31000) to HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers:

20090928-184852

Start the Local Security Policy administration tool and go to the Software Restriction Policies. You’ll have to create new policies if this is the first time you configure SRPs.

20090928-180154

Create a new rule in Additional Rules. We’ll identify the application to restrict by its path and name, so create a Path Rule:

20090928-185739

For the security level, select Basic User:

20090928-184938

If you have no Basic User option, you forgot to update the registry before launching the administration tool:

20090928-184657

Select the application to restrict:

20090928-185830

This rule will force Adobe Reader to run with a restricted token:

20090928-180534

Writing to SYSTEM32 is denied:

20090928-180742


Quickpost info


8 Comments »

  1. why not run using psexec utility from sysinternals like, “psexec.exe -l -d “

    Comment by karthik — Monday 28 September 2009 @ 21:24

  2. @karthik

    We want to restrict the token of the process which ever way the application is launched. For malicious documents, the “reader application” can be started in many different ways:
    1) Double-clicking the document in Windows Explorer.
    2) Opening the document in your browser
    3) opening the document in your e-mail client

    For every of these cases, you want the application to run with restricted rights. So psexec is a solution, if you can configure your system to execute psexec for all of these different cases.

    That’s why I talked about StripMyRights and the Image Execution registry entry. Because that’s one of the methods to make sure StripMyRights will proxy your application. Have you tested psexec with the Image Execution method? If it supports it, you can use it in stead of StripMyRights.

    SAFER offers the advantage that you don’t need a proxy application to start the vulnerable application, and that it can be deployed with AD.

    Comment by Didier Stevens — Monday 28 September 2009 @ 21:36

  3. I see your point, agreed that AD GPO’s is much elegant solution. I generally launch (just configure short cuts once) my email client, browser, IM client (basically all that connect to internet) with stripped down privileges, so all their child processes also gets privileges stripped.
    and I dont like windows explorer, its crappy and heavy. i use blackbox shell instead. ;-)

    your posts are very helpful, i enjoy reading it. thanks.

    Comment by karthik — Monday 28 September 2009 @ 23:53

  4. Didier,
    Safer and StripMyRights.exe have differing terminology for their respective token levels. Can you tell me if the table below is correct, in terms of equivalent meanings?

    Safer          StripMyRights   Group
    ---------------------------------------------
    Disallowed    
    Untrusted      Untrusted
    Restricted     Constrained
    Basic User     Normal          Users
    Unrestricted                   Administrators
    

    Comment by Drewfus — Wednesday 5 May 2010 @ 0:30

  5. @Drewfus Yes, these are equivalent

    Comment by Didier Stevens — Wednesday 5 May 2010 @ 10:44

  6. Thanks Didier.

    Comment by Drewfus — Wednesday 5 May 2010 @ 12:49

  7. Does SAFER prevent restricted applications from writing to \system32 only, or is there anything else that is restricted behind the scenes? Is it possible to extend protection to \windows directory as well?

    Comment by dlimanov — Monday 14 June 2010 @ 17:27

  8. @dlimanov SAFER makes the programs run with a restricted token, one of the implications of this restricted token is that you’re not a member of the local administrators anymore. This denies you the right to write to system32 (and other ACL-protected directories as well, like Windows).

    Comment by Didier Stevens — Sunday 20 June 2010 @ 18:52


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 227 other followers

%d bloggers like this: