Comments on: Quickpost: SAFER and Malicious Documents

By: Didier Stevens

Didier Stevens — Sun, 20 Jun 2010 18:52:09 +0000

@dlimanov SAFER makes the programs run with a restricted token, one of the implications of this restricted token is that you’re not a member of the local administrators anymore. This denies you the right to write to system32 (and other ACL-protected directories as well, like Windows).

By: dlimanov

dlimanov — Mon, 14 Jun 2010 17:27:55 +0000

Does SAFER prevent restricted applications from writing to \system32 only, or is there anything else that is restricted behind the scenes? Is it possible to extend protection to \windows directory as well?

By: Drewfus

Drewfus — Wed, 05 May 2010 12:49:12 +0000

Thanks Didier.

By: Didier Stevens

Didier Stevens — Wed, 05 May 2010 10:44:00 +0000

@Drewfus Yes, these are equivalent

By: Drewfus

Drewfus — Wed, 05 May 2010 00:30:11 +0000

Didier, Safer and StripMyRights.exe have differing terminology for their respective token levels. Can you tell me if the table below is correct, in terms of equivalent meanings?

Safer          StripMyRights   Group
---------------------------------------------
Disallowed    
Untrusted      Untrusted
Restricted     Constrained
Basic User     Normal          Users
Unrestricted                   Administrators

By: karthik

karthik — Mon, 28 Sep 2009 23:53:21 +0000

I see your point, agreed that AD GPO’s is much elegant solution. I generally launch (just configure short cuts once) my email client, browser, IM client (basically all that connect to internet) with stripped down privileges, so all their child processes also gets privileges stripped.
and I dont like windows explorer, its crappy and heavy. i use blackbox shell instead.

your posts are very helpful, i enjoy reading it. thanks.

By: Didier Stevens

Didier Stevens — Mon, 28 Sep 2009 21:36:07 +0000

@karthik

We want to restrict the token of the process which ever way the application is launched. For malicious documents, the “reader application” can be started in many different ways:
1) Double-clicking the document in Windows Explorer.
2) Opening the document in your browser
3) opening the document in your e-mail client
…

For every of these cases, you want the application to run with restricted rights. So psexec is a solution, if you can configure your system to execute psexec for all of these different cases.

That’s why I talked about StripMyRights and the Image Execution registry entry. Because that’s one of the methods to make sure StripMyRights will proxy your application. Have you tested psexec with the Image Execution method? If it supports it, you can use it in stead of StripMyRights.

SAFER offers the advantage that you don’t need a proxy application to start the vulnerable application, and that it can be deployed with AD.

By: karthik

karthik — Mon, 28 Sep 2009 21:24:00 +0000

why not run using psexec utility from sysinternals like, “psexec.exe -l -d “