Didier Stevens

Tuesday 7 September 2010

Integrity Levels and DLL Injection

Filed under: bpmtk,Windows 7,Windows Vista — Didier Stevens @ 0:53

Microsoft introduced a new kernel security feature with Windows Vista: Integrity Levels. Each process has an integrity level: Low, Medium, High or System. A process with a lower integrity level can’t write to an object with a higher integrity level.

For processes, this means that a process with low integrity level can’t open a handle with full access to a process with medium integrity level. This is what I’ll show in this post: a process with low integrity level can’t inject a DLL in a process with medium (or higher) integrity level.

Normal, non-elevated processes run with medium integrity level by default. Here I inject a DLL into notepad.exe with my bpmtk utility:

The integrity level of the cmd.exe process is medium, and therefor the integrity level of bpmtk.exe (launched by cmd.exe) is also medium. Because the integrity level of the notepad.exe process is also medium, the DLL injection succeeds.

To help you identify the integrity level of processes on your machine, you can add an integrity level column to process explorer:

Now we’ll do the same DLL injection from a cmd.exe and bpmtk.exe process with low integrity level.

The icacls.exe utility can be used to view and set integrity levels. Because I don’t want to change the integrity level of the original cmd.exe, I’m making a copy of cmd.exe: cmd-low-il.exe. Cmd-low-il.exe has no explicit integrity level:

When we set an explicit integrity level (low) on cmd-low-il.exe with icacls.exe, cmd-low-il.exe will run with low integrity level in stead of medium. And every program started by this cmd-low-il.exe process will also run with low integrity level.

You need admin right to assign a low integrity level to cmd-low-il.exe:

Here you can see the low integrity level setting:

When we start cmd-il-low.exe, it will run with low integrity level. Executing bpmtk.exe from cmd-il-low.exe will force bpmtk.exe to run with low integrity level. bpmtk.exe fails to inject the DLL. When bpmtk.exe tries to open a handle with full access to notepad.exe, the call to OpenProcess fails with access denied. Notepad.exe runs with medium integrity level, and bpmtk.exe running with low integrity level has no right to open a handle to modify the notepad.exe process.

Integrity Levels look like a good security feature to sandbox vulnerable, Internet facing applications. But there are issues I’ll highlight in an upcoming post.

13 Comments »

  1. Where Can I download this “bpmtk utility” ?

    Comment by Andro — Tuesday 7 September 2010 @ 8:30

  2. @Andro If you go through the posts I linked too, you’ll find downloads.
    Here is a link: http://www.didierstevens.com/files/software/bpmtk_V0_1_6_0.zip

    Comment by Didier Stevens — Tuesday 7 September 2010 @ 10:06

  3. Let me see if I understand this. Basically, you’re opening a handle on the chosen process token and modifying its integrity level, right?

    And another question. Does UAC warn you about this? This is with UAC activated, of course.

    Comment by Manu — Tuesday 7 September 2010 @ 14:23

  4. @Manu No, I don’t modify the integrity level of the “attacked” process, that’s what the kernel has to prevent.
    UAC is activated, and you get no warning, because I don’t try to elevate.

    Comment by Didier Stevens — Tuesday 7 September 2010 @ 14:55

  5. Hi guys!
    From Windows Vista and later versions, there are exists six possible integrity levels. There are from Highest to lowest.

    Trusted Installer
    System (operating system processes)
    High (administrators)
    Medium (non-administrators)
    Low (temporary Internet files)
    Untrusted

    From icacls is not possible (I don`t know) to change the others IL.
    Mark Minasi have a great tool to change IL in folders and files called chml.
    http://www.minasi.com/apps/
    http://technet.microsoft.com/en-us/magazine/2007.06.acl.aspx

    Comment by silverhack — Thursday 9 September 2010 @ 10:07

  6. @silverhack Mark’s tool is great, and he’s a great speaker too. His tool has more IL features than icacls, but icacls is installed with Windows.

    Comment by Didier Stevens — Thursday 9 September 2010 @ 16:16

  7. Hey Didier! Thanks a lot for posting so many useful articles one after another!

    Keep it up, man! Videos, notes, tools… what else can we expect? Yes, something else: we are waiting you to release a book! :)

    Thanks!

    Comment by MagicMac — Friday 10 September 2010 @ 17:47

  8. [...] Integrity Levels and DLL Injection – didierstevens.com For processes, this means that a process with low integrity level can’t open a handle with full access to a process with medium integrity level. [...]

    Pingback by Week 36 in Review – 2010 | Infosec Events — Monday 13 September 2010 @ 3:51

  9. [...] to read @ Didier’s Site. October 9, 2010 – 12:38 pm | By NaorP | Posted in Microsoft, Security | Comments (0) [...]

    Pingback by Integrity Levels and DLL Injection | HitIT — Saturday 9 October 2010 @ 10:36

  10. [...] Level is done by setting the appropriate ACE in the DACL of the application executable, see my post Integrity Levels and DLL Injection for [...]

    Pingback by PDF, DEP, ASLR and Integrity Levels « Didier Stevens — Monday 11 October 2010 @ 8:41

  11. [...] benefit the most of Adobe Reader’s sandbox, you need to use a Windows version that supports integrity levels (Windows Vista or later). Windows XP will not offer you this [...]

    Pingback by Quickpost: Adobe Reader X « Didier Stevens — Friday 19 November 2010 @ 18:03

  12. Are you going to post further details about IL vulns as you mention in the final line? It would be great

    Comment by __fastcall — Saturday 19 March 2011 @ 23:36


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 198 other followers

%d bloggers like this: