Didier Stevens

Monday 4 October 2010

LowerMyRights

Filed under: Malware,My Software,Vulnerabilities — Didier Stevens @ 0:30

Last year I posted about some techniques and tools to restrict the rights of applications on Windows XP when you run with admin rights. I mentioned a new tool, LowerMyRights, which I forgot to publish. So here it is.

You would use LowerMyRights.dll only if the other tools and techniques are not appropriate for your specific case. LowerMyRights is useful when you can’t create a new process with restricted rights, but when you’ve to restrict the rights of an existing process.

When this DLL is loaded inside an existing process, it will check a whitelist and a blacklist to decide if it has to restrict the process’ rights (it also checks if it’s running on Windows XP). If the application’s name if found in the blacklist and not in the whitelist, LowerMyRights will do its job.

First, it will remove all the privileges of the primary token, except the SEChangeNotifyPrivilege.

Second, it will create a restricted token (with ACLs denying Administrator and Power Users rights) and use this token for impersonation (it uses impersonation because Windows doesn’t allow modifications to the ACLs of a primary token).

This impersonation is also a weak point of LowerMyRights compared with the other tools: exploit code can switch back to the unrestricted primary token by calling RevertToSelf.

You can load LowerMyRights inside all processes by adding it to the AppInit_DLL registry key, but be careful, this might cripple your system as it is loaded inside every process (even at boot time), so please test first.
Or else you use LoadDLLViaAppInit, or add it to the import table like explained here.

The whitelist (lowermyrights.wl.txt) is just a text file with a list of applications to whitelist (i.e. not lower the rights). You must use full pathnames in the whitelist.
The blacklist (lowermyrights.bl.txt) is just a text file with a list of applications to blacklist (i.e. to lower the rights). You must not use full pathnames in the whitelist, but just the application’s name.
The idea I had with this different operation of the whitelist and blacklist, is that you would be able to whitelist specific applications while blacklisting copies/fakes of these applications.
An example with notepad will make this clear: by adding c:\windows\system32\notepad.exe to the whitelist and notepad.exe to the blacklist, you would be able to use the original notepad.exe with full rights, while copies of notepad (located at other locations) or other programs with the name notepad.exe would be restricted. With hindsight, I don’t think this dual list feature is useful, but I left it in anyways (the program is a year old, I used it for a year and I haven’t modified it).

Download:

LowerMyRights_V0_0_0_3.zip (https)

MD5: FF937173AB1CD2C7A9DF050D7ADF0696

SHA256: 9AA83F24031029F60862CAAE477B02DF0C0887BD6E9078A1E186FEF6DF873253

7 Comments »

  1. What is your opinion of Surun?

    http://kay-bruns.de/wp/software/surun/

    Comment by Yonatan Amir — Monday 4 October 2010 @ 11:42

  2. @Yonatan Amir Don’t know it, will have a look if Google translation is decent

    Comment by Didier Stevens — Monday 4 October 2010 @ 14:08

  3. […] de tool, die hand voor Adobe Reader-gebruikers zou zijn, als de bijbehorende uitleg, zijn op het blog van de Belg te vinden. Bron: security.nl __________________ Never be afraid to try something […]

    Pingback by Plaats hier software gerelateerd nieuws! - Page 25 — Monday 4 October 2010 @ 17:20

  4. […] LowerMyRights – didierstevens.com When this DLL is loaded inside an existing process, it will check a whitelist and a blacklist to decide if it has to restrict the process’ rights (it also checks if it’s running on Windows XP). […]

    Pingback by Week 40 in Review – 2010 | Infosec Events — Friday 22 October 2010 @ 11:57

  5. […] LowerMyRights – didierstevens.com When this DLL is loaded inside an existing process, it will check a whitelist and a blacklist to decide if it has to restrict the process’ rights (it also checks if it’s running on Windows XP). […]

    Pingback by Week 40 in Review – 2010 | Portable Digital Video Recorder — Friday 22 October 2010 @ 15:16

  6. The way to plug the RevertToSelf() loophole is to start a new process with the restricted token using CreateProcessAsUser. Read my BHUSA10 whitepaper for more information.

    Keep up the good work!

    /olle

    Comment by olleB — Tuesday 2 November 2010 @ 13:26

  7. @olleB Correct, that is what DropMyRights and StripMyRights do. LowerMyRights, however, is designed for the case where you can’t create a new process, but have to work with an existing process.

    Comment by Didier Stevens — Tuesday 2 November 2010 @ 17:19


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 244 other followers

%d bloggers like this: