• Aucun résultat trouvé

Did You Get Your Token?

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Did You Get Your Token?"

Copied!
31
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Did You Get Your Token?

Daniel and Azure (Keen Team)

(2)

ABOUT US

Daniel King (金龙) @long123king

• Keen Team Security Researcher

• 3/5 years working experience, former TrendMicro employee

• Windows Security Research, keen on uncovering secrets Under The Hood Azure (杨杰韬) @Hoshizoranoaoi

• Keen Team Intern Security Researcher

• Senior student at China University of Petroleum

• Sandbox Bypass, keen on pwning programs and devices Keen Team @K33nTeam

• 5 Champions in Pwn2Own

• 2 Nominations for Pwnies Awards 2015

• Hosting GeekPwn 2014, 2015

• 10%+ foreign team members

• Peter Hlavaty and Marco Grassi were ZeroNights speakers

(3)

OUTLINE

1. Windows Security Model 2. Access Check

3. Token

4. Object and Security Descriptor 5. Protected Process

6. Sandbox

7. Browser Sandbox details

8. A story about sandbox bypass

9. How to make use of sandbox in Windows

(4)

Windows Security Model

1. Securable resources are referenced as Objects 2. Each object has its own Security Descriptor

3. Each process has a Primary Token and zero or more Impersonation Tokens 4. Access Check happens whenever an object is created or opened

5. Effective Token is checked against the object’s Security Descriptor 6. Results of Access Check are cached to each host process’s Handle Table

7. Objects and Processes are all hierarchical, so Security Descriptors and Tokens are inheritable

(5)

Access Check

1. Discretionary Access Control List Check 2. Privileges and Super Privileges Check

3. Integrity Level and Mandatory Policy Check 4. Restricted Token’s Access Check

5. AppContainer’s Capabilities Check 6. Trust Level Check

(6)

Token

(7)

Token Layout

(8)

Token Layout

TokenInsight

https://github.com/long123king/TokenInsight

An application for obtaining, dumping and modifying token from user land.

(9)

Calculate Hash of Sid Groups

(10)

Linked Token and Session

(11)

Object Layout

(12)

Security Descriptor Layout

(13)

Object Layout

(14)

Object Directory Layout

(15)

Object Type

(16)

Protected Process

tokenext

https://github.com/long123king/tokenext

A windbg extension, extracting token related contents

(17)

Protected Process

PspCheckForInvalidAccessByProtection

If the Host should be subject to Target’s Restrictions?

Kernel Mode Host

Target Not Protected

PP Host

PPL Host, PPL Target

Host Signer Dominates Guest Signer

Others

RESTRICTIONS PASSES ALLOWED ACCESS

PROCESS

0x000fc7fe 0x00003801

PROCESS_SET_LIMITED_INFORMATION PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SUSPEND_RESUME

PROCESS_TERMINATE

0x000fc7ff 0x00003800 PROCESS_SET_LIMITED_INFORMATION PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SUSPEND_RESUME

THREAD

0x000fe3fd 0x00001c02

THREAD_RESUME

THREAD_QUERY_LIMITED_INFORMATION THREAD_SET_LIMITED_INFORMATION THREAD_SUSPEND_RESUME

0x000fe3ff 0x00001c00 THREAD_RESUME

THREAD_QUERY_LIMITED_INFORMATION THREAD_SET_LIMITED_INFORMATION

(18)

Protected Process

(19)

Protected Process

(20)

Sandbox

IntegrityLevelSid

SD IL

(21)

Another 2 kinds of sandbox

1. Sandbox based on AppContainer and its Capabilities Sid

Windows Apps and IE Enhanced Protected Mode are built upon this kind of sandbox

2. Sandbox based on Trust Level

\Windows\SharedSection [0x61: Trust Label Lite(PPL) PsProtectedSignerTcb(6)]

\KnownDlls32\* [0x61: Trust Label Lite(PPL) PsProtectedSignerTcb(6)]

\KnownDlls\* [0x61: Trust Label Lite(PPL) PsProtectedSignerTcb(6)]

Token Object of System Process [0x62: Trust Label Protected(PP) PsProtectedSignerTcb(6)]

(22)

Browser Sandbox

IE Enhanced Protected Mode IE Protected Mode

Edge

Chrome

(23)

The way a token from broker to render

Render IEShims

Parent Process Other Broker

Internet Explorer 11

(24)

The way a token from broker to render

Edge EShims

BrowserBroker

Edge

Other Broker

(25)

Token

(26)

Is there any way to escape sandbox logically?

Symlink?

Fixed in APSB-15-09

(27)

Did you really get your token?

NO, this is my file!

Code after fix You need more elegant way?

(28)

Mitigations about sandbox bypass

Finally fixed in MS15-090

(29)

How to make use of Windows sandbox?

Job Object

Modify file ACE

Process Mitigation

Policy Spawn

Integrity Level Drop

https://github.com/trailofbits/AppJailLauncher

(30)

Questions?

(31)

Special thanks

Jihui Lu (@promised_lu) Alex Ionescu(@aionescu) James Forshaw (@tiraniddo) Peter Hlavaty (@zer0mem) Liang Chen (@chenliang0817)

All KeenTeam members and you

Références

Télécharger maintenant ( PDF - 31 Page - 1.88 MB )

Documents relatifs

Token transfer in a faulty network

Does there exist an e-safe semi-adaptive token transfer algorithm without information exchange, working in time o (n log n) if both links and nodes can

Token Ring/IEEE 802.5 9

the Reservation field (the least significant 3 bits), as well as a token bit (used to differentiate a token from a data/command frame) and a monitor bit (used by the active monitor

Dr. AI, where did you get your degree?

Rather than developing new regulations based on our existing rules for static medical products, we have proposed a novel regulatory framework for AI-enabled devices that is analogous

Idiom Token Classification with Distributed Semantics

Idiom token classification is the task of deciding for a set of potentially idiomatic phrases whether each occurrence of a phrase is a literal or idiomatic usage of the

Optimal speech motor control and token-to-token variability: a Bayesian modeling approach

(H 6a ) For a three-phoneme sequence, the planning prob- lem consists in finding a set of three points in the 6- dimensional control space that minimizes the perime- ter of the

On Secure Embedded Token Design

To achieve this we use modu- larised Yao circuits, which also support our second contribution: the first Yao-based implementation of a secure authentication payload, namely HMAC

Youth ! ... How did you find your job ?

The dependent variable here is the job access channel which takes 6 exclusive alternatives: direct procedures (direct job applications and job ads), network of personal and

Running head: HOW MANY LIKES DID YOU GET? 1 How Many Likes Did You Get?

Research often looks at social comparison with respect to social media and commonly finds self-esteem to be negatively impacted.. As Facebook is a dominant outlet of