Windows Software Restriction Policy Protection Bypass

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Windows Software Restriction Policy Protection Bypass
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Fri, 9 Jun 2006 12:05:18 +0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear bugtraq@xxxxxxxxxxxxxxxxx,

  It was reported anonymously with request to post to lists.

Windows Software Restriction Policy Protection Bypass

Author:          Anonymous
Class:           Restrictions bypass
Vector:          Local
Vendor:          Microsoft
Sofware:         Windows XP SP2, Windows Server 2003 SP1
Risk level:      Low

Remark:

I  don't  know,  what  is  it  -  bug  or  feature, but I can't find any
documentation on this issue.

Description:

Software  Restriction  Policies restrictions doesn't apply if user logon
via secondary logon service (Run As).

Test:

Create  new  SRP  policy  (in Local or Domain Level GPO, for User or for
Computer). Change security levels to Disallowed. Update policy and logon
as  restricted  user. Copy notepad to the desktop. Try to launch notepad
from  desktop (will fail). Right click on notepad, choose run as, select
"Following  users",  and type current user name and password. You'll see
launched notepad. CLI version (runas.exe) provides similar results.

Remark. 

Why ACLs are not workaround?
If user has ability to write (create files) in any folder (for example - 
profile, temporary internet
files, whatever) he (or she of cause) becomes the owner of created files. And 
even we revoke NTFS
execute permission on any writable folder, user can change permissions on 
files, because he (or she of
cause) is creator/owner for said file.

Example (user 'test' is not an administrator):

cd \noexec
copy \WINDOWS\system32\notepad.exe .
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe BUILTIN\Users:(DENY)(Special access:)
                                    FILE_EXECUTE

                      BUILTIN\Users:(DENY)(Special access:)
                                    WRITE_DAC
                                    WRITE_OWNER

                      BUILTIN\Administrators:F
                      NT AUTHORITY\SYSTEM:F
                      WINXP01\test:F
                      BUILTIN\Users:R

C:\noexec>notepad.exe
Access denided.

C:\noexec>cacls.exe notepad.exe /G test:F
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe WINXP01\test:F

C:\noexec>notepad.exe

Workaround:

Disable Secondary Logon service:

sc stop seclogon
sc config seclogon start= disabled

Timeline:

05.06 - Vulnerability discovered
08.06.06 - Vendor notification
09.06.06 - Vendor response

"Software  Restriction  Policy  and  Group  Policy  are  not meant to be
complete  security features...For full security, we recommend using ACLs
to protect the appropriate resources in your environment..."

09.06.06 - Public disclosure
  

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/

Follow-Ups:
- RE: Windows Software Restriction Policy Protection Bypass
  - From: Roger A. Grimes
- Re: [Full-disclosure] Windows Software Restriction Policy Protection Bypass
  - From: Dinis Cruz

Prev by Date: [USN-288-2] PostgreSQL server/client vulnerabilities
Next by Date: P.A.I.D v2.2
Previous by thread: [USN-288-2] PostgreSQL server/client vulnerabilities
Next by thread: Re: [Full-disclosure] Windows Software Restriction Policy Protection Bypass
Index(es):
- Date
- Thread