Windows Software Restriction Policy Protection Bypass



Dear bugtraq@xxxxxxxxxxxxxxxxx,

It was reported anonymously with request to post to lists.

Windows Software Restriction Policy Protection Bypass

Author: Anonymous
Class: Restrictions bypass
Vector: Local
Vendor: Microsoft
Sofware: Windows XP SP2, Windows Server 2003 SP1
Risk level: Low

Remark:

I don't know, what is it - bug or feature, but I can't find any
documentation on this issue.

Description:

Software Restriction Policies restrictions doesn't apply if user logon
via secondary logon service (Run As).

Test:

Create new SRP policy (in Local or Domain Level GPO, for User or for
Computer). Change security levels to Disallowed. Update policy and logon
as restricted user. Copy notepad to the desktop. Try to launch notepad
from desktop (will fail). Right click on notepad, choose run as, select
"Following users", and type current user name and password. You'll see
launched notepad. CLI version (runas.exe) provides similar results.

Remark.

Why ACLs are not workaround?
If user has ability to write (create files) in any folder (for example - profile, temporary internet
files, whatever) he (or she of cause) becomes the owner of created files. And even we revoke NTFS
execute permission on any writable folder, user can change permissions on files, because he (or she of
cause) is creator/owner for said file.

Example (user 'test' is not an administrator):

cd \noexec
copy \WINDOWS\system32\notepad.exe .
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe BUILTIN\Users:(DENY)(Special access:)
FILE_EXECUTE

BUILTIN\Users:(DENY)(Special access:)
WRITE_DAC
WRITE_OWNER

BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
WINXP01\test:F
BUILTIN\Users:R

C:\noexec>notepad.exe
Access denided.

C:\noexec>cacls.exe notepad.exe /G test:F
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe WINXP01\test:F

C:\noexec>notepad.exe

Workaround:

Disable Secondary Logon service:

sc stop seclogon
sc config seclogon start= disabled

Timeline:

05.06 - Vulnerability discovered
08.06.06 - Vendor notification
09.06.06 - Vendor response

"Software Restriction Policy and Group Policy are not meant to be
complete security features...For full security, we recommend using ACLs
to protect the appropriate resources in your environment..."

09.06.06 - Public disclosure


--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/



Relevant Pages