Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13038
HistoryJun 09, 2006 - 12:00 a.m.

Windows Software Restriction Policy Protection Bypass

2006-06-0900:00:00
vulners.com
402

Windows Software Restriction Policy Protection Bypass

Class: Protection bypass
Vector: Local
Tested on: Windows XP SP2, Windows Server 2003 SP1
Risk: Low

Remark:
I don't know, what is it - bug or feature, but I can't find any documentation on this issue.

Description:
Software Restriction Policies restrictions doesn't apply if user logon via secondary logon service
(Run As).

Test:

Create new SRP policy (in Local or Domain Level GPO, for User or for Computer). Change security levels
to Disallowed. Update policy and logon as restricted user. Copy notepad to the desktop. Try to launch
notepad from desktop (will fail). Right click on notepad, choose run as, select "Following users", and
type current user name and password. You'll see launched notepad. CLI version (runas.exe) provides
similar results.

Remark.

Why ACLs doesn't help?
If user has ability to write (create files) in any folder (for example - profile, temporary internet
files, whatever) he (or she of cause) becomes the owner of created files. And even we revoke NTFS
execute permission on any writable folder, user can change permissions on files, because he (or she of
cause) he is creator/owner.

Example (test is not an administrator):

cd \noexec
copy \WINDOWS\system32\notepad.exe .
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe BUILTIN\Users:(DENY)(Special access:)
FILE_EXECUTE

                  BUILTIN\Users:(DENY)(Special access:)
                                WRITE_DAC
                                WRITE_OWNER

                  BUILTIN\Administrators:F
                  NT AUTHORITY\SYSTEM:F
                  WINXP01\test:F
                  BUILTIN\Users:R

C:\noexec>notepad.exe
Access denided.

C:\noexec>cacls.exe notepad.exe /G test:F
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe WINXP01\test:F

C:\noexec>notepad.exe

Workaround:

Disable Secondary Logon service:

sc stop seclogon
sc config seclogon start= disabled

Timeline:

05.06 - Vulnerability discovered
08.06.06 - Vendor notification
09.06.06 - Vendor response

"Software Restriction Policy and Group Policy are not meant to be complete security featuresโ€ฆFor
full security, we recommend using ACLs to protect the appropriate resources in your environmentโ€ฆ"

09.06.06 - Public disclosure