Microsoft Windows versions 8 and newer suffer from an AppLocker bypass vulnerability.
Hi @ll,
Windows 8 and newer versions (and Windows 7 and Windows Server 2008 R2
with KB2532445 or KB3125574 installed) don't allow unprivileged
callers to circumvent AppLocker and SAFER rules via
    LoadLibraryEx(TEXT("<arbitrary DLL>"), NULL, LOAD_IGNORE_CODE_AUTHZ_LEVEL);
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
and <https://support.microsoft.com/kb/2532445>
| LOAD_IGNORE_CODE_AUTHZ_LEVEL 0x00000010
|
| If this value is used, the system does not check AppLocker rules
| or apply Software Restriction Policies for the DLL. This action
| applies only to the DLL being loaded and not to its dependencies.
| This value is recommended for use in setup programs that must
| run extracted DLLs during installation.
|
| Windows Server 2008 R2 and Windows 7:
| On systems with KB2532445 installed, the caller must be running
| as "LocalSystem" or "TrustedInstaller"; otherwise the system
| ignores this flag.
Unprivileged users can, however, bypass AppLocker or SAFER (alias Software
Restriction Policies) via
    STARTUPINFO si = {sizeof(STARTUPINFO)};
    PROCESS_INFORMATION pi = {0};
    CreateProcess(TEXT("<arbitrary exe>"), NULL, NULL, NULL, FALSE,
                  CREATE_PRESERVE_CODE_AUTHZ_LEVEL, NULL, NULL, &si, &pi);
on ALL versions from Windows XP to Windows 10!
See <https://msdn.microsoft.com/en-us/library/ms684863.aspx>
| CREATE_PRESERVE_CODE_AUTHZ_LEVEL 0x02000000
|
| Allows the caller to execute a child process that bypasses the
| process restrictions that would normally be applied automatically
| to the process.
Mitigation:
~~~~~~~~~~~
Create an "AppCert.Dll" that exports CreateProcessNotify and
set the following registry entry
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppCert.Dll"="<path>\AppCert.Dll"
...
Note: AppCertDlls are loaded at the first call of one of the
CreateProcess*() functions. Process creation is denied
if one of them returns STATUS_UNSUCCESSFUL from its
CreateProcessNotify() routine when it is called with the flag
PROCESS_CREATION_QUERY.
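Registering the DLL from an elevated PowerShell session, as an added example (not part of the original post): it creates the registry key and value named above and then verifies them. Because an AppCert DLL is loaded into every process that calls CreateProcess*(), including processes running as LocalSystem, the script first refuses to register a DLL whose file is writable by anyone other than administrators, SYSTEM or TrustedInstaller. The install path C:\Windows\System32\AppCert.dll is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: register an AppCertDlls entry and verify it.
# Key and value name are the ones given in the post; the DLL path is assumed.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$name = 'AppCert.Dll'
$dll  = 'C:\Windows\System32\AppCert.dll'   # assumed install location

if (-not (Test-Path -LiteralPath $dll)) {
    throw "AppCert DLL not found at $dll"
}

# The DLL ends up in every process that creates processes, so a file that
# non-administrators can modify would let them run code in those processes.
# Any Allow ACE granting write/delete (or GENERIC_WRITE/GENERIC_ALL) to a
# principal outside the trusted set blocks the registration.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             0x40000000 -bor 0x10000000     # GENERIC_WRITE, GENERIC_ALL
$trusted   = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|NT SERVICE\\TrustedInstaller)$'

$weak = (Get-Acl -LiteralPath $dll).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
    $_.IdentityReference.Value -notmatch $trusted
}
if ($weak) {
    $weak | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-String | Write-Warning
    throw "Refusing to register ${dll}: writable by non-administrative principals"
}

# The AppCertDlls key is absent on a default installation; create it on demand.
if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path $key -Name $name -Value $dll -PropertyType String -Force | Out-Null

# Verify that the value reads back exactly as written.
$registered = (Get-ItemProperty -Path $key).$name
if ($registered -ne $dll) {
    throw "Registration of $name failed (read back '$registered')"
}
"Registered $name -> $registered"
```

The entry takes effect for processes that have not yet called a CreateProcess*() function, so existing processes keep running without the check until they restart. Since a CreateProcessNotify() that returns STATUS_UNSUCCESSFUL unconditionally denies every process creation on the machine, test the DLL's decision logic on a non-production system before registering it, and keep a way to remove the value (for example from the recovery environment) at hand.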
--- APPCERT.C ---
#pragma comment(linker, "/DLL")
#ifdef _WIN64
#pragma comment(linker, "/EXPORT:CreateProcessNotify,PRIVATE")
#else
#pragma comment(linker, "/EXPORT:CreateProcessNotify=_CreateProcessNotify@8,PRIVATE")