Did You Get Your Token?

Daniel and Azure (Keen Team)

ABOUT US

Daniel King (金龙) @long123king• Keen Team Security Researcher• 3/5 years working experience, former TrendMicro employee• Windows Security Research, keen on uncovering secrets Under The Hood

Azure (杨杰韬) @Hoshizoranoaoi• Keen Team Intern Security Researcher• Senior student at China University of Petroleum• Sandbox Bypass, keen on pwning programs and devices

Keen Team @K33nTeam• 5 Champions in Pwn2Own• 2 Nominations for Pwnies Awards 2015• Hosting GeekPwn 2014, 2015• 10%+ foreign team members• Peter Hlavaty and Marco Grassi were ZeroNights speakers

OUTLINE

1. Windows Security Model2. Access Check3. Token4. Object and Security Descriptor5. Protected Process6. Sandbox7. Browser Sandbox details8. A story about sandbox bypass9. How to make use of sandbox in Windows

Windows Security Model

1. Securable resources are referenced as Objects

2. Each object has its own Security Descriptor

3. Each process has a Primary Token and zero or more Impersonation Tokens

4. Access Check happens whenever an object is created or opened

5. Effective Token is checked against the object’s Security Descriptor

6. Results of Access Check are cached to each host process’s Handle Table

7. Objects and Processes are all hierarchical, so Security Descriptors and Tokens are inheritable

Access Check

1. Discretionary Access Control List Check

2. Privileges and Super Privileges Check

3. Integrity Level and Mandatory Policy Check

4. Restricted Token’s Access Check

5. AppContainer’s Capabilities Check

6. Trust Level Check

Token

Token Layout

Token Layout

TokenInsighthttps://github.com/long123king/TokenInsight

An application for obtaining, dumping and modifying token from user land.

Calculate Hash of Sid Groups

Linked Token and Session

Object Layout

Security Descriptor Layout

Object Layout

Object Directory Layout

Object Type

Protected Process

tokenexthttps://github.com/long123king/tokenext

A windbg extension, extracting token related contents

Protected Process

PspCheckForInvalidAccessByProtection

If the Host should be subject to Target’s Restrictions?

Kernel Mode Host Target Not Protected PP Host PPL Host, PPL Target

Host Signer Dominates Guest Signer

Others√

RESTRICTIONS PASSES ALLOWED ACCESS

PROCESS

0x000fc7fe 0x00003801

PROCESS_SET_LIMITED_INFORMATIONPROCESS_QUERY_LIMITED_INFORMATIONPROCESS_SUSPEND_RESUMEPROCESS_TERMINATE

0x000fc7ff 0x00003800PROCESS_SET_LIMITED_INFORMATIONPROCESS_QUERY_LIMITED_INFORMATIONPROCESS_SUSPEND_RESUME

THREAD

0x000fe3fd 0x00001c02

THREAD_RESUMETHREAD_QUERY_LIMITED_INFORMATIONTHREAD_SET_LIMITED_INFORMATIONTHREAD_SUSPEND_RESUME

0x000fe3ff 0x00001c00THREAD_RESUMETHREAD_QUERY_LIMITED_INFORMATIONTHREAD_SET_LIMITED_INFORMATION

Protected Process

Protected Process

Sandbox

IntegrityLevelSid

SD IL

Another 2 kinds of sandbox

1. Sandbox based on AppContainer and its Capabilities Sid

Windows Apps and IE Enhanced Protected Mode are built upon this kind of sandbox

2. Sandbox based on Trust Level

\Windows\SharedSection [0x61: Trust Label Lite(PPL) PsProtectedSignerTcb(6)]

\KnownDlls32\* [0x61: Trust Label Lite(PPL) PsProtectedSignerTcb(6)]

\KnownDlls\* [0x61: Trust Label Lite(PPL) PsProtectedSignerTcb(6)]

Token Object of System Process [0x62: Trust Label Protected(PP) PsProtectedSignerTcb(6)]

Browser Sandbox

IE Enhanced Protected Mode

IE Protected Mode

Edge

Chrome

The way a token from broker to render

Render

IEShims

Parent ProcessOther Broker

Internet Explorer 11

The way a token from broker to render

Edge

EShims

BrowserBroker

Edge

Other Broker

Token

Is there any way to escape sandbox logically?

Symlink?

Fixed in APSB-15-09

Did you really get your token?

NO, this is my file!

Code after fix You need more elegant way?

Mitigations about sandbox bypass

Finally fixed in MS15-090

How to make use of Windows sandbox?

Job Object

Modify file ACE

Process Mitigation

Policy Spawn

Integrity Level Drop

https://github.com/trailofbits/AppJailLauncher

Questions?

Special thanks

Jihui Lu (@promised_lu)Alex Ionescu(@aionescu)James Forshaw (@tiraniddo)Peter Hlavaty (@zer0mem)Liang Chen (@chenliang0817)

All KeenTeam members and you