воскресенье, 9 августа 2015 г.

Universal way to bypass Group Policy (SRP) by Limited User

(It's the post from July 2011)

What is it? Group policy is a powerful feature of Windows OS.
From wiki: “Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment“

For example, it can block users’ access to Regedit or IE proxy changing. So it is additional limits for users, besides file system and other permissions. One of the main parts of Group Policy is represented by Software Restriction Policy (SRP). Administrator can set a little list of software which can be run by limited user with SRP. Therefore, SRP can level up security of whole system by restricting user’s rights.

How does it work? 

When a user launches a process it’s the parent process that checks SRP to see if the execution of the child should be allowed or blocked. The parent process uses NtQueryValueKey to query the Registry value HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled, which if present and non-zero indicates that SRP is turned on.

How can we bypass it? 

There are few different ways. Their main idea is that SRP check is situated in user space. A parent process is owned by a limited user. Therefore, a user can bypass SRP by different memory manipulations.


Marc Russinovich posted a great tool – Gpdisable and a good explanation of SRP on his blog. Gpdisable is now unavailable, but it can be found in Internet Gpdisable uses dll-injection techniques, to inject into a parent process memory. Then “it fools the SRP code by returning an error value”, when SRP tries to query TransparentEnabled. Therefore, a parent process can run any other process.


Gpdisable consists of 2 files – gpdisable.exe and gpdisable.dll. gpdisable.exe – inject DLL into process. gpdisable.dll – DLL for bypassing SRP. But in real life, there is a problem - to inject gpdisable.dll. Because in a good restricted system a user has access to run only software from white list. So you should run gpdisable.exe, but you don’t have right to do it.

Real Attack!

When I read about binary planting, I’ve got an idea how we can inject gpdisable.dll in process. It’s simple – dll-hijacking. But almost all big software (like MS Word, Excel and Notepad :) doesn’t have such vulnerabilities. That’s bad. But if we use "advanced" dll-hijacking (COM server-based binary planting), we can do it almost of all software. I won’t retell an idea of such binary planting, but you can get it from Acros Security Blog.

Steps to bypass SRP for XP:
  • rename gpdisable.dll to deskpan.dll;
  • create a new folder and name it as files.{42071714-76d4-11d1-8b24-00a0c9068ff3};
  • place deskpan.dll to the new folder;
  • open the folder;
  • create a new rich text document in the folder;
  • double-click the rich-text document.
  • Wordpad runs with gpdisable.dll
  • Bypassed :) We can run any process.

There are similar steps for Windows Vista/7 and others. In addition, all that steps we can do from “Open” or “Save As” dialogue, that can be useful for Citrix systems.

Thanks to Ryan Sears.
And thank you, for your attention. Alexey Tyurin

Комментариев нет:

Отправить комментарий