Matt Nelson BlueHat Seattle 2017 presentation

1. “_____ Is Not a Security
Boundary."
Things I Have Learned and Things That
Have Gotten Better from Researching
Microsoft Software
Matt Nelson (@enigma0x3)
SpecterOps

2. Overview
◦ Intro
◦ Disclaimer
◦ Why this is relevant
◦ Security Boundaries and Us
◦ Practical Examples
◦ Conclusion

3. Intro
◦ Matt Nelson (@enigma0x3)
▫ Job: Security Researcher & Red Teamer
@SpecterOps
▫ Trainer: BlackHat, AT:RTO
▫ Blog: enigma0x3.net
▫ Speaker: Various BSides, DerbyCon,
ShmooCon, WWHF, OPCDE

4. Disclaimer
◦ The following presentation is from the
perspective of an external security
researcher.
◦ Opinions are derived from first-hand
experience reporting atypical
abuse/bypasses.

5. I Replicate Persistent
Adversaries

6. Say What?
◦ My day job is to attack massive
organizations.
◦ I face the same hurdles that the bad
guys do.
▫ I also innovate around those
hurdles… just like the bad guys do.

7. The Problem
◦ People rely on vendors to protect them.
▫ This very often includes organizations as well…
◦ This works with serviceable bugs
▫ Not so well with security “feature” bypasses
◦ Organizations are confused on what they
need to fix and what is automatically fixed.

8. The Problem
◦ Most organizations lack basic security
posture
▫ Patching, logging, etc.
◦ Ideal scenario:
▫ Organizations use things like Application
Whitelisting, Command Line Logging, Network
Segmentation

9. The Reality

10. The Problem
◦ Researchers face a similar issue
▫ How do we know what to report?
◦ Some researchers have gotten “This isn’t
a boundary” responses.
▫ This can cause hesitation

11. Security Boundaries
and Us

12. Security Boundary?
“What’s a security boundary? It’s a wall
through which code and data can’t pass
without the authorization of a security
policy.“ - Mark Russinovich
https://blogs.technet.microsoft.com/markrussinovich/2007/02/12/psexec-user-
account-control-and-security-boundaries/

13. Implications?
◦ I hate the phrase “Security Boundary”
◦ Historically, the deciding factor if a fix is
issued or not.
◦ Just because it isn't a boundary, doesn’t
mean it shouldn't be fixed.

14. Implications?
◦ This has gotten much better as of late
◦ We now have “Defense in Depth” fixes
▫ Pushed out Patch Tuesday or added into new Windows
builds
◦ All the while, attackers don’t care and use
everything they can in the wild.

15. “Attackers don’t care
about security
boundaries” - Jessica
Payne at MSIgniteNZ
(@jepayneMSFT)
https://twitter.com/jepayneMSFT/status/791702594309677056

16. What Does This Mean?
◦ “Security Boundaries” == touchy subject
▫ Not cut & dry what is/isn’t
◦ Security Researchers get grumpy when
hearing “Technology X is not a security
boundary”
◦ Attackers. Don’t. Care.

17. Look At It This Way...
◦ Comes down to economics
◦ Is a security feature an impediment to
an attacker? If so, investing in a bypass
is worth it.
◦ Security Boundary or not, raising the
cost for attackers is a win!

18. Practical Examples

19. Outlook Forms/Rules
◦ Outlook Rule/Form attacks
▫ Remotely sync malicious Outlook rules or forms
(with scripts) for code-execution
▫ Discovered by @silentbreaksec
■ https://silentbreaksecurity.com/malicious-outlook-rules/
▫ Weaponized with Ruler from SensePost
◦ Feature of Office, not a vulnerability
▫ Fixed in KB4011091!

20. OLE
◦ Object Linking and Embedding
▫ Attackers’ favorite for smuggling in malicious
payloads via Office documents
◦ This is what I use on almost every
assessment
◦ Again, just a feature.
▫ So, not worthy of a fix, right?

21. OLE

22. Office 2016
◦ This is what ignoring “boundaries” and
raising the cost for attackers looks like.
◦ These 2 attacks are feature abuse only
▫ No bug is abused
▫ Yet, it was still fixed!

23. Protected View
◦ Designed to prevent various Office
components from being used when the doc
is from the internet
▫ Prevents automatic exploitation
◦ Most Office applications/file formats are
enrolled
▫ Except OneNote, Publisher and Excel
SLK files

24. Protected View
◦ Typically patched
▫ CVE-2016-3279 for example (.XLA files not
enrolled)
◦ Why are Publisher/OneNote/SLK files not?
▫ Mostly the same functionality
▫ I have used these formats to compromise clients
from the internet.

25. Protected View: DDE
◦ Dynamic Data Exchange
▫ Allows command execution
▫ It is a feature!
◦ Widely used by ITW malware, such as Locky
◦ The Response?

26. Protected View: DDE
https://www.theregister.co.uk/2017/10/17/microsoft_dde_attacks/

28. Office 2016
◦ Some things are GREAT
◦ Others, not so much
◦ Sometimes, it’s the simple things that can
make a huge difference

29. Anti-Malware Scan
Interface

30. Anti-Malware Scan Interface
◦ Standard interface for hooking scripting
engines (WSH/PowerShell,VBA)
◦ Helps facilitate detecting “in-memory”
attacks executed through Scripting
Languages

31. Anti-Malware Scan Interface

32. Anti-Malware Scan Interface
◦ AMSI bypass == AV-free code-execution
◦ Many exist
◦ Do we report these? Or do we save time
and publically disclose with mitigation
options?
▫ Attack service can get overwhelming...

33. Example: COM Hijacking
◦ Hijacks the AMSI COM server via the
registry
◦ Process calls CoCreateInstance() to
instantiate the AMSI COM component
◦ Calling process == Medium integrity level
▫ This results in searching HKCU for the COM
server

35. Example: COM Hijacking

36. Anti-Malware Scan Interface
◦ Is this a “boundary”?
▫ No.
◦ Is this a hurdle (some) attackers have to
jump over?
▫ Yes. A massive one.
◦ Do security vendors take a dependency
on AMSI?
▫ Yes.

37. Anti-Malware Scan Interface
◦ This is where things get weird.
▫ Vendors can’t fix everything
◦ How do you defend against a process
that has full access to its own memory
space?
◦ People need to defend themselves…
▫ Constrained Language Mode, Application
Whitelisting, etc.

38. Example: Unloading via
Reflection

39. Example: AMSI DLL Hijack
◦ The AMSI DLL isn’t loaded from a safe
location
▫ So, it uses the default Windows search order
◦ Load scripting engine from place you
control, drop fake AMSI DLL in same
directory
▫ Blogged about by @Cneelis
▫ Stop letting low-rep binaries execute/load

41. Anti-Malware Scan Interface
◦ So, some of them were fixed and some
were not
▫ Why not fix all those that are possible? (is it cost?)
◦ This raises the bar for an attacker
▫ They will rely on techniques such as reflection
(PowerShell)
▫ Makes logging these bypasses (in WMF 5) trivial
◦ Combine these fixes with CLM/AWL

42. User Account Control

43. User Account Control
◦ Designed to break out administrative
and standard user rights
◦ Explicitly stated it isn’t a boundary
▫ I completely agree
◦ Yet, it is a barrier that already elevated
attackers have to get around
▫ Why not make it harder?

44. User Account Control
◦ UAC has a MASSIVE attack surface
▫ It is hard to keep up on it
◦ UAC bypasses were introduced in 2009
and didn’t start to get fixed until 2016…
▫ But things are getting better!!

45. Example: UAC Bypass via
EventVwr
◦ Eventvwr.exe starts mmc.exe with the
Event Viewer MSC snap-in
▫ How does it know what binary handles .msc files?
◦ Looks in HKCU for it :-)
◦ Hijack that and you have the ability to
elevate without user interaction

46. Example: UAC Bypass via
EventVwr

47. Example: UAC Bypass via
EventVwr

48. Example: UAC Bypass via
EventVwr
◦ Populating that key with a binary +
parameters == code execution
◦ Malware authors ate this one up…
◦ Great example: UAC isn’t a boundary,
yet attackers care a lot about it
▫ Why not fix it?

49. Example: UAC
Bypass via
EventVwr
https://twitter.com/JohnLaTwC/status/817010045464367111

50. Example: UAC Bypass via
EventVwr
◦ As mentioned before, things are getting
better...
http://www.winhelponline.com/blog/microsoft-fixes-eventvwr-exe-uac-bypass-exploit-windows-10-creators-update/

51. User Account Control
◦ Please keep it up!
◦ Many UAC bypasses have been fixed
▫ Many have not…
◦ We know it isn’t trivial
▫ It makes attacker life suck, though

52. Device Guard

53. Device Guard
◦ The best application whitelisting solution
to date
▫ But doesn’t scale…yet.
◦ You define what you trust in a CI policy
▫ Certificates, hashes, etc.
▫ Both Kernel and Usermode
◦ Requires a bypass to run unsigned code
that isn’t in allowed via the policy

54. Device Guard
◦ Is this a hurdle that (some) attackers
have to jump over?
▫ Absolutely
◦ Bypasses are *usually* serviced with
CVEs
◦ Some bugs are not though (.NET)
▫ Why not??

55. Device Guard
◦ The difference: Device Guard makes a
security guarantee
▫ If you have a policy deployed, code that doesn’t
conform to that policy can’t run
◦ If you break that guarantee, it gets a CVE
▫ Usually…
▫ http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-
methods.html

56. Case Study: CVE-2017-0007
◦ UMCI in Device Guard didn’t properly
validate the call when checking a file’s
integrity
◦ Normally, an unsigned file should be
prevented from executing

58. Case Study: CVE-2017-0007
◦ So, what happens if we take an
embedded signature block from a
Microsoft signed file and apply it to our
own?

60. Case Study: CVE-2017-0007
◦ As you can see, the digital signature of
that file did not validate
▫ This is expected
◦ Since that file is not legitimately signed
and doesn’t pass integrity checks, UMCI
should block it
▫ Right?

62. Conclusion

63. This Problem Isn’t Trivial
◦ How can you fix everything?
▫ It isn’t practical
◦ Security Feature bypasses take a very
low precedence
◦ Ideally, organizations would wake up
and use all the latest and greatest
▫ WDATP, ATA, etc.

64. Call to Action
◦ Attackers are going to bypass these
features regardless of their “fix” priority
◦ Vendors & Defensive teams will be left
scrambling to write detections for these
bypasses
◦ Perform internal research

65. Call to Action
◦ Consider raising the service bar
▫ Doesn’t have to be a CVE; DiD fixes work too!
◦ Issue fixes consistently
◦ No fix? Issue mitigation options
◦ Communicate with researchers!
▫ Explain the reason for not fixing instead of “It
just isn’t a security boundary”

66. Shoutouts
◦ Special thanks to Nate Warfield
(MSRC), Lee Holmes (Azure), Scott
Anderson (Device Guard), Tom
Gallagher (Office) & Ryan Kivett!

67. Thanks!!!
Any questions?
@enigma0x3
matt@specterops.io