Vigil@nce: Windows, bypassing AppLocker
November 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use two documented Windows features to bypass
AppLocker rules.
– Severity: 2/4
– Creation date: 15/11/2011
IMPACTED PRODUCTS
– Microsoft Windows 2008
– Microsoft Windows 7
DESCRIPTION OF THE VULNERABILITY
The AppLocker feature is used to define rules controlling which programs,
scripts, installers and DLLs are allowed to run.
Two methods documented by Microsoft can be used to bypass these
AppLocker rules.
The LoadLibraryEx() function is used to load a library. When it is
called with the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag, AppLocker rules are
not checked for the loaded DLL. [severity:1/4]
The CreateRestrictedToken() function creates a restricted version of an
existing access token. Its SANDBOX_INERT flag disables AppLocker rules
for every process created with the resulting token. [severity:2/4]
A local attacker can therefore use these two Windows features to bypass
AppLocker rules.
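As an added defender-side check (not part of the Vigil@nce bulletin), the following PowerShell script enumerates running processes and reports those whose primary token carries the SANDBOX_INERT flag, using the documented GetTokenInformation(TokenSandBoxInert) query; the Win32.Token P/Invoke wrapper and the Test-SandboxInertToken function name are assumptions made for this example. It covers only the CreateRestrictedToken() method: the LoadLibraryEx() flag is a per-call argument and leaves no token-level trace.

```powershell
# Added detection check: list processes whose primary token has SANDBOX_INERT set,
# meaning AppLocker rules are not enforced for them (see CreateRestrictedToken()).
# Win32.Token is a wrapper name chosen for this example, not a Windows type.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    out uint TokenInformation, uint TokenInformationLength, out uint ReturnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_INFORMATION = 0x0400   # process access required by OpenProcessToken
$TOKEN_QUERY               = 0x0008
$TokenSandBoxInert         = 15       # TOKEN_INFORMATION_CLASS::TokenSandBoxInert

# Returns $true if the process token has SANDBOX_INERT, $false if not,
# and $null if the process or its token could not be opened (treat as unknown).
function Test-SandboxInertToken {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    $hProc = [Win32.Token]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { return $null }
    try {
        $hTok = [IntPtr]::Zero
        if (-not [Win32.Token]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) { return $null }
        try {
            $inert = [uint32]0; $len = [uint32]0
            if (-not [Win32.Token]::GetTokenInformation($hTok, $TokenSandBoxInert, [ref]$inert, 4, [ref]$len)) {
                return $null
            }
            return ($inert -ne 0)
        } finally { [void][Win32.Token]::CloseHandle($hTok) }
    } finally { [void][Win32.Token]::CloseHandle($hProc) }
}

# Report flagged processes together with the ones that could not be inspected.
Get-Process | ForEach-Object {
    [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; SandboxInert = (Test-SandboxInertToken -ProcessId $_.Id) }
} | Where-Object { $_.SandboxInert -ne $false } | Format-Table -AutoSize
```

Run it from an elevated session, since opening other users' processes needs the corresponding rights; processes that cannot be opened show an empty SandboxInert column rather than being reported as clean.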
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-bypassing-AppLocker-11159