sR6uWE

More documents

Recommendations

Info

INTERNALS: INITIALIZATIONAppend ACCESS_ALLOWED_ACEs to hSandboxToken DACL:• ACE 1: SID = TokenUser of hBrokerToken• ACE 2: SID = S-1-5-5-X-Y (Logon Session)Sets hSandboxToken integrity level:• S-1-16-4096 (Low Mandatory Level )Creates Sandbox directory, lpDirectory, with this ACL:• lpDirectory = GetUserProfileDirecotry() + lpSandboxName• Administrators; GENERIC_ALL access• Creator Owner; GENERIC_ALL access• User-SID of hBrokerToken; GENERIC_ALL access• Sandbox-SID; GENERIC_ALL access• Low Mandatory Level; 0x01accessCreates Sandbox directory, lpDirectory, with new profile:• lpDirectory = GetAppContainerFolderPath()+”\\Temp”• Profile capability = Sandbox-SIDChecks for creation of new desktopGUI Sub-System SecurityUnkObj.fAlternateWinStation == 1 UnkObj.fAlternateWinStation == 0Creates new desktop:• szDesktop = “Microsoft Office Isolated Environment”• dwDesiredAccess = GENERIC_ALLCreates and connects IPC named-pipe, pNamePipeSecDescriptor, with this ACL:• lpPipeName = “\\.\pipe\OfficeUser_” + lpSandboxName• nOutBufferSize = 0x00002000• Administrators; GENERIC_ALL access• Creator Owner; GENERIC_ALL access• User-SID of hBrokerToken; GENERIC_ALLaccess• Sandbox-SID; SYNCHRONIZE | READ_CONTROL | 0x8B access• Low Mandatory Level; 0x01 accessLabs.mwrinfosecurity.com | © MWR Labs 16
INTERNALS: INITIALIZATIONLowIntegrity-modeAdds Office-Capability-SID, if applicableAppContainer-modeUpdates attribute for sandbox process, UpdateProcThreadAttribute():• Attribute = PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES• lpValue = Office-Capability-SID (S-1-15-3-2929230137-1657469040)dwCreationFlags = 0x414CREATE_UNICODE_ENVIRONMENT | CREATE_NEW_CONSOLE | CREATE_SUSPENDEDdwCreationFlags = 0x80414EXTENDED_STARTUPINFO_PRESENT | CREATE_UNICODE_ENVIRONMENT |CREATE_NEW_CONSOLE | CREATE_SUSPENDEDCreates sandbox process with CreateProcessAsUser():• hToken = hSandboxToken (Low-Integrity mode) or hBrokerToken (AppContainer mode)• lpCommandLine = Full-path application with “/Embedding” switchAssign hSandboxProcess to hSandboxJobResume sandbox process• GUI sub-system security: No desktop isolation• Job object restrictions: No UI restrictions– “DIVING INTO IE 10’S ENHANCED PROTECTED MODE SANDBOX”• Read/Write to clipboard, screen scraping, screen capturesLabs.mwrinfosecurity.com | © MWR Labs 17
Page 1 and 2: UNDERSTANDING THE MICROSOFT OFFICE
Page 3 and 4: Outline• Introduction• Sandbox
Page 5 and 6: INTRODUCTION• Sandboxing 101- Wik
Page 7 and 8: MS OFFICE 2013 PROTECTED-VIEW SANDB
Page 9 and 10: OperatingINTERNALS: ARCHITECTUREBro
Page 11 and 12: INTERNALS: ARCHITECTURE• Elevatio
Page 13 and 14: OperatingINTERNALS: ARCHITECTUREBro
Page 15: INTERNALS: INITIALIZATIONMSO.sub_00
Page 19 and 20: INTERNALS: RESTRICTIONSFile Locatio
Page 21 and 22: INTERNALS: RESTRICTIONS• Capabili
Page 25 and 26: IPC: INTERNAL OBJECTSThreadMgr Obje
Page 27 and 28: IPC: MESSAGE FORMATMessage HeaderMe
Page 29 and 30: IPC: MESSAGE 0X001000• No message
Page 31 and 32: IPC: MESSAGE 0X091000Message Body f
Page 33 and 34: IPC: MESSAGE 0X0C1000• Windows Er
Page 35 and 36: WER ServerIPC: MESSAGE 0X0C1000Wind
Page 37 and 38: IPC: MESSAGE 0X0C1000• Issue 2: D
Page 39 and 40: IPC: MESSAGE 0X0C1000• DemoLabs.m
Page 41 and 42: IPC: MESSAGE 0X0F1000• “Microso
Page 45 and 46: MS OFFICE 2016: SANDBOX INTERNALS
Page 47 and 48: MS OFFICE 2016: IPC 0X161000• New
Page 51 and 52: REFERENCES• Yason, Mark Vincent.

sR6uWE

Create successful ePaper yourself

Delete template?

Save as template?