One Article Review

Home - The article:
Source ProjectZero
Identifier 8221942
Publication date 2022-08-23 12:40:09 (viewed: 2022-11-25 18:05:33)
Title Understanding Network Access in Windows AppContainers
Text Posted by James Forshaw, Project Zero

Recently I've been delving into the inner workings of the Windows Firewall. This is interesting to me as it's used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.

I recently discovered a configuration issue with the Windows Firewall which allowed the restrictions to be bypassed and allowed an AppContainer process to access the network. Unfortunately Microsoft decided it didn't meet the bar for a security bulletin so it's marked as WontFix.

As the mechanism that the Windows Firewall uses to restrict access to the network from an AppContainer isn't officially documented as far as I know, I'll provide the details on how the restrictions are implemented. This will provide the background to understanding why my configuration issue allowed for network access. I'll also take the opportunity to give an overview of how the Windows Firewall functions and how you can use some of my tooling to inspect the current firewall configuration. This will provide security researchers with the information they need to better understand the firewall and assess its configuration to find other security issues similar to the one I reported. At the same time I'll note some interesting quirks in the implementation which you might find useful.

Windows Firewall Architecture Primer

Before we can understand how network access is controlled in an AppContainer we need to understand how the built-in Windows firewall functions. Prior to XP SP2 Windows didn't have a built-in firewall, and you would typically install a third-party firewall such as ZoneAlarm.
These firewalls were implemented by hooking into Network Driver Interface Specification (NDIS) drivers or implementing user-mode Winsock Service Providers, but this was complex and error-prone. While XP SP2 introduced the built-in firewall, the basis for the one used in modern versions of Windows was introduced in Vista as the Windows Filtering Platform (WFP). However, as a user you wouldn't typically interact directly with WFP. Instead you'd use a firewall product which exposes a user interface, and then configures WFP to do the actual firewalling. On a default installation of Windows this would be the Windows Defender Firewall. If you installed a third-party firewall this would replace the Defender component, but the actual firewall would still be implemented through configuring WFP.
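The two-layer architecture described above (a firewall product such as Defender on top, WFP underneath doing the actual filtering) can be inspected from both sides. The following PowerShell is an added example and is not code from the original post. It assumes an elevated session on Windows 10/11 and, for the second half, that James Forshaw's NtObjectManager module is installed; the cmdlet names `Get-FwEngine`, `Get-FwFilter -AleLayer`, `Format-FwFilter` and the `Conditions`/`FieldKeyName` property names are taken from that module's documentation and are assumptions here, not something this page verifies. `Get-AppContainerFirewallRule` is a helper name chosen for this example.

```powershell
# Added example (not from the original post). Compare the Defender Firewall
# view of AppContainer restrictions with the raw WFP filters beneath it.

# 1. High-level view: Windows Defender Firewall rules that are scoped to a
#    package (AppContainer) SID. Get-NetFirewallApplicationFilter exposes the
#    Package SID of each rule; a non-empty Package means the rule applies only
#    to processes running in that AppContainer.
function Get-AppContainerFirewallRule {
    Get-NetFirewallRule | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Package) {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Direction = $_.Direction
                Action    = $_.Action
                Enabled   = $_.Enabled
                Profile   = $_.Profile
                Package   = $app.Package   # e.g. S-1-15-2-... package SID
            }
        }
    }
}

Get-AppContainerFirewallRule | Format-Table -AutoSize

# 2. Low-level view: the WFP filters that Defender (or a third-party firewall)
#    actually installs. The outbound IPv4 connect decision is made in the
#    ALE_AUTH_CONNECT_V4 layer, so list the filters there whose conditions
#    test the ALE_PACKAGE_ID field, i.e. the calling process's AppContainer
#    package SID. Cmdlet and property names are assumed from NtObjectManager.
Import-Module NtObjectManager

$engine  = Get-FwEngine
$filters = Get-FwFilter -Engine $engine -AleLayer ConnectV4

$pkgFilters = $filters | Where-Object {
    $_.Conditions | Where-Object {
        $_.FieldKeyName -eq 'FWPM_CONDITION_ALE_PACKAGE_ID'
    }
}

# Format-FwFilter prints the name, action type, weight and condition list.
# Weight and sub-layer are what matter when checking whether a Block filter
# for a package can be out-weighted by a Permit filter in the same sub-layer.
$pkgFilters | Format-FwFilter
```

The first listing is what an administrator sees; the second is what the kernel actually evaluates. When assessing a configuration, diff the two: a package that appears blocked at the rule level but has a higher-weight Permit filter in the same WFP sub-layer is exactly the kind of discrepancy that lets an AppContainer reach the network.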
Sent Yes
Tags Guideline
Stories
Notes ★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.