Data Center Security

 View Only

  • 1.  Remote code execution and shell

    Posted Nov 25, 2014 02:25 PM

    Hi everyone,

    I need some help fixing an interesting issue. I have a windows 2008 box with default "Hardened policy" applied to it. I am also running a vulnerable application on this box which allows remote code execution and throws back the command shell to the attacker machine. The vulnerable application is running under "Hardened" sandbox.

    With above settings, SDCS is not preventing the attack and the attacker is able to obtain the shell. My assumption based on some SDCS videos was that even in the case of successful exploit, SDCS will prevent the attacker to get the shell. Am I missing something?

    What policy changes are required to prevent any application from returing the shell without hindering the sysadmin operations?

    Regards,

    Nadeem



  • 2.  RE: Remote code execution and shell

    Posted Nov 27, 2014 04:08 AM

    Hi Nadeem,

    you didn't post the events that occured while running your exploit and which DCS version you are using so I have to guess what happens on your system. 

    In the hardened policy the hardened sandbox is the fallback sandbox for everything not known in your ruleset. Assigning the vulnerable application (and probably anything happening during the exploit) to this sandbox is the expected behaviour in your case. There are several thins I would do in our case:

    1. Did you try to change anything to the system with your shell? I saw several pentests where the attacker got a shell but didn't have any rights to change anything on the OS. So just sseing the shell doesn't mean that the attack was succesful.
    2. Try to change the a few standard options in your policy:
      1. Turn on all options in "Memory Controls" inside the hardened sandbox. This should prevent most changes in the memory to running applications.
      2. Got to General Settings in "Global Policy Options" and check which sandbox "Remote File Access" is set to. Use the read only or deny sandbox and whitelist any remote applications with higher rights later.
      3. Test your exploit again
    3. If the exploit still works you need to do more:
      1. Create a custom sandbox with hardened strategy
      2. Create an application rule for your vulnerable Application and assign it to your new sandbox
      3. Test your exploit again

    Please post the results again and let us know some more details of what happens during the exploit.

     

    Daniel