M2Team / Privexec

Run the program with the specified permission level (C++20 required)
MIT License

Request: Low Privilege AppContainer (LPAC) #12

Closed WildByDesign closed 5 years ago

WildByDesign commented 5 years ago

Now that the AppContainer functionality is working 100%, it would be great to have an option to run within LPAC sandbox as well. James Forshaw (Google Project Zero / Chrome sandbox) suggested to me that it is just one additional security attribute during launch to be low privilege AC.

This would require an additional item on the Privexec drop down menu and wsudo.

AppContainer
AppContainer (LPAC)
Mandatory Integrity Control
No Elevated (UAC)
Administrator

Attribute as shown from Process Hacker: LPAC

Code that verifies LPAC is enabled or not: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/NtToken.cs#L2583

This security attribute needs to be added during process launch and determines that AppContainer is Low Privilege AppContainer (LPAC) which is more secure in comparison to regular AC.

Therefore, having a choice between two types of AppContainer on menu would be excellent.

You already have LPAC capabilities, so that part of the development is already there. You just need the WIN://NOALLAPPPKG security attribute added to token during launch.

Thank you. Keep up the fantastic work!

fcharlie commented 5 years ago

@WildByDesign Maybe just add a checkbox to support whether to enable LPAC.

Use SetTokenInformation to set TokenUserClaimAttributes.

```cpp
// https://docs.microsoft.com/zh-cn/windows/desktop/api/winnt/ns-winnt-_claim_security_attribute_v1
typedef struct _CLAIM_SECURITY_ATTRIBUTE_V1 {
  PWSTR Name;
  WORD  ValueType;
  WORD  Reserved;
  DWORD Flags;
  DWORD ValueCount;
  union {
    PLONG64                                      pInt64;
    PDWORD64                                     pUint64;
    PWSTR                                        *ppString;
    PCLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE         pFqbn;
    PCLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
  } Values;
} CLAIM_SECURITY_ATTRIBUTE_V1, *PCLAIM_SECURITY_ATTRIBUTE_V1;

// https://docs.microsoft.com/zh-cn/windows/desktop/api/winnt/ns-winnt-_claim_security_attributes_information
typedef struct _CLAIM_SECURITY_ATTRIBUTES_INFORMATION {
  WORD  Version;
  WORD  Reserved;
  DWORD AttributeCount;
  union {
    PCLAIM_SECURITY_ATTRIBUTE_V1 pAttributeV1;
  } Attribute;
} CLAIM_SECURITY_ATTRIBUTES_INFORMATION, *PCLAIM_SECURITY_ATTRIBUTES_INFORMATION;
```

WildByDesign commented 5 years ago

@fcharlie Yes, I agree, a checkbox would work best.

fcharlie commented 5 years ago

@WildByDesign See: https://github.com/M2Team/Privexec/commit/587a21e813b1ae8bdab246c1c1fcf84137b09a0d SetTokenInformation does not work.

fcharlie commented 5 years ago

Use UpdateProcThreadAttribute to set ProcThreadAttributeAllApplicationPackagesPolicy.

Now Privexec/WSUDO support LPAC.
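The two pieces discussed in this thread, the launch-time attribute that fcharlie ended up with (UpdateProcThreadAttribute with the all-application-packages policy, since the earlier SetTokenInformation/TokenUserClaimAttributes route did not work) and the WIN://NOALLAPPPKG token check from the first post, as an added example that is not Privexec's own code. It assumes a Windows 10 SDK (the attribute and policy constants are only defined there), an AppContainer profile that the caller has already created with CreateAppContainerProfile, no extra capabilities (the `Capabilities` array is left empty), and that LPAC can be recognised by the presence of the WIN://NOALLAPPPKG claim among the token's security attributes, which is the same signal the issue and the linked NtApiDotNet check rely on. The claim-name test is kept portable so it can be exercised on any platform; the Windows-only launch and token-query functions are compiled under `_WIN32`.

```cpp
// Added example, not Privexec's code: launch a process as an AppContainer,
// optionally as a Low Privilege AppContainer (LPAC), and check the result by
// looking for the WIN://NOALLAPPPKG claim on the child's token.
#include <algorithm>
#include <string>
#include <vector>

// The claim the issue identifies as the LPAC marker on a token.
constexpr const wchar_t *kLpacClaim = L"WIN://NOALLAPPPKG";

// Portable part: given the names of a token's security attributes, decide
// whether the token belongs to an LPAC process.
bool IsLpacFromClaimNames(const std::vector<std::wstring> &names) {
  return std::find(names.begin(), names.end(), std::wstring(kLpacClaim)) != names.end();
}

#ifdef _WIN32
#include <windows.h>
#include <userenv.h>
#pragma comment(lib, "userenv.lib")
#pragma comment(lib, "advapi32.lib")

// Collect the claim names from the token's security attributes
// (TokenSecurityAttributes returns a CLAIM_SECURITY_ATTRIBUTES_INFORMATION).
bool QueryTokenClaimNames(HANDLE token, std::vector<std::wstring> &names) {
  DWORD len = 0;
  GetTokenInformation(token, TokenSecurityAttributes, nullptr, 0, &len);
  if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) return false;
  std::vector<BYTE> buf(len);
  if (!GetTokenInformation(token, TokenSecurityAttributes, buf.data(), len, &len)) return false;
  auto *info = reinterpret_cast<PCLAIM_SECURITY_ATTRIBUTES_INFORMATION>(buf.data());
  for (DWORD i = 0; i < info->AttributeCount; ++i)
    names.emplace_back(info->Attribute.pAttributeV1[i].Name);
  return true;
}

// True if the given process runs as LPAC (what Process Hacker labels "LPAC").
bool IsProcessLpac(HANDLE process) {
  HANDLE token = nullptr;
  if (!OpenProcessToken(process, TOKEN_QUERY, &token)) return false;
  std::vector<std::wstring> names;
  bool ok = QueryTokenClaimNames(token, names);
  CloseHandle(token);
  return ok && IsLpacFromClaimNames(names);
}

// Launch `cmdline` inside the AppContainer profile `profileName`; when `lpac`
// is set, add PROC_THREAD_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY with
// PROCESS_CREATION_ALL_APPLICATION_PACKAGES_OPT_OUT so the child is LPAC.
// The profile must already exist (CreateAppContainerProfile), assumed here.
bool LaunchInAppContainer(const std::wstring &profileName, std::wstring cmdline,
                          bool lpac, PROCESS_INFORMATION &pi) {
  PSID acSid = nullptr;
  if (FAILED(DeriveAppContainerSidFromAppContainerName(profileName.c_str(), &acSid)))
    return false;

  SECURITY_CAPABILITIES sc{};
  sc.AppContainerSid = acSid;
  sc.Capabilities = nullptr;   // fill with SID_AND_ATTRIBUTES for any capabilities needed
  sc.CapabilityCount = 0;
  DWORD policy = PROCESS_CREATION_ALL_APPLICATION_PACKAGES_OPT_OUT;

  // Attribute list with room for two attributes: capabilities + LPAC policy.
  SIZE_T size = 0;
  InitializeProcThreadAttributeList(nullptr, 2, 0, &size);
  std::vector<BYTE> raw(size);
  auto *attrs = reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(raw.data());
  bool ok = InitializeProcThreadAttributeList(attrs, 2, 0, &size) &&
            UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES,
                                      &sc, sizeof(sc), nullptr, nullptr);
  if (ok && lpac)
    ok = UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY,
                                   &policy, sizeof(policy), nullptr, nullptr) != 0;

  STARTUPINFOEXW si{};
  si.StartupInfo.cb = sizeof(si);
  si.lpAttributeList = attrs;
  if (ok)
    ok = CreateProcessW(nullptr, &cmdline[0], nullptr, nullptr, FALSE,
                        EXTENDED_STARTUPINFO_PRESENT, nullptr, nullptr,
                        &si.StartupInfo, &pi) != 0;
  DeleteProcThreadAttributeList(attrs);
  FreeSid(acSid);
  return ok;
}
#endif
```

After `LaunchInAppContainer(L"MyProfile", L"notepad.exe", true, pi)` succeeds, `IsProcessLpac(pi.hProcess)` should return true and Process Hacker shows the LPAC attribute on the child; with `lpac` false the same call yields a plain AppContainer and the check returns false.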

WildByDesign commented 5 years ago

Congratulations on this latest achievement/development, sir. This program becomes more and more powerful. Thank you.