
Microsoft Windows AppLocker Bypass

Posted Mar 24, 2017
Authored by Stefan Kanthak

Microsoft Windows versions 8 and newer suffer from an AppLocker bypass vulnerability.

tags | advisory, bypass
systems | windows
SHA-256 | 9d1b92067f6ae28cd876b6ae4a80e1d0947df6c18468cc1f09f3c8d2eeeca041

Hi @ll,

Windows 8 and newer versions (Windows 7 and Windows Server 2008 R2
with KB2532445 or KB3125574 installed too) don't allow unprivileged
callers to circumvent AppLocker and SAFER rules via

LoadLibraryEx(TEXT("<arbitrary DLL>"), NULL, LOAD_IGNORE_CODE_AUTHZ_LEVEL);

See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
and <https://support.microsoft.com/kb/2532445>

| LOAD_IGNORE_CODE_AUTHZ_LEVEL 0x00000010
|
| If this value is used, the system does not check AppLocker rules
| or apply Software Restriction Policies for the DLL. This action
| applies only to the DLL being loaded and not to its dependencies.
| This value is recommended for use in setup programs that must
| run extracted DLLs during installation.
|
| Windows Server 2008 R2 and Windows 7:
| On systems with KB2532445 installed, the caller must be running
| as "LocalSystem" or "TrustedInstaller"; otherwise the system
| ignores this flag.


Unprivileged users can, however, bypass AppLocker or SAFER (alias Software
Restriction Policies) via

STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi = {0};
CreateProcess(TEXT("<arbitrary exe>"), NULL, NULL, NULL, FALSE,
              CREATE_PRESERVE_CODE_AUTHZ_LEVEL, NULL, NULL, &si, &pi);

on ALL versions from Windows XP to Windows 10!

See <https://msdn.microsoft.com/en-us/library/ms684863.aspx>

| CREATE_PRESERVE_CODE_AUTHZ_LEVEL 0x02000000
|
| Allows the caller to execute a child process that bypasses the
| process restrictions that would normally be applied automatically
| to the process.


Mitigation:
~~~~~~~~~~~

Create an "AppCert.Dll" that exports CreateProcessNotify and
set the following registry entry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppCert.Dll"="<path>\AppCert.Dll"
...

Note: AppCertDlls are loaded at the first call of one of the
CreateProcess*() functions. Process creation is denied
if one of them returns STATUS_UNSUCCESSFUL from its
CreateProcessNotify() routine when called with the reason
PROCESS_CREATION_QUERY; the flag CREATE_PRESERVE_CODE_AUTHZ_LEVEL
does not exempt the child process from this check.

--- APPCERT.C ---
#pragma comment(linker, "/DLL")
#ifdef _WIN64
#pragma comment(linker, "/EXPORT:CreateProcessNotify,PRIVATE")
#else
#pragma comment(linker, "/EXPORT:CreateProcessNotify=_CreateProcessNotify@8,PRIVATE")
#endif
#pragma comment(linker, "/NOENTRY")

#include <windows.h>
#include <winternl.h>   // NTSTATUS

// STATUS_* values live in <ntstatus.h>; defining the two used here avoids
// the WIN32_NO_STATUS include order dance
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS      ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#endif

// reasons passed by the loader to CreateProcessNotify()
#define PROCESS_CREATION_QUERY   1L
#define PROCESS_CREATION_ALLOWED 2L
#define PROCESS_CREATION_DENIED  3L

// Hypothetical policy helper, not part of the original advisory, which
// leaves forbidden() to the reader: this version denies every image that
// is not located below one of the allow-listed directories. It assumes
// lpApplicationName carries the full Win32 path of the image, and uses
// only kernel32 functions because /NOENTRY leaves the CRT uninitialised.
static BOOL forbidden(LPCWSTR lpApplicationName)
{
    static const LPCWSTR allowed[] = { L"C:\\Windows\\",
                                       L"C:\\Program Files\\",
                                       L"C:\\Program Files (x86)\\" };
    int i, length, prefix;

    if (lpApplicationName == NULL)
        return TRUE;

    length = lstrlenW(lpApplicationName);

    for (i = 0; i < (int)(sizeof(allowed) / sizeof(allowed[0])); i++)
    {
        prefix = lstrlenW(allowed[i]);

        // case-insensitive prefix match of the image path against the allow-list
        if (length >= prefix
         && CompareStringOrdinal(lpApplicationName, prefix, allowed[i], prefix, TRUE) == CSTR_EQUAL)
            return FALSE;
    }

    return TRUE;
}

NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, ULONG ulReason)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;

    switch (ulReason)
    {
    case PROCESS_CREATION_QUERY:
        // called once for each process that is to be created
        // return STATUS_SUCCESS to allow process creation or
        // return STATUS_UNSUCCESSFUL to deny process creation

        if (forbidden(lpApplicationName))
            ntStatus = STATUS_UNSUCCESSFUL;

        break;

    case PROCESS_CREATION_ALLOWED:
        // called once for each process that is allowed creation

        // ... (body elided in the original advisory)

        break;

    case PROCESS_CREATION_DENIED:
        // called once for each process that is denied creation

        // ... (body elided in the original advisory)

        break;

    default:
        break;
    }

    // the return value is only used for PROCESS_CREATION_QUERY,
    // all other conditions are ignored

    return ntStatus;
}
--- EOF ---
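Every value under the AppCertDlls key names a DLL that the loader pulls into each process calling CreateProcess*(), so once the mitigation is deployed the key should be audited: the expected entry must be present, the DLL must exist, and it must be signed and not writable by ordinary users. The following PowerShell script is an added example for that audit; it is not part of Stefan Kanthak's advisory. It reads the registry key named in the mitigation and reports, per value, whether the DLL exists, its Authenticode signature status and signer, and the file owner (the owner check is a coarse, assumed heuristic for "could a non-administrator replace this DLL"). Run it from an elevated prompt.

```powershell
# Added example, not from the original advisory: audit the AppCertDlls key
# that the CreateProcessNotify mitigation above relies on.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllAudit {
    param([string]$Path = $AppCertKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No AppCertDlls key present: the CreateProcessNotify mitigation is not configured."
        return
    }

    $item = Get-Item -LiteralPath $Path
    foreach ($name in $item.GetValueNames()) {
        # REG_EXPAND_SZ values are expanded by GetValue(); expand again in case
        # the value was stored as plain REG_SZ with %variables% inside
        $dll = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))

        $result = [ordered]@{
            Value  = $name
            Dll    = $dll
            Exists = Test-Path -LiteralPath $dll
        }

        if ($result.Exists) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            $result.Signature = $sig.Status              # expect 'Valid'
            $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Assumed heuristic: a DLL loaded into every process should be owned by
            # an administrative principal; anything else deserves a closer look
            $result.Owner     = (Get-Acl -LiteralPath $dll).Owner
        }
        else {
            $result.Signature = 'missing file'
        }

        [pscustomobject]$result
    }
}

Get-AppCertDllAudit | Format-List
```

A value whose DLL is missing, unsigned, or owned by a non-administrative account is worth investigating: the key not only enforces the policy described above, it also hands code execution in every process that creates processes to whatever DLL is listed there.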


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-03-10 sent vulnerability report to vendor

2017-03-10 reply from vendor: MSRC case 37727 opened

2017-03-13 reply from vendor: product team is working on case

2017-03-21 reply from vendor:
"The product team has finished their investigation and
determined this will be serviced in a future version
of Windows. AppLocker bypasses are not serviced via
monthly security roll-ups; only major version updates."

2017-03-21 note: <https://support.microsoft.com/kb/2532445> did, however,
service a bypass with a hotfix, which was incorporated in later
security updates and is included in the "convenience"
rollup <https://support.microsoft.com/en-us/kb/3125574>

2017-03-21 reply from vendor:
"If you want this fixed immediately and are an
enterprise customer you'll need to work with your
Account Manager to open a support case."

2017-03-21 report published

