Saturday, 28 April 2012

Windows AppCompat Research Notes - Part 1

These notes have been sitting around in a file for a while now. The reason we're publishing them is both to motivate ourselves and to motivate others to continue documenting how AppCompat on Microsoft Windows works.

Overview
AppCompat is a mechanism built into the Windows loader that provides a common infrastructure to patch the IAT (Import Address Table) of a process for shimming. At its core AppCompat is made up of databases and DLLs that define which shims apply to which binaries.

Why do we care about AppCompat when we're security people? Well, there are several reasons. For example there is an AppCompat patch to use a 'Fault tolerant heap'. So even applications deployed on the latest and greatest Windows may not be able to use the default heap and revert to a less secure implementation due to 'compatibility reasons' (which is code for: they corrupt their heap). Knowing this information allows us to better understand our exposure.

We also see other applications for AppCompat to improve security using a Microsoft sanctioned patching mechanism. For example we think it would be great if you could deploy VirtualAlloc replacements for all processes via the AppCompat enterprise configuration.

Prior Research / Database Structure
Alex Ionescu looked into AppCompat and the database [1][2][3][4]. We're not going to repeat what he said, so we encourage you to go and read that first. However, his SDB tool from part 4 can be built using the Microsoft APIs.

There is also an interesting Chinese blog post from 2008 which details quite a bit about how stuff works (although via Google Translate it's hard going).

Building Databases / Configuring Applications
If you want to see which fixes are available via a GUI and experiment, Microsoft make a tool available called the Microsoft Application Compatibility Toolkit. This can be used to build new AppCompat databases and configurations. It can also be used to investigate the available fixes if you don't want to implement a tool like Alex's.

Files related to AppCompat
The files which, on Windows 7 at least, appear to make up AppCompat are (note: this does not cover the loader aspects):

Core Engine
  • ShimEng.dll
Miscellaneous files
  • AMX\amxread.dll
  • APILog\apilogen.dll
General AppCompat
  • AppPatch\AcGenral.dll
  • AppPatch\AcLayers.dll
  • AppPatch\AcRes.dll
  • AppPatch\AcSpecfc.dll
  • AppPatch\acwow64.dll
  • AppPatch\AcXtrnal.dll
  • AppPatch\apihex86.dll
  • AppPatch\AppPatch64\AcGenral.dll
  • AppPatch\AppPatch64\AcLayers.dll
  • AppPatch\AppPatch64\acspecfc.dll
  • AppPatch\AppPatch64\AcXtrnal.dll
  • AppPatch\AppPatch64\apihex64.dll
  • AppPatch\en-US\AcRes.dll.mui
Application Verifier (yes it too uses the AppCompat infrastructure)
  • AppVer\vfbasics.dll
  • AppVer\vfcompat.dll
  • AppVer\vfLuaPriv.dll
  • AppVer\vfpodbc.dll
  • AppVer\vfprint.dll
  • AppVer\vfprintpthelper.dll
  • AppVer\vfwwdm32.dll
  • AppVer\vrfcore.dll

AppCompat DLL Structure
As Alex noted, it appears Microsoft use a C++ class (it's called ShimLib::) internally when implementing AppCompat DLLs. AppCompat is used by Microsoft technologies such as EMET and Application Verifier. For example, look at EMET.dll in C:\Program Files (x86)\EMET and you'll see it has the standard AppCompat exports:
  • GetHookAPIs(char *,ushort *,ulong *)
  • NotifyShims(char *, unsigned __int16 *, unsigned __int32 *)
During our research we found a single DLL, apihex86.dll, that doesn't use the Microsoft C++ class (ShimLib::) that the others do. As a result it's this binary that we're focusing our efforts on in order to understand the interface so we can look at writing our own shims (it's also tiny compared to the others).

Looking at GetHookAPIs we see it sets up an array of structures with both the original API and the new API to be called in its place before passing the array back to the caller. In short quite simple...

AppCompat Machine Deployment
When AppCompat is used on a machine the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags is populated. For example, on my machine, where I have deployed EMET against a process (we've previously mentioned that EMET uses AppCompat), we see a custom AppCompat (SDB) database installed:

Then a mapping between these two databases and the EMET configured process:


Conclusions
You know you're looking at something interesting when you Google 'shimlib appcompat' and get 0 results and 'appcompat gethookapi' gets you 8. Anyway that's it for now...

Friday, 27 April 2012

Recx EMET Configuration Builder


Update May 16, 2012: Since originally posting this article Microsoft have released EMET v3.0, which further facilitates enterprise deployment. We encourage you to go and read the TechNet article.


It's Friday, so it means it's time for another higher-level defensive post. To follow up on our previous post Microsoft EMET in The Enterprise we wrote a small EMET automatic configuration builder. It's designed to allow you to quickly produce an EMET configuration XML for a specific machine. This XML file can then be imported into the EMET GUI. This is to facilitate mass EMET opt-in for binaries in a host default build.

What the configuration builder does is:
  • Checks a file is a PE file
  • Checks it's not a DLL
  • Checks if it's managed or not
  • Checks if the SEH properties warrant SEHOP opt-in
It then produces a configuration line for each file as appropriate in the EMET XML schema.

Step 1: Run EMET Config Builder
Run the Recx EMET Configuration Builder as follows (or similar):

EMETConfigBuild "c:\Program Files (x86)" c:\data\EMETConfig.xml 


Step 2: Load EMET / Select Config Apps

Step 3: Import XML 


Note: When importing a large number of files it may say the EMET GUI has become unresponsive. It will complete, just give it time. Also the list of program files will NOT update. You'll need to click 'OK' and then go back into 'Config Apps' to see the list.

Step 4: Test, test and test again
Now ensure you fully test the applications before rolling out on a wider basis.

Getting Recx EMET Config Builder
We make no warranties implied or otherwise. By downloading and using Recx EMET Configuration Builder you agree to take all responsibility for any instabilities its use may introduce into your environment.



Wednesday, 18 April 2012

Finding the weak link in Windows binaries - Source Boston 2012 slides

We've just completed our Source Boston presentation. We're happy to release the slides below.


The video has also been posted which can be found here:



Enjoy!

Friday, 13 April 2012

Microsoft EMET in The Enterprise

Update May 16, 2012: Since originally posting this article Microsoft have released EMET v3.0, which further facilitates enterprise deployment. We encourage you to go and read the TechNet article.

It's Friday, so it's time to take a step back from the low-level and have another post on the practical steps organisations can take at little cost. Before we begin it's probably useful to outline some of the realities of business when it comes to desktop and server security. These realities should come as no revelation:
  • Organisations can't always jump to the latest version of Windows for many years (if ever).
  • Organisations can't always jump to the latest version of software due to compatibility reasons.
  • Not all software vendors jump to the latest compilers and enable all the security features.
  • Not all software vendors have, follow or have heard of a Secure Development Life-cycle.
As a result organisations need to contend with:
  • Software with known vulnerabilities that they can't upgrade from.
  • Software with unknown vulnerabilities that they can't upgrade from.
  • Software without mitigations against memory corruption vulnerabilities that fall under either of the previous two points.
  • Ageing versions of Windows that don't have the latest defensive mechanisms available.

To help organisations address some of the security skeletons on Windows, Microsoft provides the Enhanced Mitigation Experience Toolkit (EMET). While EMET isn't a panacea or without small print, it can provide excellent return on investment if you're trying to secure an ageing software infrastructure or have operational delays in patch deployment. When it comes to how to do deployments of EMET in the enterprise, Microsoft's (KB article) answer is:
"With the current version, the easiest way to deploy across an enterprise is by using the command prompt utility. To do this, follow these steps:
Install the MSI on each of the target computers. Or, put a copy of all the installed files on a network share. 
Run the command prompt utility on each of the target computers to configure EMET.
Note You can use many different techniques to do this, including using the System Center Configuration Manager. If you put EMET on a share, make sure that you run the command prompt utility from that share. When it runs, it will copy over the necessary files to the Windows directory, and it will make any needed registry changes.
We realize that this technique is not convenient for many enterprises. For the next version, we are working on making it easier to deploy and manage EMET in an enterprise environment"
We thought it would be useful to summarise some additional advice we've devised and information we've come across around EMET in enterprise. These points / areas are designed to further ease configuration, testing and deployment of EMET without creating mayhem.

EMET Development, Testing and Deployment Plan
When deploying EMET in your organisation we recommend a high-level plan similar to the below be used:
  • Development: EMET Configuration Development 
    • Deploy standard organisation desktop and server builds
    • Identify applications that need protection:
    • Identify the executable files that comprise the application
    • Configure EMET for identified executable files
  • Testing: Compatibility
    • Run standard common business function testing on all newly protected applications
  • Deployment: Phase 1
    • Deploy to 1% of user base having good representation from all departments
    • Monitor for increase in support calls related to unexpected application crashes
  • Deployment: Phase 2
    • Deploy to an additional 5% of user base having continued representation from all departments
    • Continue to monitor support calls
  • Deployment: Phase 3
    • Deploy to an additional 19% of user base, continue to monitor
  • Deployment: Phase 4
    • Deploy to remaining user base in 25% chunks with a month or so in-between
  • Maintenance
    • Continue to monitor standard builds and threat space for new applications that may be deemed appropriate for protection

Recx EMET Configuration Builder
Developed by Recx, it scans a directory and produces an EMET configuration file for all discovered binaries.

Nemet
Developed by David Delaune, it is an extremely useful third-party EMET GUI for configuring, testing and redeploying EMET configurations. David was working with an embedded use-case and as a result removed the .NET dependency that the original EMET GUI has. He has also provided some enhanced features over the standard EMET GUI such as being able to supply additional heap address pre-allocations.

Developed by Tom Webb, who provides in this blog post:
  • An EMET configuration file protecting the following applications (mixture of 32bit and 64bit):
    • Adobe Acrobat Reader 9.0
    • Adobe Acrobat  Reader 10.0
    • Oracle (Sun) Java Run-time 6
    • Mozilla Firefox
    • Microsoft Internet Explorer
    • Microsoft Office 2007
    • Microsoft Office 2010
    • Microsoft Media Player
    • Apple iTunes
    • Apple QuickTime
    • VMWare Tools
  • VBS based deployment script that protects Google Chrome:
    • As Google Chrome is installed under each user's home directory

The EMET Community
There is an excellent thread on the Microsoft communities about EMET which covers:

  • How to silently install EMET from the .MSI
    • msiexec.exe /i "EMETSetup.msi" /qn /norestart
  • A batch file protecting the following applications  (mixture of 32bit and 64bit):
    • Oracle (Sun) Java Run-time 6
    • Microsoft Office 2003
    • Microsoft Office 2007
    • Microsoft Office 2010
    • Microsoft Internet Explorer
    • Microsoft Media Player
    • Apple QuickTime
    • Winzip
    • Adobe Acrobat Reader 8.0
    • Adobe Acrobat Reader 9.0
    • Adobe Acrobat Reader 10.0
    • IBM Lotus Notes
    • Apple iTunes
    • Opera
    • Mozilla Firefox
There is also:


Vendor and System Integrator Call to Action
So vendors and system integrators, what can you do? There are several things; yes, they'll cost you some time and money, but they'll also go a long way in presenting your organisation as security aware while also helping your users maintain a level of security.
  • Vendors: negotiate with Microsoft to re-distribute EMET as part of your installers
  • Test your applications for EMET compatibility and document externally 
  • If you can't recompile / use the latest tool chain ship EMET configurations for compatible components
  • For all end of life products ship and document one final 'EMET sunset patch' to provide those organisations stuck on these versions with a level of tested protection.

Anyway, we hope you've found this post useful. We've been contemplating an EMET Compatibility Database to correlate people's testing and compatibility experience of different products. We think this is especially important for big enterprise solutions such as older versions of Microsoft Exchange, Microsoft SQL Server, Microsoft IIS, Oracle and SAP etc. If you think this initiative would be worthwhile either leave us a comment below or ping us on twitter @RecxLtd.

Technical Bonus Material
O.K. you've read this far down. Time for a little technical bonus material.
  • Fermin's Microsoft slides on EMET
  • Uses AppCompat, deploys its SDB by updating the registry key
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
  • Registry key
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET
    • Contains an interestingly named value 'EnableUnsafeSettings', but it is not used by the injected DLL
  • AppCompat Injected Libraries
    • C:\Windows\AppPatch\EMET.dll gets injected for 32bit
    • C:\Windows\AppPatch\AppPatch64\EMET64.dll gets injected for 64bit
  • Processes using EMET have an environment variable set
  • Processes using EMET create an event:
    • \BaseNamedObjects\EMET_PID_[PID]
  • Injected DLL uses RtlRandom instead of RtlRandomEx for randomisation (no great shakes).
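The registry side of this, covering both the AppCompatFlags key described in the AppCompat Machine Deployment section of Part 1 and the InstalledSDB key noted above, as an added example that is not Recx's code: it lists every custom SDB registered on a host and which executables are mapped to it, which is a useful hygiene check because an SDB nobody deployed is an unexpected code-injection path. It assumes the standard layout of that key (InstalledSDB\{GUID} values DatabasePath, DatabaseDescription and DatabaseInstallTimeStamp as a FILETIME, and Custom\<exe> values named {GUID}.sdb), which the posts do not spell out; the sample data is constructed and is used when the script is run off Windows.

```python
from datetime import datetime, timedelta, timezone

try:
    import winreg                        # Windows only
except ImportError:                      # lets the correlation logic run elsewhere
    winreg = None

APPCOMPAT = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"

# Constructed sample mirroring the EMET deployment in the post (GUIDs and path are made up)
SAMPLE_INSTALLED = {"{11111111-0000-0000-0000-000000000001}": {
    "DatabasePath": r"C:\Windows\AppPatch\Custom\{11111111-0000-0000-0000-000000000001}.sdb",
    "DatabaseDescription": "EMET (constructed)", "DatabaseInstallTimeStamp": 129800000000000000}}
SAMPLE_CUSTOM = {"iexplore.exe": ["{11111111-0000-0000-0000-000000000001}"],
                 "notepad.exe": ["{99999999-0000-0000-0000-000000000009}"]}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def correlate(installed: dict, custom: dict) -> list:
    """Join InstalledSDB records {guid: values} with Custom mappings {exe: [guid]}; unknown GUIDs are orphans."""
    report = {}
    for guid, v in installed.items():
        ts = v.get("DatabaseInstallTimeStamp")
        report[guid] = {"guid": guid, "path": v.get("DatabasePath"),
                        "description": v.get("DatabaseDescription"),
                        "installed": filetime_to_datetime(ts) if ts else None,
                        "executables": [], "orphan": False}
    for exe, guids in custom.items():
        for guid in guids:
            rec = report.setdefault(guid, {"guid": guid, "path": None, "description": None,
                                           "installed": None, "executables": [], "orphan": True})
            rec["executables"].append(exe)
    return sorted(report.values(), key=lambda r: r["guid"])


def read_registry() -> tuple:
    """Read InstalledSDB and Custom from HKLM (requires Windows / winreg)."""
    installed, custom = {}, {}
    for sub, store in (("InstalledSDB", installed), ("Custom", custom)):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPCOMPAT + "\\" + sub)
        except FileNotFoundError:
            continue                     # key absent: nothing deployed via this mechanism
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as k:
                    vals = dict(winreg.EnumValue(k, j)[:2] for j in range(winreg.QueryInfoKey(k)[1]))
                    store[winreg.EnumKey(root, i)] = vals
    # Custom\<exe> values are named "{GUID}.sdb"; reduce each to the bare GUID
    custom = {exe: [n[:-4] for n in vals if n.lower().endswith(".sdb")]
              for exe, vals in custom.items()}
    return installed, custom


if __name__ == "__main__":
    installed, custom = read_registry() if winreg else (SAMPLE_INSTALLED, SAMPLE_CUSTOM)
    for rec in correlate(installed, custom):
        print("ORPHAN" if rec["orphan"] else "OK    ", rec["guid"], rec["installed"],
              rec["path"], "->", ", ".join(rec["executables"]))
```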

Wednesday, 11 April 2012

Recx SDL Binary Assurance, BinScope and LookingGlass

So we've had a few questions around what Recx SDL Binary Assurance does compared to Microsoft's BinScope (video) and Errata Security's LookingGlass. Hopefully the tables below will explain the differences in terms of what they identify.

SDL Checks
The following specific SDL checks are performed on the binaries.
| Check | Recx SDL Binary Assurance | Microsoft BinScope | Errata Security LookingGlass | Purpose / Comments |
|---|---|---|---|---|
| /GS (Stack Cookies) | Yes – without symbols | Yes – with symbols | No | Checks for the presence of stack cookie usage in the binary. Recx uses heuristics; Microsoft uses symbols and, as a result, is able to detect partial application of stack cookies. |
| | Yes | Yes | Yes | Checks that the binary opts into ASLR |
| /NXCompat (DEP) | Yes | Yes | Yes | Checks that the binary opts into DEP |
| | Yes | Yes | No | Checks that 32-bit binaries use SafeSEH |
| Compiler version | Yes – without symbols | Yes – with symbols | No | Recx uses the Rich header; Microsoft uses symbols. |
| | Yes | No | No | Checks if the binary requests UAC UI access |
| | Yes | No | No | Checks the UAC privilege level the binary requests to run as |
| | Yes | No | No | Checks for usage of this function. Indicates SDL awareness if used and provides further defences. |
| | Yes | No | No | Checks for usage of this function. Indicates SDL awareness if used and provides further defences. |
| | Yes | No | No | Checks for usage of this function. Indicates SDL awareness if used and provides further defences. |
| | Yes | No | No | Checks for usage of this function. Risk of undermining ASLR if used. |
| Process Heap Executable | Yes | No | No | Checks that the default process heap is not executable |
| Insecure Section | Yes | Yes | No | Checks if any section of the binary is shared and writeable |
| | Yes | No | No | Checks if the binary uses force integrity |
| LoadLibrary / DLL Planting Mitigations | Yes | No | No | Checks if the binary uses LoadLibrary and, if it does, whether it uses DLL planting mitigations |
| | Yes | No | No | Indicates if delay-loaded imports are used, due to potential increased susceptibility to DLL planting. |
| | Yes | No | No | Checks if the binary is susceptible to MS12-001 |
| | Yes | Yes – via Windows 8 SDK | No | Checks if the binary runs in a Windows 8 App Container |
| .NET Fully Managed | Yes | No | No | Checks if the .NET binary is fully managed. Binaries that are not fully managed may be susceptible to memory corruption. |
| .NET Skip Validation | Yes | No | No | Checks if the .NET binary indicates that strong name validation should be skipped |
| | Yes | Yes | No | Checks if the .NET binary uses strong name checks |
| | Yes | Yes | No | Checks if the .NET binary allows partially trusted callers |
| Banned SDL API Usage | Yes | No | Yes | Checks if the binary uses banned or unsafe APIs |
| ATL Header Version Check | No | Yes – with symbols | No | Checks if the COM binary uses known bad versions of the ATL header. Source: BinScope documentation. |
| | No | Yes – with symbols | No | Checks if the COM binary uses IPersistStreamInit and has potentially vulnerable property map entries. Source: BinScope documentation. |
| | No | Yes – with symbols | No | Checks if the binary initialises the GS cookies in a safe manner. Source: BinScope documentation. |
| | No | Yes – with symbols | No | Checks to see if stack ordering was not performed due to optimisations being disabled. For details on when /GS won't be applied see MSDN. Source: BinScope documentation. |
| | No | Yes – with symbols | No | Checks if a function was declared __declspec(safebuffers). Source: BinScope documentation. |
| Global Function Pointers | No | Yes – with symbols | No | Checks if global function pointers are used. If static buffers and global function pointers are present, stack cookie protection won't be applied. Source: BinScope documentation. |
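The header checks behind the Recx EMET Configuration Builder (PE file, not a DLL, managed or not, SEH properties) and the opt-in columns of the table above (ASLR, DEP, SafeSEH, force integrity, App Container, .NET) all come from the same few fields of the PE optional header. As an added example, not Recx's tool, the following reads those fields directly with struct; the SEHOP heuristic and the minimal PE image it builds as sample input are assumptions of the example, and SafeSEH is only approximated by the NO_SEH flag plus the presence of a Load Config directory rather than by walking the SEHandlerTable.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits and the IMAGE_FILE_DLL bit (winnt.h)
DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT = 0x0040, 0x0080, 0x0100
NO_SEH, APPCONTAINER, IMAGE_FILE_DLL = 0x0400, 0x1000, 0x2000
DIR_LOAD_CONFIG, DIR_COM_DESCRIPTOR = 10, 14      # data directory indices


def inspect_pe(data: bytes) -> dict:
    """Header-level SDL/EMET properties of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    file_chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)[6]   # COFF Characteristics
    opt = e_lfanew + 24                                  # optional header start
    is_64 = struct.unpack_from("<H", data, opt)[0] == 0x20B            # PE32+ magic
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]             # same offset in PE32/PE32+
    ndirs_off = opt + (108 if is_64 else 92)             # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory(i):  # (VirtualAddress, Size) of data directory i, or empty
        return struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) if i < ndirs else (0, 0)

    return {"is_pe": True, "is_64": is_64,
            "is_dll": bool(file_chars & IMAGE_FILE_DLL),
            "managed": directory(DIR_COM_DESCRIPTOR)[1] != 0,          # CLR header present
            "aslr": bool(dllchars & DYNAMIC_BASE),
            "dep": bool(dllchars & NX_COMPAT),
            "no_seh": bool(dllchars & NO_SEH),
            "force_integrity": bool(dllchars & FORCE_INTEGRITY),
            "app_container": bool(dllchars & APPCONTAINER),
            "has_load_config": directory(DIR_LOAD_CONFIG)[1] != 0}     # where SafeSEH tables live


def emet_candidate(props: dict) -> bool:
    """The builder's rule from the post: a PE file, not a DLL, not managed."""
    return props.get("is_pe", False) and not props["is_dll"] and not props["managed"]


def sehop_opt_in(props: dict) -> bool:
    """Assumed heuristic: a 32-bit image that still uses SEH is worth SEHOP opt-in."""
    return props.get("is_pe", False) and not props["is_64"] and not props["no_seh"]


def build_sample_pe(dllchars: int, file_chars: int = 0x0102, managed: bool = False) -> bytes:
    """Constructed minimal PE32 header (no sections) used only as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, file_chars)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", dllchars)
           + b"\0" * 20 + struct.pack("<I", 16))                  # 16 data directories
    dirs = [(0, 0)] * 16
    if managed:
        dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)                 # fake CLR header RVA/size
    return dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)


if __name__ == "__main__":
    for name, blob in (("exe", build_sample_pe(DYNAMIC_BASE | NX_COMPAT)),
                       ("dll", build_sample_pe(NX_COMPAT | NO_SEH, 0x2102, True))):
        p = inspect_pe(blob)
        print(name, p, "EMET candidate:", emet_candidate(p), "SEHOP:", sehop_opt_in(p))
```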


Informational Fields
The following information fields are also provided (a subset):
| Information | Purpose / Comments |
|---|---|
| Platform | Platform the binary targets |
| 32bit or 64bit | Whether the binary is 32-bit or 64-bit |
| Company | Company name from the file properties |
| Signer | Who signed the binary |
| Signature type | Type of signature and strength |
| MD5 | MD5 of the binary |
| SHA1 | SHA1 of the binary |
| Manifest | Manifest of the binary |
| Import table | List of imported functions |


Another Thanks
We like thanking people! We only found out last night that Ivan Medvedev of Microsoft is the brains behind the DLL we use for PE parsing (he also writes BinScope!). We'd like to thank Ivan for his excellent work as it cut down our development effort significantly.