Universal way to bypass Group Policy as a Limited User.

Group Policy is a powerful feature of the Windows OS. From Wikipedia: “Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users’ settings in an Active Directory environment.”

For example, it can block users’ access to Regedit or to changing the IE proxy, and it imposes additional limits on users beyond file system and other permissions. One of the main parts of Group Policy is the Software Restriction Policy (SRP). With SRP, an administrator can define a short whitelist of software that a limited user is allowed to run. SRP can therefore raise the security of the whole system by restricting users’ rights.

How does it work? When a user launches a process, it’s the parent process that checks SRP to see if the execution of the ‘child’ should be allowed or blocked. The parent process uses NtQueryValueKey to query the Registry value HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled, which if present and non-zero indicates that SRP is turned on.

How can we bypass it? There are a few different ways. Their common idea is that the SRP check takes place in user space: the parent process that performs the check runs as the limited user. Therefore, a user can bypass SRP by manipulating that process’s memory in various ways.
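As an added example (not from the original post), here is a defender’s audit of the SRP settings the parent process consults. Only TransparentEnabled is named above; the other value names (DefaultLevel, PolicyScope) and the two policy hives are assumed from the documented SRP registry layout, and the function output format is my own choice.

```powershell
# Added example (not from the original post): report the effective Software
# Restriction Policy configuration that user-mode parent processes consult.
# TransparentEnabled is the value named in the post; DefaultLevel and
# PolicyScope are assumed from the documented SRP layout under CodeIdentifiers.
function Get-SrpStatus {
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # machine policy
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # user policy
    )
    foreach ($path in $paths) {
        $hive = $path.Split(':')[0]
        if (-not (Test-Path -Path $path)) {
            # No key at all: SRP is not configured in this hive, so nothing is checked.
            [pscustomobject]@{ Hive = $hive; Configured = $false; Enforcement = 'none'; DefaultLevel = $null; Scope = $null }
            continue
        }
        $key = Get-ItemProperty -Path $path

        # TransparentEnabled: 0 = SRP off; 1 = only executables are checked, libraries
        # (DLLs) are NOT checked; 2 = all software files, including DLLs, are checked.
        $enforcement = switch ([int]$key.TransparentEnabled) {
            0       { 'off' }
            1       { 'executables only (DLLs not checked)' }
            2       { 'all software files incl. DLLs' }
            default { 'unknown' }
        }

        # DefaultLevel: 0x40000 = Unrestricted, 0x20000 = Basic User, 0 = Disallowed.
        $level = switch ([int]$key.DefaultLevel) {
            0x40000 { 'Unrestricted' }
            0x20000 { 'Basic User' }
            0       { 'Disallowed (whitelist mode)' }
            default { 'unknown' }
        }

        # PolicyScope: 0 = applies to all users, 1 = all users except local administrators.
        $scope = switch ([int]$key.PolicyScope) {
            0       { 'all users' }
            1       { 'all users except local administrators' }
            default { 'unknown' }
        }

        [pscustomobject]@{
            Hive         = $hive
            Configured   = $true
            Enforcement  = $enforcement
            DefaultLevel = $level
            Scope        = $scope
        }
    }
}

# Usage: list both hives; a "DLLs not checked" row means that a library loaded by a
# whitelisted parent process is never evaluated against the policy.
Get-SrpStatus | Format-Table -AutoSize
```

The Enforcement column is the one to watch in the context of this post: with the default value of 1, SRP evaluates the executable a parent process launches but never the libraries that parent loads, which is exactly the gap that letting a whitelisted program load an untrusted DLL relies on. Setting enforcement to all software files closes that gap at the cost of evaluating every DLL load.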

Attack! Mark Russinovich posted a great tool, Gpdisable, together with a good explanation of SRP on his blog. Gpdisable is no longer available, but it is documented on the Internet that Gpdisable uses DLL injection to get into the parent process’s memory. Then “it fools the SRP code by returning an error value” when SRP tries to query TransparentEnabled. Therefore, the parent process can run any other process.

Problem. Gpdisable consists of two files: gpdisable.exe and gpdisable.dll. The first injects the DLL into a process; the second is the DLL that bypasses SRP. In real life, however, there is a problem with injecting gpdisable.dll: in a well-restricted system a user can only run software from the whitelist. That means you would have to run gpdisable.exe, but you don’t have the rights to do so.

Real Attack! When I read about binary planting, I got an idea of how we could inject gpdisable.dll into the process. It’s simple: DLL hijacking. But almost all the big software (like MS Word, Excel and Notepad) doesn’t have such vulnerabilities. If we use “advanced” DLL hijacking (COM server-based binary planting), we can do it for almost all software. You can get the idea of such binary planting from the Acros Security Blog.

Steps to bypass SRP for XP:

  • rename gpdisable.dll to deskpan.dll;
  • create a new folder and name it files.{42071714-76d4-11d1-8b24-00a0c9068ff3};
  • place deskpan.dll in the new folder;
  • open the folder;
  • create a new rich text document in the folder;
  • double-click the rich text document;
  • WordPad runs with gpdisable.dll loaded;
  • Bypassed. Now we can run any process.
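The observable artefact of the steps above is a folder whose name carries a “.{CLSID}” suffix and which contains a DLL. As an added example (not from the original post), this hunt function walks a directory tree for that pattern, hashes any DLL found and looks up which in-process server is actually registered for the CLSID so an analyst can compare it with the planted file. The search roots and the output fields are assumptions of mine.

```powershell
# Added example (not from the original post): hunt for the planting pattern from the
# steps above, i.e. a directory named "<anything>.{CLSID}" that contains a DLL.
# The default search roots and output columns are assumptions; adjust to the estate.
function Find-ClsidFolderPlanting {
    param(
        [string[]]$Root = @($env:USERPROFILE, $env:PUBLIC)
    )
    # Matches a trailing ".{8-4-4-4-12 hex}" suffix, the COM CLSID folder naming trick.
    $clsidSuffix = '\.(\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$'

    $dirs = Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        if ($dir.Name -match $clsidSuffix) {
            $clsid = $Matches[1]
            $dlls  = Get-ChildItem -Path $dir.FullName -Filter *.dll -File -ErrorAction SilentlyContinue
            if (-not $dlls) { continue }

            # Which in-process server does the shell normally load for this CLSID?
            # A planted DLL with the same base name as this server is the thing to flag.
            $serverKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $registered = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'

            foreach ($dll in $dlls) {
                [pscustomobject]@{
                    Folder           = $dir.FullName
                    Clsid            = $clsid
                    PlantedDll       = $dll.Name
                    RegisteredServer = $registered
                    SameBaseName     = ($registered -and ([IO.Path]::GetFileName($registered) -ieq $dll.Name))
                    Sha256           = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                    LastWrite        = $dll.LastWriteTimeUtc
                }
            }
        }
    }
}

# Usage: run with rights to read the user profiles being checked; rows with
# SameBaseName = True are the strongest signal and should be escalated.
Find-ClsidFolderPlanting | Format-Table -AutoSize
```

The same pattern applies on the Vista/7 variants the post mentions, since the folder-naming trick is what makes Explorer resolve the CLSID; only the server DLL name and the CLSID differ per shell extension, so keep the CLSID match generic rather than hard-coding the one from the XP steps.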

There are similar steps for Windows Vista/7 and others. In addition, all these steps can be done from an “Open” or “Save As” dialog, which is useful on Citrix systems.

Thanks to Ryan Sears.

And thank you for your attention.
