10 September 2015

Surprisingly simple steps to 'break out' of desktop systems

In the modern age, where mobility and flexibility are expected, businesses and employees have a higher demand than ever for remote access to corporate systems. This has led to increased adoption of application delivery via Terminal Services, Citrix and kiosk platforms.

These platforms allow computing resources to be shared across many users and applications, and make it easy to provide a scalable desktop solution across a company. Such desktop environments can be centrally managed and administered so that user access is carefully controlled and standard users do not hold an excessive level of privilege.

Get this wrong, however, and you may find users breaking out of your “secure” environment.

Breaking out!

What does it mean to break out? In essence, it is the ability to escape the access controls enforced by the platform and gain access to the OS beneath. This can be done in a range of different ways, using different methods, and depends on the restrictions put in place by GPOs and on the applications made available to the user.

The result of a successful breakout is that an attacker then has a foothold on the network from which they can launch further attacks and potentially gain access to system resources, applications, and sensitive data, none of which anyone ever wants in the hands of an attacker.

How to break out

So how can a user break out of carefully implemented security controls? It may be hard to believe, but some of the most inconspicuous features within Windows can help an attacker break out.

Common dialog boxes, such as those shown when you save or open files, can allow access to the file system of the computer being used. By navigating these dialog boxes to well-known folder paths, an attacker may be able to reach system files and create shortcuts that give them access to administrative functionality.

It is also possible to use the “Help Menu” function provided by applications, or Windows shortcuts, to access various functionality offered by the OS. While the “Help Menu” may seem innocent enough, it is possible to exploit this access to launch a command prompt, giving the user direct access to the file system.

Getting a shell on the system is the major aim of an attacker, as this gives them access to all the system calls available within the environment. A shell can be obtained in many ways, and there are different types of shell that can be used, such as PowerShell and the cmd prompt. While most of these are obvious techniques for gaining a shell, there are some more interesting techniques that are very unlikely to be considered when setting up lock-down policies.

A classic and unusual example of this is the ability to gain a shell by creating a shortcut to the cmd executable via mspaint. Because of the way pixel data is encoded in BMP files, it is possible to draw certain colours in Paint and thereby dictate the ASCII bytes written into the file. Once a specific series of 6 colours is set in 6 pixels and saved as a 24-bit Bitmap file, an attacker can rename the .bmp file to a .bat and execute it. This then launches a command prompt for the attacker to use.
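Both the shell-launching tricks and the renamed-bitmap trick above leave traces a defender can look for: a shell process whose parent is Paint or a help viewer, and a “batch file” whose first two bytes are the BMP signature. The script below is an added example, not code from the original post; it runs detection logic over a constructed set of process-creation records (the fields mirror a Windows Security 4688 event exported as CSV) and over a folder of script files. The launcher name kiosklauncher.exe, the user names and the paths are assumptions for the sake of the example.

```powershell
# Added example (not from the original post): flag shells started by applications that
# should never need one on a locked-down desktop, and flag .bat/.cmd files whose bytes
# are really a 24-bit bitmap. All sample data below is constructed.

# Shells an attacker is after once they have escaped the application layer.
$ShellNames = @('cmd.exe', 'powershell.exe', 'powershell_ise.exe', 'wscript.exe', 'cscript.exe')

# Assumption: on this kiosk only the (hypothetical) launcher is allowed to start a shell.
$AllowedParents = @('kiosklauncher.exe')

function Find-UnexpectedShellLaunch {
    param([string[]]$EventLines)
    # Each line mirrors the fields of a Security 4688 (process creation) event as CSV.
    $EventLines | ConvertFrom-Csv | ForEach-Object {
        $newName    = [IO.Path]::GetFileName($_.NewProcessName).ToLower()
        $parentName = [IO.Path]::GetFileName($_.CreatorProcessName).ToLower()
        if ($ShellNames -contains $newName -and $AllowedParents -notcontains $parentName) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $_.SubjectUserName
                Shell  = $newName
                Parent = $parentName
                Reason = "shell started by '$parentName'"
            }
        }
    }
}

function Find-DisguisedScript {
    param([string]$Root)
    # A bitmap renamed to .bat still begins with the two-byte 'BM' file signature.
    Get-ChildItem -Path $Root -Recurse -Include '*.bat', '*.cmd' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $head = New-Object byte[] 2
            $fs = [IO.File]::OpenRead($_.FullName)
            try { $null = $fs.Read($head, 0, 2) } finally { $fs.Dispose() }
            if ($head[0] -eq 0x42 -and $head[1] -eq 0x4D) {   # 'B', 'M'
                [pscustomobject]@{ Path = $_.FullName; Reason = 'batch file carries a BMP header' }
            }
        }
}

# Constructed sample: one benign launch from the kiosk launcher, then cmd.exe started
# by Paint and by the HTML Help viewer (hh.exe), which the Help Menu route would show.
$sample = @(
    'TimeCreated,SubjectUserName,NewProcessName,CreatorProcessName',
    '2015-09-10 09:01:12,kioskuser,C:\Windows\System32\notepad.exe,C:\Kiosk\kiosklauncher.exe',
    '2015-09-10 09:03:45,kioskuser,C:\Windows\System32\cmd.exe,C:\Windows\System32\mspaint.exe',
    '2015-09-10 09:04:02,kioskuser,C:\Windows\System32\cmd.exe,C:\Windows\hh.exe'
)

# Reports the two cmd.exe launches; the notepad launch from the launcher is ignored.
Find-UnexpectedShellLaunch -EventLines $sample | Format-Table -AutoSize

# Scans the current user's Documents folder for disguised scripts.
Find-DisguisedScript -Root "$env:USERPROFILE\Documents" | Format-Table -AutoSize
```

To run the first check against real data, enable “Audit Process Creation” (event 4688) on the terminal servers and feed the exported events in place of the constructed array; the parent/child pairing is the signal, so the allow-list of parents should be kept as short as the kiosk genuinely needs.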

How to stop the madness

It can be very hard to produce environments that are hardened sufficiently to ensure that users cannot break out. The very concept of restricting user access to tools, resources and applications seems at odds with the benefits provided by a feature-rich OS. However, to ensure that existing users do not become insider threats, it is important that these platforms are set up with security in mind, restricting users to the bare minimum functionality necessary to perform their duties.
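One concrete way to restrict users to the bare minimum is an AppLocker policy that denies the shells to kiosk users and only allows scripts that ship with the OS or installed software, so that a renamed bitmap in a user folder is refused even if the user reaches it. The following is an added example, not code from the original post; it uses the AppLocker PowerShell module that ships with Windows 7 Enterprise / Server 2008 R2 and later. The rule GUIDs and the kiosk group SID are placeholders to be replaced.

```powershell
# Added example (not from the original post): an AppLocker policy that keeps kiosk users
# away from cmd.exe and PowerShell and blocks scripts outside the OS and Program Files.
# Rule Ids (GUIDs) and the kiosk group SID below are placeholders.

Import-Module AppLocker

# Placeholder SID. Resolve the real group with, e.g.:
# (New-Object Security.Principal.NTAccount('CONTOSO\Kiosk Users')).Translate([Security.Principal.SecurityIdentifier]).Value
$KioskGroupSid = 'S-1-5-21-0-0-0-1001'

# Exe collection: allow the OS and installed software for everyone, allow everything for
# Administrators (S-1-5-32-544), and deny the shells to the kiosk group. AppLocker
# evaluates Deny rules before Allow rules, so the deny wins even inside %WINDIR%.
# Script collection: only scripts under Windows or Program Files run, so a .bat dropped
# into a profile folder is blocked. The weak configuration this replaces has the Exe
# collection in EnforcementMode="AuditOnly" and no Script collection at all.
$HardenedPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Everyone: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="44444444-4444-4444-4444-444444444444" Name="Kiosk users: no cmd.exe" Description="" UserOrGroupSid="$KioskGroupSid" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\cmd.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="55555555-5555-5555-5555-555555555555" Name="Kiosk users: no PowerShell" Description="" UserOrGroupSid="$KioskGroupSid" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="66666666-6666-6666-6666-666666666666" Name="Everyone: scripts under Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="77777777-7777-7777-7777-777777777777" Name="Everyone: scripts under Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="88888888-8888-8888-8888-888888888888" Name="Administrators: all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyFile = Join-Path $env:TEMP 'kiosk-applocker.xml'
Set-Content -Path $PolicyFile -Value $HardenedPolicy -Encoding UTF8

# Dry run first: ask AppLocker what it would decide for a kiosk user before enforcing.
# Expected: cmd.exe and powershell.exe Denied, notepad.exe Allowed.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -User $KioskGroupSid -Path @(
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\System32\notepad.exe'
) | Select-Object FilePath, PolicyDecision, MatchingRule

# Enforcement needs the Application Identity service running; then load the policy on
# this machine (for a fleet of terminal servers, import the same XML into a GPO instead).
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyFile
```

Two caveats a practitioner would check before relying on this: the blanket %WINDIR%\* allow rule also covers a few folders that standard users can write to (for example Tasks and Temp under the Windows directory), which should get explicit deny rules or be replaced by publisher rules; and on 64-bit hosts confirm with Test-AppLockerPolicy that the SysWOW64 copy of cmd.exe is denied as well, rather than assuming the %SYSTEM32% path variable covers it.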