Hello and welcome to my talk today. My name is René Freingruber and today I'm going to tell you something about application whitelisting. Let's have a look at the agenda for this talk. First of all, I will introduce my company, SEC Consult, to you, so don't worry, it's just one slide. After that, we start with the real topic: what is application whitelisting? Where is that concept used? How can you implement it? And what problems do you face if you try to implement it? I also have here a very interesting, very funny introduction video from McAfee Application Control, which is one piece of software which implements application whitelisting. This is the main product which I will use to demonstrate all my bypass techniques. You will see why I find this video very funny, because there are some very interesting statements inside this video. Then I will introduce McAfee Application Control to you, so I'll show you how you can use that kind of software, which additional features are there, why they are there, and what you can do with these features. Then we come to the really funny part: how can we bypass application whitelisting? I'll show you some general techniques which attack the concept of application whitelisting and work against all kinds of products, so they also work against AppLocker or some other product for application whitelisting. Then we have some product-related findings, like how we can bypass read or write protection, or kernel-land vulnerabilities, and at the end I'll show you some demonstrations so that you see the stuff is really working; it's not theoretical. We really apply these techniques in our social engineering attacks. The conclusion is mainly about the response of the vendor: how did they react, what was fixed, what was not fixed, and of course how you can fix the stuff yourself.
We have here one slide about our company, so for everyone who doesn't know us: we are located in Vienna, in Austria, our headquarters is there, but we have offices all around the world; in Montreal we also have one office. And I think the most important thing for you is that we are also hiring, so if you're searching for a new cool job, just come to us. With a team of over 6 security experts, so really technical persons, we make over 350 security audits per year. So, application whitelisting. I have here a short video, if this works. [Video:] McAfee Application Control, security through whitelisting. Systems worldwide have been plagued by these threats in the past, all of which were unknown threats until the first time they struck. Application Control is the solution which can give you 100% coverage on day zero and stop these advanced threats. Application Control provides total endpoint security through whitelisting. The whitelist is a powerful tool. It's created by scanning the entire system during install time and cataloging all applications, libraries, drivers, and scripts. When a program tries to run, the system checks the whitelist for its presence and then permits it. However, when a new unknown binary tries to run, it's blocked because it's not on the whitelist. This way, all unknown dangerous threats can be stopped. The whitelist will grow dynamically when systems are updated through trusted channels. Application Control supports four different trust channels. Trusted updaters are provisioning/patching tools like SCCM and BigFix. Trusted certificates could be used to self-sign internal trusted apps. Trusted directories can be used to trust remote network file shares or repositories of trusted apps. IT admins could be configured as trusted admins so all their changes are permitted. These four mechanisms make this solution scalable to the largest of enterprises.
[Video continues:] Memory protection is the second layer of defense, complementing whitelisting, and makes whitelisted programs exploit-proof. Programs such as Adobe Reader and Internet Explorer can be used safely in spite of having vulnerabilities. A hacker would never be able to exploit those vulnerabilities to circumvent and evade whitelisting. [End of video.] Okay, we will later see how strong their mitigations are. I think there are some very funny statements in it, like 100% zero-day protection and so on. To recap, what is application whitelisting? Basically, you set up a system. For example, if it's a web server, you install all applications which you need, like the database server, the web server, and so on. After that, you install the application whitelisting, which means you create the database of all installed files, so all executables, all libraries, all scripts, and so on. You put these into this whitelist. After that, if you start an application, it just checks: is this one in the whitelist? If yes, you can execute it. If not, you cannot execute it. So if you go to a website and the website drops malware, the malware will not be executed because it's not in the whitelist. So this is the main idea behind it. And we often see this kind of application whitelisting in critical infrastructures, so for example in SCADA environments. I came across this stuff because we had a project from the Austrian government, because in the next years we want to use smart meters at every home. The smart meters connect to the power grid network, and the servers there are protected with application whitelisting. So our job was to test the smart meters and also the application whitelisting on the servers.
But we also often see that kind of stuff at, for example, high-risk security systems like administrative workstations, or for example the Technical University in Vienna is also using that kind of stuff for the workstations for the students, so that the students cannot start games or something like that. And we have here many different solutions. I have chosen, in this case, McAfee Application Control, first of all because of this video, second because it has some other features which are also very interesting to discuss. I only covered the Windows version, because I only received a Windows license. 6.1 was the current version at that time. I mainly focused on client operating systems, but it's also working on server systems the same way. In this case I have also included Windows XP, because in such critical infrastructure systems you often see Windows XP systems, even if it is not supported anymore. So you should not use Windows XP anymore, but because it is very often used there, I have also included it here in my research. But just don't use Windows XP anymore. If you want to work with this application, you work on the command line, so there's no graphical user interface. What you're doing is you just call the sadmin program and then give the command which you want to execute. So for example disable or enable, or you can say solidify, which is the first command. So if you have set up your system, you just say sadmin solidify, then it just iterates over all files on your system and puts them in the whitelist. So in this case, you see here 2,500 files are now in our whitelist. After that we just have to say sadmin enable, then we have to reboot the system, and then the protection is enabled. So for example, I've downloaded a debugger in this case and tried to start it, and it just says access is denied.
The same is true if I create a script file, in this case a test file, but it just says access is denied; you cannot execute that kind of stuff. And we also have some other kinds of protections, like write protection. This is in this case mandatory, because they whitelist the path to the executable, so they're not generating a hash; they're whitelisting the path, and then they say you cannot overwrite the whitelisted files. And we also have some kind of read protection; this is only applied to some special files like the password hash file and so on. And we also have memory corruption protections, but I will talk about them a little bit later. Here are some other slides from them. They basically say the same again: you cannot exploit buffer overflows and so on and so on. Another important concept are updaters, because one of the biggest problems with application whitelisting is how do you deal with updates? So for example, let's say you whitelist the hash of the file, and then for example Adobe Reader is updating itself, so it replaces the libraries. So the new libraries are not in the whitelist and cannot be executed. To deal with this problem McAfee Application Control uses the concept of updaters; that means these updaters, which are configured by default, can bypass their protection, so they can bypass the write protection. They can overwrite write-protected files. And you see here it's mainly McAfee products, but we also have here something from Adobe or the Java update process or Mozilla and so on, but it's mainly McAfee products, so that their own stuff is working. I have drawn a picture here, so basically of the different components: if you're the user, you're just sitting in front of the computer and interacting with the sadmin application, typing there the commands.
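To make the difference between a path-based and a hash-based whitelist concrete, here is a small Python model. It is an added illustration, not code from the talk or from McAfee Application Control: the disk contents, the paths and the updater name `sccm-agent` are all constructed. It runs the "solidify" inventory over an in-memory disk, then tries to replace a whitelisted binary as an unprivileged user and as a trusted updater, with and without write protection, and checks which files each model would still let run.

```python
import hashlib

# Constructed in-memory "disk" (path -> file bytes); nothing here is a real binary.
DISK = {
    r"C:\Windows\System32\notepad.exe": b"MZ notepad (constructed)",
    r"C:\tools\helper.exe": b"MZ helper v1 (constructed)",
}
HELPER = r"C:\tools\helper.exe"
# Hypothetical name of a process configured as a trusted updater.
TRUSTED_UPDATERS = {"sccm-agent"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def solidify(disk: dict) -> dict:
    """Inventory every file once, like the 'solidify' step: returns both
    whitelist flavours so the two models can be compared side by side."""
    return {"by_hash": {sha256(d) for d in disk.values()}, "by_path": set(disk)}


def write_file(disk, wl, path, data, actor, write_protection=True):
    """Write-protection rule of a path-based list: a whitelisted path may only be
    replaced by a trusted updater, and whatever the updater writes is whitelisted
    again (the 'dynamic growth through trusted channels' from the video)."""
    if write_protection and path in wl["by_path"] and actor not in TRUSTED_UPDATERS:
        return False                       # denied: whitelisted path, protected
    disk[path] = data
    if actor in TRUSTED_UPDATERS:
        wl["by_hash"].add(sha256(data))
        wl["by_path"].add(path)
    return True


def may_execute(disk, wl, path, mode):
    """Execution check under one of the two models ('hash' or 'path')."""
    if path not in disk:
        return False
    if mode == "hash":
        return sha256(disk[path]) in wl["by_hash"]
    if mode == "path":
        return path in wl["by_path"]
    raise ValueError(f"unknown mode {mode!r}")


def _run(actor, write_protection):
    disk = dict(DISK)
    wl = solidify(disk)
    dropped = r"C:\Users\alice\Downloads\dropped.exe"
    # A brand-new file is never write-protected; the question is whether it runs.
    write_file(disk, wl, dropped, b"MZ dropped (constructed)", actor="user",
               write_protection=write_protection)
    replaced = write_file(disk, wl, HELPER, b"MZ helper replaced (constructed)",
                          actor=actor, write_protection=write_protection)
    return {
        "overwrite_succeeded": replaced,
        "new_file_runs_by_hash": may_execute(disk, wl, dropped, "hash"),
        "new_file_runs_by_path": may_execute(disk, wl, dropped, "path"),
        "helper_runs_by_hash": may_execute(disk, wl, HELPER, "hash"),
        "helper_runs_by_path": may_execute(disk, wl, HELPER, "path"),
    }


def scenario(write_protection: bool) -> dict:
    """Unprivileged user drops a new file and tries to replace helper.exe."""
    return _run("user", write_protection)


def updater_scenario() -> dict:
    """A configured updater replaces helper.exe; the patched file must still run."""
    return _run("sccm-agent", write_protection=True)


if __name__ == "__main__":
    for label, result in [("no write protection", scenario(False)),
                          ("write protection", scenario(True)),
                          ("trusted updater", updater_scenario())]:
        print(label, result)
```

With write protection switched off, the path-based list still lets the replaced `helper.exe` run, which is exactly why a path-based product has to make write protection mandatory; the hash-based list catches the replacement, but then needs the updater mechanism so that legitimate patches keep working. In both models the dropped file in the user's profile never runs.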
We also have here a service which is running with system privileges, so the service is for example responsible for generating the whitelist, all the kind of stuff which is more simple to do in user space. These two interact with inter-process communication via named pipes, so sadmin is just the front end and just passes the commands with the password to the service; the service implements all the things to do. Then we have a kernel driver which enforces the protections like write protection and the application whitelisting. And these are speaking to each other via IOCTL codes. Yeah, so the first idea: if we cannot execute our own applications and we want to attack this, what do we do? We just start to abuse stuff which is already there, which is whitelisted on all systems. For this we have three different categories. First of all we can use something which is there from the Windows operating system, so for example stuff which is on every Windows Vista system, on every Windows 10 system and so on. The second category is something which is there from McAfee Application Control itself, so everything which is installed by them, because if you want to bypass it we know that kind of applications are there. The third category are some common third-party libraries like Office, .NET Framework, Java and so on, which are very frequently used. And I basically found applications in all of these three categories which you can abuse. I think the very, very first thing which comes into your mind if you're a penetration tester is PowerShell, because it's just there since Windows Vista. So if you attack a new operating system it will be just there, and it is whitelisted by default. And PowerShell can be used to invoke shellcode, so you can interact with the Windows API, so you can basically do everything which you like.
So in this case what I'm doing is I just say start PowerShell and then I'm giving it the complete script inside, so it's encoded: I give it the base64 encoded script and it will just be executed. I could also pass PS1 files, but PS1 files are not enabled by default and they're also protected by whitelisting, so in this case I just have to pass everything in the arguments. And what kind of script do we want to execute? We can just have a look at PowerSploit, which is a collection of very cool scripts for PowerShell, and we see here something like reflective DLL injection, we can invoke shellcode, we can even start Mimikatz, stuff like that, so we can basically do everything which we like. And you see here at this step we already have bypassed application whitelisting, because we can just say start PowerShell, allocate space and just load the PE file into that space, then do the relocations and imports and so on, and then you can just execute the application inside the PowerShell process, so we can basically already bypass application whitelisting. Here's another example of the script which I was using; this is from the Social-Engineer Toolkit. It just basically shows you how to import the different functions like VirtualAlloc or CreateThread, then you just copy your shellcode with memset to the location and then just execute it.
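From the defender's side, the launch pattern described here (PowerShell started with a base64-encoded script, typically by a script host or a file the user clicked) leaves a clear trace in process-creation telemetry. The following Python is an added example, not code from the talk, PowerSploit or the Social-Engineer Toolkit; the Sysmon-style events it parses are constructed, and the keyword list and length threshold are assumptions you would tune to your own environment. It decodes `-EncodedCommand` payloads (PowerShell also accepts any unambiguous prefix of that flag and the alias `-ec`), checks the decoded script for API-loading fragments such as the VirtualAlloc/CreateThread/memset trio mentioned above, reports blobs that do not decode at all, and flags PowerShell spawned by mshta, wscript, cscript or the help viewer, as well as script hosts running scripts from user-writable paths.

```python
import base64
import re

# powershell.exe accepts -EncodedCommand, any unambiguous prefix of it and the
# alias -ec, so the regex lists all of them (longest first) and captures the
# base64 blob that follows.
_ENC_FLAGS = ["-" + "encodedcommand"[:n] for n in range(14, 0, -1)] + ["-ec"]
ENC_RE = re.compile(r"(?i)(?:^|\s)(?:" + "|".join(map(re.escape, _ENC_FLAGS))
                    + r")\s+([A-Za-z0-9+/=]+)")

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "hh.exe"}
SCRIPT_EXT = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
# Assumed indicator list: fragments typical of in-memory loaders and rarely
# seen in administrative one-liners. Tune for your environment.
API_WORDS = ("virtualalloc", "createthread", "memset", "invoke-expression",
             "downloadstring", "reflection.assembly", "interopservices")
MAX_SCRIPT_LEN = 1000   # assumed threshold for an "oversized" encoded script


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """'' if no encoded flag is present, the decoded script text if it decodes,
    None if a blob is present but is not valid base64 over UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyse(event: dict) -> list:
    """Return the list of findings for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    findings = []
    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            findings.append(f"powershell spawned by script host {parent}")
        script = decode_encoded_command(cmd)
        if script is None:
            findings.append("undecodable -EncodedCommand payload")
        elif script:
            hits = [w for w in API_WORDS if w in script.lower()]
            if hits:
                findings.append("encoded script references " + ", ".join(hits))
            if len(script) > MAX_SCRIPT_LEN:
                findings.append("oversized encoded script")
    elif image in SCRIPT_HOSTS:
        target = cmd.lower().rstrip().rstrip('"')
        if target.endswith(SCRIPT_EXT) and any(d in target for d in USER_WRITABLE):
            findings.append(f"{image} running a script from a user-writable path")
    return findings


def triage(events: list) -> dict:
    """Map event index -> findings, only for events that produced any."""
    result = {}
    for i, e in enumerate(events):
        f = analyse(e)
        if f:
            result[i] = f
    return result


def _enc(text: str) -> str:
    """Encode like powershell.exe expects: base64 over UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon event-1 style records; not taken from any real host.
EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -enc " + _enc("Get-Date | Out-Null")},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -ec " + _enc("$p = [Kernel32]::VirtualAlloc(0, 4096, 0x3000, 0x40)")},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\bob\Downloads\invoice.js"'},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -EncodedCommand QUJD"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, findings in triage(EVENTS).items():
        print(idx, EVENTS[idx]["CommandLine"][:60], "->", findings)
```

Note what this does and does not catch: an encoded command is only suspicious because of its content, so the benign `-enc` one-liner (event 0) stays quiet, while a blob that does not decode (event 3) is reported rather than silently skipped. The file-shortcut case from later in the talk is invisible to this rule, because the child process is then simply PowerShell under explorer.exe with a plain command line; that is why command-line content, not just the parent, has to be inspected.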
So to recap: if we somehow manage to start PowerShell we can bypass application whitelisting, because we can start any application or library which we like. But the big question is now: how do we start PowerShell? Because we cannot put it into a batch file, because batch files are also protected. To solve this, my solution was to divide this overall goal of bypassing application whitelisting into several smaller steps. I think this is always a good idea, also if you are developing exploits: just divide everything into smaller steps and solve everything on its own. The first step for me is to get something which I call basic code execution, so I want to start some kind of script, and with the script I'm then starting, in the second step, local applications and forcing local applications to execute the code which I like. So an example for the second stage is PowerShell: the first step is to get something like JavaScript code execution, with JavaScript I then start PowerShell, and PowerShell can then start my own shellcode, so I'm now running machine code. The third step is optional: I can disable application whitelisting, because during audits it's just more simple if application whitelisting is disabled, but you don't really need this step, you can just do step one and step two again and again, and you also often need administrative privileges for this third step. I will now show you different techniques to achieve these different steps. Basic code execution: the very, very first simple ideas are, if I'm just sitting in front of the system, I can just type PowerShell there. So if I'm attacking kiosk systems, or in social engineering audits where I have physical access to this machine, I can just type PowerShell. I can use the same idea with malicious USB sticks for social engineering attacks. So for example, for everyone who doesn't know this, this is the Rubber Ducky, a USB stick which is in reality a keyboard, so as soon as you plug it into your computer it says I'm a keyboard and
then starts to type the stuff which you have configured, and I can configure it here to type PowerShell with the payload. But the very, very typical social engineering attack is that I send my victim a file, he clicks on that file and then he's just infected, and I wanted that this also works here. The problem is that they really check very many, many, many different kinds of extensions, like EXE files, MSI files and so on. But what they're doing here is they're using a kind of blacklist approach, and every time you use a blacklist approach you just forget something. In this case they have, for example, just forgotten HTA files. So who of you knows HTA files? These are HTML applications, so it's a typical HTML file, but you can just use VBScript in it, and with VBScript you can just get the COM object for WScript, and with this you can execute local applications. So in this case I'm just starting the calculator, but we can also start for example PowerShell or some other kind of application. The same is true for JavaScript files: I'm just sending a JavaScript file, and if you click on it in the local context I can again start any application which I like. Another idea is that I'm using file shortcuts. This maybe sounds a little bit ridiculous, but let's say I have compromised your intranet, then you have a share on your intranet and I just place a file shortcut there. Your administrative workstations are protected with application whitelisting, and if someone clicks on this shortcut he is just infected, because the shortcut is pointing to, for example, PowerShell again. I have especially included this one here because later I will show you how I can harden the system, for example against the HTA or JS files, but you cannot harden it against these file shortcuts. So this was the main reason why I've included it here. It would look like this. But we can build on this idea, for example with CHM help files. This is a very old attack vector; you see the help file here
and inside this help file I've included a button. The button is linking to a shortcut, the shortcut points to PowerShell, and then I just say in JavaScript: automatically click on this button. That means as soon as you open my help file you again start PowerShell and get code execution. And of course there are many, many more such extensions, like here encoded JavaScript files and many, many more, so you always will find some kind of extension which you can abuse this way. A gadget is not so good, because here you get some ugly warning, but yeah, there are many, many more. My idea was to look at the most common attack vectors which I'm using to compromise systems and whether application whitelisting will protect against them. So the first one was only social engineering. Another idea is that you're attacking a web application, and that means if you find some web application vulnerabilities, like if you can upload a shell or have local command execution, stuff like that, you can basically apply the same technique again: just start PowerShell with this. Another attack vector is pass-the-hash attacks. Who here knows what a pass-the-hash attack is? Okay, it's a little bit older attack vector, but it's a very good demonstration of how simple it is to bypass application whitelisting, and that was the reason why I've included it here. So for everyone who does not know: if you have two servers and both servers have configured, for example, the same password for the local administrator, and you compromise one of these systems, you can dump the hash of this administrator and use this hash to authenticate on the next system. So you don't have to know the clear text password; it's enough if you know the hash to authenticate on the next system. This is called a pass-the-hash attack, and you typically then just go to all systems until you find the token or the clear text password in memory of one of the domain administrators, then you can attack the domain controller and you have compromised the
complete domain. And you see here how this works: so for example if I have a shell on one system I can dump here the password hash, and then I use this same hash to authenticate on the next system, and then I just get a shell on the next system. The problem is, if you have application whitelisting enabled on the target system, this is not working. To find out why this is not working you just have to look at the source code. So for example in Metasploit this is the main file to implement this kind of attack, and you would end up calling this code here, this command here. On the next slide it's a little bit better to read: so for example if I want to execute the whoami command on the target machine, I would end up calling this command. So what I'm saying is: start cmd with a command, then it says echo whoami piped to a random name, so this thing here, into temp.bat, and then start cmd again, which starts cmd again, and then starts temp.bat. So basically start temp.bat, in which we stored whoami piped to a random name, so our command, and pipe this thing to some random name so that we can read the output. It's just so complex because they wanted to bypass some kind of antivirus product with this approach here, to start cmd which starts cmd and so on. But you see here the problem is temp.bat would not be in the whitelist; that means the attack is prevented, because you cannot start temp.bat. And it's really trivial to change this code: you just say cmd /c directly starts your command, and then you don't have to drop a local file, and then it also works against the application whitelisting. So it's a very good example, because you just have to modify one line of code and it's working again. So application whitelisting will protect you from mass attacks, so most attacks are really prevented, but if it's a targeted attack you just have to modify very little things to make it work again. The next step is to get full code execution. In all examples I just used PowerShell, so an administrator can just
say: I just remove PowerShell from my whitelist and then I'm safe. The problem is that there are many, many more such applications which can be abused the same way. So for example if you have a script interpreter like Python or Perl, they're basically the same as PowerShell, because you can just start anything which you like by passing the arguments to them. The same is true for debuggers: so if a debugger is on the whitelist, the debugger can write to the process space of a whitelisted application, so it can be used to inject your shellcode. And there are many, many more. For example, some other very common attack vectors are Java applets. What we are doing during social engineering projects is that we make a fake domain which sounds like the real domain, then we're sending emails, for example to the employees, and say you can calculate your Xmas bonus on the intranet website; the intranet website points to our domain, and then we have there the Java applet which says here you can calculate your Xmas bonus. This was always working very well; guys were always clicking on it. And the typical Java dropper looks like this: you just have the malware in the resources, then you write the malware to the temp directory and then it's just started. Here again this attack is prevented, because the malware is not in the whitelist, but you can trivially modify it, you can just say start PowerShell instead and then it's working again. But in this case we wanted to do it without PowerShell, so what you can also do is you can directly inject your shellcode into the Java process. You can do this with the Unsafe class; unfortunately I don't have enough time today to talk about this, but you can just have a look at this talk here, you can find it on YouTube, where the guy is explaining how the stuff is working. The same also applies to Office macros. So the basic attacks are really prevented: for example we had a customer who had AppLocker installed and they had a macro dropper, and the
macro dropper was really prevented, because it's dropping a file, but you can really modify it, for example with this script here, shellcode to Visual Basic script, and then you can execute everything in memory in the Office process, and then it's working again. And of course we have here some other attacks from other researchers. So for example he was mainly targeting the .NET Framework, which is there since Windows 7; that means all these applications here are whitelisted by default. And what you can say is start InstallUtil, and InstallUtil will load your attack.exe file into its own process space and execute it there. So even if attack.exe is not in the whitelist, it can be executed because it's running inside the InstallUtil process. This is also a very good tactic to bypass, for example, endpoint protection systems, enterprise solutions and so on, because they will all just scan InstallUtil and not scan attack.exe. And basically the others are the same. And if you really target a system environment which is really hardened, and every application from here is just removed from the whitelist, you always have the possibility to exploit some local applications. So I just start the whitelisted application and then I'm abusing some memory corruption vulnerability, like a buffer overflow, a format string, a use-after-free bug, a type confusion bug and so on, so I can inject my own code into this process. So we have two different possibilities. The first one is getting basic code execution like I'm exploiting Adobe Reader or Chrome or something like that; I think you already know this. But in this special case we have a second possibility, which means if we can already execute HTA files or something like that, so we can start local applications, we can target local applications, which has some advantages. First of all, local applications: if you find a buffer overflow in one, they are very seldomly fixed, because an attacker typically has no advantage by exploiting this
application, because you don't have a privilege escalation there. So you will find many, many such local buffer overflows; it's very trivial to find something like that, and of course we can also brute force them and so on. The question is now what kind of local application we want to exploit. So we have two different possibilities: first of all we can attack something from the operating system, or we can attack something which is there from McAfee Application Control. The problem with the stuff from the operating system is that the guys who develop operating systems really know what they're doing, at least most of the time, so they know address space layout randomization, data execution prevention, all that kind of protections, so it really becomes very hard to exploit such an application. Another problem is, for example, on Windows 7 other applications are stored than on Windows XP, than on Windows 10, than on some server variations, so that means I have to write one exploit for XP, one for Windows 7, one for the English version, one for the German version, one for service pack 1, one for service pack 2 and so on, which means it's really hard. The good thing if I'm attacking something from McAfee Application Control is that I will have the same binary on all systems, and of course they maybe just forgot to enable some of the protections. In this special case we have a third option, because what McAfee is doing is they have this concept of trusted certificates, so everything signed by one of these certificates here, by this default list of certificates, can just be executed on your system. So it's basically a backdoor for them, so that their own applications can run on application whitelisting enabled systems. So what we can do is we can just search for any application signed by McAfee with a vulnerability in it. If we have this vulnerability we can drop it on your system, because it's then whitelisted, and we can just abuse it to get code execution. So what I was
doing then was I just checked the program folder from McAfee Application Control, and I found there the zip application. This one is from 1999, that means there are no security protections at all. And yeah, you can make a Google search, you will soon find here this "Execute Code Overflow" with a score of 10, which looks very good, but there is no more public information; they're not saying where the vulnerability is or whether it's a buffer overflow or something like that. But we had the source code available, so you see here the source code. Maybe I give you here a short minute to have a look at this code. Just a quick hint: it's somewhere inside this box here, it's below here, the vulnerability. When I was doing this kind of research I had access to a very expensive static source code analysis tool, because we had some training system, and I thought okay, I just run this tool against this source code here and see what this tool is reporting to me. It reported to me about 200 different buffer overflows, but the problem was that everything was a false positive, because the guy was always saying first allocate enough space and then making a string copy of exactly this space, so there was really no buffer overflow there, but just one buffer overflow, and exactly this buffer overflow was not found by this tool. I don't really know why it was not found, because it's really trivial. So you see here, this is the buffer overflow: errbuf has a fixed size and we're just concatenating a space to it and then the arguments, and the arguments are user controlled, so you can just give as much as you like there and you can basically overflow the errbuf variable. I really don't know why this was not found by this tool; we also gave it to the trainers and to the developers and they were also wondering why this is not found, but yeah, kind of strange. So if you just pass many, many As the application just crashes, then we can have a look at it in WinDbg or some other kind of debugger; you
see here it's exploitable. You can also have a look: we have control over this register here, you can then further analyze it down, we can control the arguments to these two calls here, and it's basically an overflow in the .bss section, and we have no security features at all enabled because it was compiled in 1999. So yeah, but there are some memory corruption protections, so we should not be able to exploit it. So here again are some slides from them. MP stands for memory protection. Here on Windows XP memory protections are enabled, then we have something which they call CASP and something which they call VASR. VASR is disabled on Windows XP, but on Windows 7 everything is enabled. Then we have something which is called force relocation, and on Windows 8.1 everything disappeared, so there are no memory protections on 8.1. So my idea then was to just start some exploits which I developed, look why it's not working, and then work on it until it is working again. So I was just starting here a Firefox exploit which I wrote. You see here I'm using Windows 7, because on Windows 7 we have all protections, everything is enabled. I'm now just starting Firefox; this is now my exploit; if I hit the go button the exploit starts to run, and in this case it just worked without any modification. So okay, my next step was what else to test. My idea was okay, this was an integer overflow and they just say they protect against buffer overflows, so the next step was to test a stack-based buffer overflow, so VLC player. I think I just skip this demo because it's just working again, so no modification, everything was working. I tested it with I think 20 other applications and everything was just working, and I was wondering what the fuck is going on. So the next step was to use a debugger to look at what is going on there. So basically what they're doing is they're injecting this library, scinject.dll, into all applications protected by
them, and then you end up getting many, many different kinds of exceptions in the debugger if it's protected, and it's always around this address here. So the next step was to find out what is stored at this address. If McAfee Application Control is not there, you find there the PE header of kernel32, and this PE header is typically readable. What they're doing is they just remove the readability, so it's not readable anymore. That means as soon as someone tries to read this PE header you get an exception, and then their own exception handler can kick in and add additional protections. They're doing this kind of stuff because shellcode typically reads this PE header, and as soon as it reads it you get the exception, then the code can kick in and can check if shellcode is currently executed or not. And what they're doing is they just check: is the current instruction, the triggering instruction, belonging to an executable page? So what they're doing is they just implemented the data execution prevention which is there from the operating system, there in hardware, in software. So it's only really useful on very, very old hardware, and this is also the reason why my stuff is working, because my exploits are just developed to work on the most recent operating systems; that means I already have to bypass data execution prevention, that means I bypass their protection as well at the same time, because my code is marked as executable. Another interesting thing is that they allocate in every protected application a section here which is writable and executable, which is just stupid, because it just breaks the idea of data execution prevention. What you don't want is a section which is writable and executable, because an attacker can then just write his own shellcode to this location and directly execute it. So the idea of data execution prevention is that you don't have such a section, and by implementing this kind of protection they just break the one from the operating
system, which is kind of strange. Yeah, I have then included here some shellcode which can be used to bypass their protection. Yeah, and so basically CASP is the same as the data execution prevention from the operating system, VASR is the same as the address space layout randomization from the operating system, and force relocation is the same as force ASLR. So they basically have the same protections as the operating system, just for some old hardware, that is also working there.

The next thing is user account control. So all techniques which were presented to you are working as normal user, but now the following techniques, for example how you can disable application whitelisting, require you to be administrator, and for that you have to bypass user account control if the target user is an administrator. I think every one of you knows this user account control, it was introduced with Windows Vista, these little boxes. That means if you log in as an administrator you now receive two different tokens, one token as normal user, one token with full admin privileges. If you want to use this full admin token you have to click here on yes. And I unfortunately don't have enough time today to talk about all details here, but there are many, many different public techniques how you can bypass user account control in the default configuration, and this mainly works by injecting code into so-called auto-elevated executables. So the problem with Windows Vista was that you got very, very many such dialogues, and with Windows 7 they introduced auto-elevated processes, which means Windows signed stuff doesn't have to show you this dialogue. So for example if you open notepad and go to File, Open, and go to system32, you can create there stuff without triggering this dialogue here, and this is done with the auto-elevated applications. In reality it's a little bit more complex, but I don't have enough time today, and these main techniques here work by injecting code into one of these
auto-elevated processes by dropping a DLL there. That means if you start for example sysprep, which is auto-elevated, you force it to load your own library, and the problem is, if you drop the library there, the library is not in the whitelist. That means this kind of bypass is not working if application whitelisting is there. And there are some other techniques, for example you can use this wusa application to drop it there and so on, but they're just not working. And what the main message is: there are some techniques which are working. For example, what you can say, some of you know shims, the Microsoft Windows Application Compatibility Toolkit, you can install them. So for example what you can say is, I redirect the EXE, so for example if you start the auto-elevated executable you can say redirect it to my own malware, so my malware is instead executed, but the manifest file is taken from the real file, which means my file is now auto-elevated. Some kind of those techniques. But the problem with this technique is that it's only working on very old systems, so for example 32-bit systems. You can also say here, with some other techniques, to make the registry writable to disable user account control, but in this case you have to reboot your system and it's not working on Windows 10. But we also found some private ones. So for example what we are doing is, for our social engineering projects we need some private techniques which also come around antivirus products, and these techniques also work if application whitelisting is there, so you can bypass it if you like.

As already mentioned, there are some processes with some special privileges. These can be used to bypass the protections like read and write protection. So this is mainly the update processes, because they can override write-protected stuff, and you also have the service. The service is kind of cool because we can first of all read everything which is read-protected, and we can remove for example the password file. So what we
can do is, as soon as you run inside the service, we can remove the password file and then just say sadmin disable to disable all protections. But injecting code into this service here requires you to be administrator. So you can attack the updaters if you're a normal user, but for this technique here you just have to be administrator. But it's not really required, it just makes your life more simple.

Here again the update processes. What you see here is test.exe is whitelisted, so I cannot override it because it's write-protected at the same time. So if I want to copy test.do over it, it says here access is denied, and the content of it is old. Then I can just run my own update process which overwrites it, which works fine, and then, let's see, it's just overwritten. And the basic idea is that you just inject your own code into one of the update processes. So for example the Java update process here is whitelisted, but it also is an update process. So what I'm doing here is I have my bat script, and then I'm just injecting my code into this Java update process, overwriting it there, and I fill in my new content. And the problem is that they are just identifying this update process here by the name. So even if it would run with higher privileges, I can just start it as normal user and then inject my own code into it. So yeah, as already mentioned, we can also inject into a service if we are an administrator, but that means we have to bypass this user account control, or we have to find some kind of privilege escalation exploit if you're not an administrative user. But then we can just remove this password hash file, or we can for example add a trusted volume, which means it just disables the protections, but you don't have to reboot your system in this case. And we also have here some kernel-land related vulnerabilities, yeah, which I think very, very surely will allow you to escalate your privileges, for example if you're a normal user, to get administrative or system privileges. I
have here now some demonstrations which show you the techniques. So, I'm starting it as administrator, and here I'm just saying, so first of all everything is disabled, then I just say scan the system for all files, so let's say solidify. So it's now iterating over all files. Just go to the next demo. Now it generated the whitelist here. So the next thing is that I have to say to enable all the kind of protections, so it's still disabled, now I'm saying enable, I have to reboot my system. I'm now logging in as a normal user, so "user" in this case is an administrative user, the normal user has no administrative privileges, because I want to show you that everything is really working as normal user, you don't have to be administrator for the techniques you see here. If I try to start it, it just says you have to be administrator, so you cannot do it. Just see, I'm no administrator in this case. Just skipping this part here.

Yeah, what I'm now doing is I create here a bat file, I write some content into it, so that you see that the protection is really working. So if I now want to start this new bat file, this bat file is not in the whitelist, so you cannot execute it. The same applies for executables and so on. So the next step is to bypass the protection. I have here one whitelisted file, so you just see the dialogue. If I copy this file, the new one is not in the whitelist, so you cannot execute it, you get this access violation, "access is denied" message. You can remove this because it's not in the whitelist, that means it's not write-protected, but you cannot remove the whitelisted one. So it just says first you don't have enough privileges, try this as administrator. So I'm now trying as administrator, and it says you can still not remove it, because it's write-protected from the kernel land.

So I'm now on the attacker machine. My idea was to show you that it's really simple to bypass this kind of protection, so I just use publicly available tools. So in this case I'm just using Social
Engineering Toolkit together with a Meterpreter session, but you can also implement all the kind of stuff in shellcode yourself. So what I'm doing here is I just say create me this PowerShell payload for a Meterpreter session, giving here the reverse shell IP, so you find here the payload. So it's basically the payload together with the complete script. And I'm now on the victim machine. I created this virus file which looks like a normal application, but it's an HTA file, and you can just open it in notepad. Can everyone read it, or is this too small? So basically it's an HTML file, and you just say there: start PowerShell and then immediately close the window again. You can also start some other kind of application then, for example to fake that it's a game or something like that, to trick the user. And yeah, in the next slide you just see here, if you click on it, it was now executed, but you can also start some applications to fake it, to trick the user, and you just get here the session. You can then have a look in which process you're running, so in this case I'm running inside the PowerShell process. So I'm on the desktop, and the next thing was I tried to upload putty, because putty is my fake malware which I want to execute, but putty is not in the whitelist. Right, here are some problems with the syntax. So I've now uploaded putty to the desktop, and the problem is putty is not in the whitelist, so I cannot execute it. So if I try, I just get an "access is denied". The next step is, I have here the whitelisted exe file. The next step is that I want to override the whitelisted file with my putty.exe, with my malware. So I'm trying to override it, but because it's write-protected I cannot override it, access is denied. So the next thing which I'm doing is I have just a look here at the running processes, and you find here that the Java update process is running, it's down here. So the next thing is that I just migrate from the PowerShell process to the Java update process, so I'm just injecting myself into
this process, and because this process has this special privilege to override write-protected files, I can then now override this whitelisted file. So I'm now inside this Java update process, now going to the desktop again. So in this case you see I have now overwritten it, and you see here in the graphical user interface you cannot execute putty because it's not in the whitelist, but now you can execute the whitelisted file, which is putty, which should be your malware.

And I have here one final demo, but I just skip here the stuff. In this case I'm just an administrator, and you see here if I want to execute some kind of commands you have to provide the password, but as an attacker I don't know the password. So what I can do is, if I'm administrator, you can remove this password file. So if I'm inside the normal process I cannot read this password file because it's read-protected, but I'm now injecting myself into the running service. Just go here a little bit. So I'm now inside this service, and this is the only technique which really requires you to be administrator. Then I can read this password hash file, and I also can remove it, which means as soon as it is removed you can just say sadmin and then for example disable, or add trusted volume, to disable all the protections. So in this case you see I don't need the password anymore.

Conclusion. So in my opinion application whitelisting is a really good concept, because it helps you to protect against mass attacks, but if someone tries to target your company it's really trivial to bypass, and in some cases it can even lower the security of operating systems, for example if they allocate writable and executable sections or if they have kernel-land vulnerabilities. Here are some hardening guidelines, basically just apply updates and remove everything from the talk, so all the applications which can be abused and so on. Just have a look at the advisory, where you can find more such hardening guidelines. Here's the response from the vendor. So
what they were saying is, for example, that we allocate something which is writable and executable, it's very, very complex to exploit such stuff, so the risk is very low. Or that they installed something from 1999, it's very hard to exploit this because we have buffer overflow mitigations and so on, so risk is also very low. And to all the other stuff they just said they are theoretical and there is no proof of concept, which is kind of strange, because I sent them all this kind of stuff and techniques and code and so on. But yeah, another very strange thing is that they told me you have to be administrator to inject something into the update process, which is just wrong, because the update processes are just identified by the name and you can just start the update process with your own privileges as normal user. So, and also the demonstration showed you that everything is working as normal user, so you don't have to be administrator, only if you want to inject into the service. And the same is true for the kernel-land vulnerabilities, they told me that you need to be administrator, which is just wrong, because you can do the stuff as normal user, and of course you have to run untrusted binaries and that is not possible on their systems and so on. Yeah, then they just told me, okay, everything is classified as low, so we will not fix it in your disclosure timeline, and I think this was the last thing which I heard from them. So we also wrote them, you should really fix that stuff, but yeah. Also a very interesting fact is we then released, I think 60 days later, our advisory, they didn't fix anything, and I think three months later someone from the Zero Day Initiative, maybe they came across our advisory, just found the same kernel-land vulnerabilities in them and just reported them to them again. However, yeah, the current version which you can download on the website is this one here, but if you have credentials and can log in there I think there's also version 7.0, so maybe it is fixed there. So the version
which you can download on the website, all is still there, but I don't know if they have some kind of hotfixes there, and they also don't reply anymore to me. But yeah, one of our customers, I think they have 7.0, and I will have soon the possibility to test it there, so maybe they have fixed something there, maybe I will find more there. Thank you very much for your attention.
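As an added, defender-side example (not code from the talk, from SEC Consult or from McAfee), this Python script flags writable-and-executable regions in a process, the kind of section the talk says the product maps into every protected application and which defeats DEP. OpenProcess, VirtualQueryEx and CloseHandle are real kernel32 APIs; the helper names and the sample region list are constructed for this example.

```python
"""Flag writable-and-executable (RWX) regions in a Windows process.
Added example, not code from the talk, SEC Consult or McAfee. OpenProcess,
VirtualQueryEx and CloseHandle are real kernel32 APIs; helper names and the
sample region list are constructed for this example."""
import ctypes
import sys

MEM_COMMIT = 0x1000
RWX_PROTECTS = (0x40, 0x80)  # PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
PROTECT_MASK = 0xFF          # strips PAGE_GUARD / PAGE_NOCACHE modifier bits
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]

def find_rwx_regions(regions):
    """regions: iterable of (base, size, state, protect); keeps committed RWX ones.
    Modifier bits such as PAGE_GUARD are masked off so they cannot hide a hit."""
    return [(b, s, p) for b, s, st, p in regions
            if st == MEM_COMMIT and (p & PROTECT_MASK) in RWX_PROTECTS]

def scan_process(pid):
    """Walk a live process's address space with VirtualQueryEx (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype, k32.VirtualQueryEx.restype = ctypes.c_void_p, ctypes.c_size_t
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        base = mbi.BaseAddress or 0  # ctypes returns None for a NULL pointer
        regions.append((base, mbi.RegionSize, mbi.State, mbi.Protect))
        addr = base + mbi.RegionSize
    k32.CloseHandle(handle)
    return find_rwx_regions(regions)

# Constructed sample layout of the kind the talk describes; not a real dump.
SAMPLE_REGIONS = [
    (0x00401000, 0x8000, MEM_COMMIT, 0x20),   # .text: PAGE_EXECUTE_READ, fine
    (0x02ab0000, 0x10000, MEM_COMMIT, 0x40),  # injected section: RWX, a finding
    (0x02ac0000, 0x10000, 0x2000, 0x40),      # MEM_RESERVE only, ignored
    (0x7ff00000, 0x1000, MEM_COMMIT, 0x140),  # RWX plus PAGE_GUARD: still a finding
]

if __name__ == "__main__":
    hits = (scan_process(int(sys.argv[1])) if sys.platform == "win32" and len(sys.argv) > 1
            else find_rwx_regions(SAMPLE_REGIONS))
    for base, size, prot in hits:
        print(f"RWX region at 0x{base:x} size 0x{size:x} protect 0x{prot:x}")
```

On Windows, pass a process id as the only argument to audit a live process; elsewhere the script evaluates the constructed sample layout.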