Request: Low Privilege AppContainer (LPAC)
WildByDesign opened this issue · 5 comments
Now that the AppContainer functionality is working 100%, it would be great to have an option to run within LPAC sandbox as well. James Forshaw (Google Project Zero / Chrome sandbox) suggested to me that it is just one additional security attribute during launch to be low privilege AC.
This would require an additional item on the Privexec drop down menu and wsudo.
AppContainer
AppContainer (LPAC)
Mandatory Integrity Control
No Elevated (UAC)
Administrator
Attribute as shown from Process Hacker:
Code that verifies LPAC is enabled or not:
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/NtToken.cs#L2583
This security attribute needs to be added during process launch and determines that AppContainer is Low Privilege AppContainer (LPAC) which is more secure in comparison to regular AC.
Therefore, having a choice between two types of AppContainer on menu would be excellent.
You already have LPAC capabilities, so that part of the development is already there. You just need the WIN://NOALLAPPPKG security attribute added to token during launch.
Thank you. Keep up the fantastic work!
@WildByDesign Maybe just add a checkbox to support whether to enable LPAC.
Use SetTokenInformation
set TokenUserClaimAttributes
// https://docs.microsoft.com/zh-cn/windows/desktop/api/winnt/ns-winnt-_claim_security_attribute_v1
typedef struct _CLAIM_SECURITY_ATTRIBUTE_V1 {
PWSTR Name;
WORD ValueType;
WORD Reserved;
DWORD Flags;
DWORD ValueCount;
union {
PLONG64 pInt64;
PDWORD64 pUint64;
PWSTR *ppString;
PCLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
PCLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
} Values;
} CLAIM_SECURITY_ATTRIBUTE_V1, *PCLAIM_SECURITY_ATTRIBUTE_V1;
// https://docs.microsoft.com/zh-cn/windows/desktop/api/winnt/ns-winnt-_claim_security_attributes_information
typedef struct _CLAIM_SECURITY_ATTRIBUTES_INFORMATION {
WORD Version;
WORD Reserved;
DWORD AttributeCount;
union {
PCLAIM_SECURITY_ATTRIBUTE_V1 pAttributeV1;
} Attribute;
} CLAIM_SECURITY_ATTRIBUTES_INFORMATION, *PCLAIM_SECURITY_ATTRIBUTES_INFORMATION;
@fcharlie Yes, I agree, a checkbox would work best.
@WildByDesign See: 587a21e SetTokenInformation
not work.
Use UpdateProcThreadAttribute
set ProcThreadAttributeAllApplicationPackagesPolicy
.
Now Privexec/WSUDO support LPAC
Congratulations on this latest achievement/development, sir. This program becomes more and more powerful. Thank you.