M2Team/Privexec

Request: Low Privilege AppContainer (LPAC)

WildByDesign opened this issue · 5 comments

Now that the AppContainer functionality is working 100%, it would be great to have an option to run within LPAC sandbox as well. James Forshaw (Google Project Zero / Chrome sandbox) suggested to me that it is just one additional security attribute during launch to be low privilege AC.

This would require an additional item on the Privexec drop down menu and wsudo.

AppContainer
AppContainer (LPAC)
Mandatory Integrity Control
No Elevated (UAC)
Administrator

Attribute as shown from Process Hacker:
LPAC

Code that verifies LPAC is enabled or not:
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/NtToken.cs#L2583

This security attribute needs to be added during process launch and marks the AppContainer as a Low Privilege AppContainer (LPAC), which is more secure than a regular AC.

Therefore, having a choice between the two types of AppContainer on the menu would be excellent.

You already have LPAC capabilities, so that part of the development is already there. You just need the WIN://NOALLAPPPKG security attribute added to the token during launch.

Thank you. Keep up the fantastic work!

@WildByDesign Maybe just add a checkbox to support whether to enable LPAC.

Use SetTokenInformation to set TokenUserClaimAttributes:

// https://docs.microsoft.com/zh-cn/windows/desktop/api/winnt/ns-winnt-_claim_security_attribute_v1
typedef struct _CLAIM_SECURITY_ATTRIBUTE_V1 {
  PWSTR Name;
  WORD  ValueType;
  WORD  Reserved;
  DWORD Flags;
  DWORD ValueCount;
  union {
    PLONG64                                      pInt64;
    PDWORD64                                     pUint64;
    PWSTR                                        *ppString;
    PCLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE         pFqbn;
    PCLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
  } Values;
} CLAIM_SECURITY_ATTRIBUTE_V1, *PCLAIM_SECURITY_ATTRIBUTE_V1;

// https://docs.microsoft.com/zh-cn/windows/desktop/api/winnt/ns-winnt-_claim_security_attributes_information
typedef struct _CLAIM_SECURITY_ATTRIBUTES_INFORMATION {
  WORD  Version;
  WORD  Reserved;
  DWORD AttributeCount;
  union {
    PCLAIM_SECURITY_ATTRIBUTE_V1 pAttributeV1;
  } Attribute;
} CLAIM_SECURITY_ATTRIBUTES_INFORMATION, *PCLAIM_SECURITY_ATTRIBUTES_INFORMATION;

@fcharlie Yes, I agree, a checkbox would work best.

@WildByDesign See 587a21e: SetTokenInformation does not work.

Use UpdateProcThreadAttribute to set ProcThreadAttributeAllApplicationPackagesPolicy.

Privexec/WSUDO now support LPAC.

Congratulations on this latest achievement/development, sir. This program becomes more and more powerful. Thank you.