ReHIPS forum

English Subforum => ReHIPS => Topic started by: aDVll on April 01, 2016, 03:03:56 PM

Title: Question about Use separate desktop setting
Post by: aDVll on April 01, 2016, 03:03:56 PM
So I wanted to run an application from within the same desktop and not use a different one, so I have the program run in my current window (no clue how to describe it, but I hope you get the idea). So I found out I can do that with the setting "Use separate desktop", which I can disable, but then I saw that doing that and leaving DESKTOP_HOOKCONTROL on (I have to leave it on for the application to work correctly) is a critical security issue.
So is there a way to run the application restricted without doing the above, which leaves me unprotected again?

Thanks for any input and ideas.

Title: Re: Question about Use separate desktop setting
Post by: fixer on April 01, 2016, 03:56:35 PM
Hello, aDVll.
Usually the most convenient case is to strip the DESKTOP_HOOKCONTROL privilege and use the current desktop. But unfortunately some programs work incorrectly if they don't have the DESKTOP_HOOKCONTROL privilege.
In this case the recommended scenario is to use a separate desktop. If a separate desktop is not an option, the only way is to accept some risk. You will still be protected from most undesirable activity, but some holes will be left open which may lead to escape from the isolated environment to other non-isolated applications running on the same desktop.
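The DESKTOP_HOOKCONTROL "privilege" discussed above is, at the Windows level, an access right on the desktop object (the right needed to install window hooks on that desktop). The PowerShell script below is an added example and is not code from this forum or from ReHIPS; it does not show how ReHIPS strips the right, only how to audit what a desktop's DACL grants. It is Windows-only, and the desktop name "Default" (the usual interactive desktop) and the helper name Get-DesktopHookRights are assumptions for this example.

```powershell
# Added example (not ReHIPS code): audit which trustees hold DESKTOP_HOOKCONTROL
# on a Windows desktop object. Windows-only, PowerShell 5.1 or later.

Add-Type -Namespace Win32 -Name DesktopApi -MemberDefinition @"
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenDesktop(string lpszDesktop, uint dwFlags, bool fInherit, uint dwDesiredAccess);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseDesktop(IntPtr hDesktop);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool GetUserObjectSecurity(IntPtr hObj, ref uint pSIRequested, byte[] pSID, uint nLength, out uint lpnLengthNeeded);
"@

# Desktop-specific access rights as defined in winuser.h
$DesktopRights = [ordered]@{
    DESKTOP_READOBJECTS     = 0x0001
    DESKTOP_CREATEWINDOW    = 0x0002
    DESKTOP_CREATEMENU      = 0x0004
    DESKTOP_HOOKCONTROL     = 0x0008   # required for SetWindowsHookEx on this desktop
    DESKTOP_JOURNALRECORD   = 0x0010
    DESKTOP_JOURNALPLAYBACK = 0x0020
    DESKTOP_ENUMERATE       = 0x0040
    DESKTOP_WRITEOBJECTS    = 0x0080
    DESKTOP_SWITCHDESKTOP   = 0x0100
}
$READ_CONTROL              = 0x00020000
$GENERIC_ALL               = 0x10000000
$DACL_SECURITY_INFORMATION = 0x00000004

function Get-DesktopHookRights {
    # Returns one record per ACE on the named desktop's DACL, flagging hook control.
    # "Default" is the usual name of the interactive desktop (assumed default here).
    param([string]$DesktopName = "Default")

    # READ_CONTROL is all we need to read the security descriptor
    $hDesk = [Win32.DesktopApi]::OpenDesktop($DesktopName, 0, $false, $READ_CONTROL)
    if ($hDesk -eq [IntPtr]::Zero) {
        throw "OpenDesktop('$DesktopName') failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $si     = [uint32]$DACL_SECURITY_INFORMATION
        $needed = [uint32]0
        # First call with an empty buffer only reports the size required
        [void][Win32.DesktopApi]::GetUserObjectSecurity($hDesk, [ref]$si, $null, 0, [ref]$needed)
        $buf = New-Object byte[] $needed
        if (-not [Win32.DesktopApi]::GetUserObjectSecurity($hDesk, [ref]$si, $buf, $needed, [ref]$needed)) {
            throw "GetUserObjectSecurity failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    } finally {
        [void][Win32.DesktopApi]::CloseDesktop($hDesk)
    }

    # Let .NET parse the self-relative security descriptor we just read
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        Write-Warning "Desktop '$DesktopName' has a NULL DACL: every caller gets full access, hook control included"
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $mask  = $ace.AccessMask
        $named = @($DesktopRights.Keys | Where-Object { ($mask -band $DesktopRights[$_]) -ne 0 })
        [pscustomobject]@{
            Trustee     = $who
            AceType     = $ace.AceType      # AccessAllowed or AccessDenied
            # GENERIC_ALL maps onto every desktop-specific right, so it implies hook control too
            HookControl = (($mask -band $DesktopRights.DESKTOP_HOOKCONTROL) -ne 0) -or (($mask -band $GENERIC_ALL) -ne 0)
            Rights      = ($named -join ', ')
        }
    }
}

Get-DesktopHookRights -DesktopName "Default" | Format-Table -AutoSize
```

Run it from an unrestricted session to see who holds hook control on the desktop your isolated application shares; a trustee listed with HookControl set to True on the same desktop as your non-isolated applications is exactly the situation the reply above describes as leaving "some holes" open, whereas a separate desktop has its own DACL and hooks installed there do not reach windows on the main one.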

Title: Re: Question about Use separate desktop setting
Post by: aDVll on April 01, 2016, 03:58:43 PM
Quote from: fixer on April 01, 2016, 03:56:35 PM
Hello, aDVll.
Usually the most convenient case is to strip the DESKTOP_HOOKCONTROL privilege and use the current desktop. But unfortunately some programs work incorrectly if they don't have the DESKTOP_HOOKCONTROL privilege.
In this case the recommended scenario is to use a separate desktop. If a separate desktop is not an option, the only way is to accept some risk. You will still be protected from most undesirable activity, but some holes will be left open which may lead to escape from the isolated environment to other non-isolated applications running on the same desktop.

Just like I understood, then. So, if you don't mind me asking, would the attack to get out of the containment have to be targeted against ReHIPS, or can normal ransomware/viruses/etc. do it?

Title: Re: Question about Use separate desktop setting
Post by: fixer on April 01, 2016, 05:42:21 PM
Let's see. You have some application that you run in an isolated environment on the main desktop with the DESKTOP_HOOKCONTROL privilege enabled. There are 2 possible attack waves.
1. The first wave: your application was exploited and started to execute some shellcode. From my experience it's unlikely that escape happens here. Shellcode is usually as small as possible and targeted to download and execute the main payload.
2. The second wave: payload execution. If it's executed as a separate process, ReHIPS should warn you that your application is trying to run a process. If it's executed in-process (from my experience it happens quite rarely), then it depends on the payload and escape is possible.

To sum it all up: I don't think some public widespread generic malware will escape the isolation unless it's some sophisticated or targeted stuff.

Title: Re: Question about Use separate desktop setting
Post by: aDVll on April 01, 2016, 05:43:28 PM
Thanks a lot. Appreciate it.