Question about Use separate desktop setting

Started by aDVll, April 01, 2016, 03:03:56 PM


aDVll

So I wanted to run an application from within the same desktop and not use a different one, so I have the program run on my current window (no clue how to describe it, but I hope you get the idea). So I found out I can do that with the setting "Use separate desktop", which I can disable, but then I saw that doing that and leaving DESKTOP_HOOKCONTROL on (have to leave it on for the application to work correctly) is a critical security issue.
So is there a way to run the application restricted without doing the above, which leaves me unprotected again?

Thanks for any input and ideas.

fixer

Hello, aDVll.
Usually the most convenient case is to strip the DESKTOP_HOOKCONTROL privilege and use the current desktop. But unfortunately some programs work incorrectly if they don't have the DESKTOP_HOOKCONTROL privilege.
In this case the recommended scenario is to use a separate desktop. If a separate desktop is not an option, the only way is to accept some risk. You will still be protected from most undesirable activity, but some holes will be left open which may lead to an escape from the isolated environment to other non-isolated applications running on the same desktop.
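As an added check (example code, not from this thread or from ReHIPS), the PowerShell below, run from inside the isolated program (for example a powershell.exe started through ReHIPS), reports which desktop the process is attached to and whether DESKTOP_HOOKCONTROL can still be obtained on it. It uses the documented user32 desktop APIs; that the restriction shows up as an access-denied result from OpenDesktop is an assumption about how the right is stripped.

```powershell
# Added example: inspect the current desktop and test for DESKTOP_HOOKCONTROL.
$sig = @'
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetThreadDesktop(uint dwThreadId);
[DllImport("kernel32.dll")]
public static extern uint GetCurrentThreadId();
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool GetUserObjectInformation(IntPtr hObj, int nIndex,
    System.Text.StringBuilder pvInfo, uint nLength, out uint lpnLengthNeeded);
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenDesktop(string lpszDesktop, uint dwFlags,
    bool fInherit, uint dwDesiredAccess);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseDesktop(IntPtr hDesktop);
'@
$Desk = Add-Type -MemberDefinition $sig -Name 'DesktopApi' -Namespace 'Win32' -PassThru

$UOI_NAME            = 2        # GetUserObjectInformation: object name
$DESKTOP_HOOKCONTROL = 0x0008   # the access right the thread is about
$ERROR_ACCESS_DENIED = 5

# 1. Which desktop is this thread attached to? "Default" is the normal
#    interactive desktop; any other name means "Use separate desktop" applied.
$hThreadDesk = $Desk::GetThreadDesktop($Desk::GetCurrentThreadId())
$sb = New-Object System.Text.StringBuilder 256
$needed = [uint32]0
[void]$Desk::GetUserObjectInformation($hThreadDesk, $UOI_NAME, $sb, 512, [ref]$needed)
$name = $sb.ToString()
if ($name -eq 'Default') { "Desktop: $name (the shared interactive desktop)" }
else                     { "Desktop: $name (a separate desktop)" }

# 2. Ask the desktop object for DESKTOP_HOOKCONTROL only. The access check is
#    done against the desktop's DACL with this process's token, so an
#    access-denied result means the right has been stripped (assumption: that
#    is how the sandbox enforces it).
$h   = $Desk::OpenDesktop($name, 0, $false, $DESKTOP_HOOKCONTROL)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if ($h -ne [IntPtr]::Zero) {
    [void]$Desk::CloseDesktop($h)
    "DESKTOP_HOOKCONTROL: GRANTED on '$name' (hooks into other windows possible)"
} elseif ($err -eq $ERROR_ACCESS_DENIED) {
    "DESKTOP_HOOKCONTROL: DENIED on '$name' (privilege stripped)"
} else {
    "OpenDesktop failed with Win32 error $err"
}
```

The combination that the thread warns about is the output "Desktop: Default" together with "DESKTOP_HOOKCONTROL: GRANTED".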

aDVll

Quote from: fixer on April 01, 2016, 03:56:35 PM
Hello, aDVll.
Usually the most convenient case is to strip the DESKTOP_HOOKCONTROL privilege and use the current desktop. But unfortunately some programs work incorrectly if they don't have the DESKTOP_HOOKCONTROL privilege.
In this case the recommended scenario is to use a separate desktop. If a separate desktop is not an option, the only way is to accept some risk. You will still be protected from most undesirable activity, but some holes will be left open which may lead to an escape from the isolated environment to other non-isolated applications running on the same desktop.
Just like I understood it, then. So, if you don't mind me asking, would the attack to get out of the containment have to be targeted against ReHIPS, or could normal ransomware/viruses/etc. do it?

fixer

Let's see. You have some application that you run in an isolated environment on the main desktop with the DESKTOP_HOOKCONTROL privilege enabled. There are 2 possible attack waves.
1. The first wave: your application was exploited and started to execute some shellcode. From my experience it's unlikely that an escape happens here. Shellcode is usually as small as possible and targeted at downloading and executing the main payload.
2. The second wave: payload execution. If it's executed as a separate process, ReHIPS should warn you that your application is trying to run a process. If it's executed in-process (from my experience it happens quite rarely), then it depends on the payload and an escape is possible.

To sum it all up: I don't think some public widespread generic malware will escape the isolation unless it's some sophisticated or targeted stuff.

aDVll