[BUG] JOB_OBJECT_UILIMIT_HANDLES doesn't limit hooks

Started by fixer, September 13, 2017, 02:22:12 PM


fixer

This one can be considered a serious security issue. But I don't know if it's a bug in Windows or (more likely) a bug in the documentation. MSDN says:

Quote:
If you specify the JOB_OBJECT_UILIMIT_HANDLES flag, when a process associated with the job broadcasts messages, they are only sent to top-level windows owned by processes associated with the same job. In addition, hooks can be installed only on threads belonging to processes associated with the job.
Windows are filtered indeed (though it doesn't prevent taking screenshots). But reading this, one may get the false impression that a process in a job with this limit will be isolated from other processes and won't be able to set hooks in them. Even popular products like Chromium or Adobe products fall victim to this bug, as they write in their documentation:
Quote:
The target process also runs under a Job object. Using this Windows mechanism, some interesting global restrictions that do not have a traditional object or security descriptor associated with them are enforced:
...
Forbid setting global Windows hooks (using SetWindowsHookEx())
and
Quote:
Our job object sets the UILIMIT_HANDLES restriction. This prevents the sandboxed process from setting hooks into processes not associated with our job.
The sad truth is that this job limit doesn't protect from hooks. A DLL is successfully injected into other processes, and with arbitrary code execution in the context of other processes, it's security game over.