Topic: [BUG] JOB_OBJECT_UILIMIT_HANDLES doesn't limit hooks

fixer

[BUG] JOB_OBJECT_UILIMIT_HANDLES doesn't limit hooks
« on: September 13, 2017, 02:22:12 pm »
This one can be considered a serious security issue. But I don't know if it's a bug in Windows or (more likely) a bug in the documentation. MSDN says:
Quote
If you specify the JOB_OBJECT_UILIMIT_HANDLES flag, when a process associated with the job broadcasts messages, they are only sent to top-level windows owned by processes associated with the same job. In addition, hooks can be installed only on threads belonging to processes associated with the job.
Windows are indeed filtered (though this doesn't prevent taking screenshots). But reading this, one may get the false impression that a process in a job with this limit will be isolated from other processes and won't be able to set hooks in them. Even popular products like Chromium or Adobe products fall victim to this bug, as they write in their documentation:
Quote
The target process also runs under a Job object. Using this Windows mechanism, some interesting global restrictions that do not have a traditional object or security descriptor associated with them are enforced:
...
Forbid setting global Windows hooks (using SetWindowsHookEx())
and
Quote
Our job object sets the UILIMIT_HANDLES restriction. This prevents the sandboxed process from setting hooks into processes not associated with our job.
The sad truth is that this job limit doesn't protect from hooks. A DLL is successfully injected into other processes, and with arbitrary code execution in the context of other processes, it's security game over.