Google disclosed the details of a Windows ​​AppContainer vulnerability because Microsoft initially had no plans to fix it.
Google Project Zero experts disclosed the details of a Windows ​​AppContainer flaw after Microsoft announced it had no plans to fix it.
The team focused its analysis on Windows Firewall and AppContainer that were designed by Microsoft to limit the attack surface of applications. Bypass network restrictions in AppContainer sandboxes could allow an attacker to access services on localhost, as well as granting access to intranet resources in an enterprise organization.
Google Project Zero researcher James Forshaw discovered an issue in the configuration of Windows Firewall that could allow attackers to bypass restrictions and allowed an AppContainer process to access the network.
“Recently I’ve been delving into the inner workings of the Windows Firewall. This is interesting to me as it’s used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.” wrote Forshaw.
“I recently discovered a configuration issue with the Windows Firewall which allowed the restrictions to be bypassed and allowed an AppContainer process to access the network. Unfortunately Microsoft decided it didn’t meet the bar for a security bulletin so it’s marked as WontFix.”
According to Google, Microsoft decided to label the issue as WontFix.
“The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.” reads the security advisory published by Microsoft. “Connecting to an external network resource from an AppContainer is enforced through default rules in the WFP. For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. This layer can contain rules such as “InternetClient Default Rule” which will match if the caller is in an AC and has the Internet Capability. If a match is made then the connection is allowed. Eventually an AC process will match the “Block Outbound Default Rule” rule if nothing else has which will block any connection attempt.”
Google discloses unpatched Microsoft WFP Default Rules AppContainer Bypass EoP
DevOps and Containers Security
