Windows User Account Control and Chromium Sandbox


Lorenzo Lamas

Nov 23, 2021, 2:14:11 PM
to Security-dev
Part of the Chromium Sandbox Architecture on Windows relies on processes running with a low/untrusted Integrity Level. UAC (User Account Control) normally prevents a process from getting admin rights (high IL) without approval from the user in the form of a prompt.
If you set UAC to never notify, the user does not get any prompts and everything is automatically approved.
Does this affect or weaken the Chromium sandbox? I set UAC to never notify, gave a copy of cmd.exe low integrity level, and with that low integrity cmd.exe I was able to launch a high integrity level process without any warning. It seems to me that this undermines the foundation on which the Chromium sandbox is built, and would break or make it easier to escape the sandbox. Is that correct?

James Forshaw

Nov 23, 2021, 2:45:11 PM
to Security-dev, Lorenzo Lamas
In a word, no. It doesn't affect or weaken the Chromium sandbox. The Chromium sandbox makes use of more than just the integrity level to enforce the sandboxing of processes. For example, we use restricted tokens to further limit the access that a sandbox process can have to system resources and services. In your example, the AppInfo service which implements the UAC feature checks the caller's token when a request to spawn a new privileged process is made. The check permits callers where the only security change is a low integrity level, such as your low integrity cmd; however, the check doesn't succeed for any of the sandbox tokens we create for Chromium, so the attack vector is blocked.

Fundamentally, we're limited by the security that Microsoft put into their own operating system. In theory they could have made the UAC service allow any caller to spawn any privileged process, at which point it'd be a problem. However, if such an attack vector were discovered, Microsoft would generally patch it so that it's no longer an issue. That said, if you're interested and want to see such an example where I abused the UAC service to escape the Chromium sandbox (as used in Firefox) due to a Microsoft kernel bug, see this blog post.

James.
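A defender-side check for the distinction James draws above (low integrity level alone versus a restricted or AppContainer token), added here as an example and not part of the thread. It assumes the NtObjectManager PowerShell module and its Get-NtToken cmdlet, and that the returned token object exposes IntegrityLevel, Restricted and AppContainer properties as named here; run it from an elevated prompt so every chrome.exe token can be opened.

```powershell
# Added example, not code from the thread. Assumes the NtObjectManager module
# (Install-Module NtObjectManager) and that Chrome is running.
Import-Module NtObjectManager

# 1. Report the UAC prompt setting. ConsentPromptBehaviorAdmin = 0 is
#    "elevate without prompting", i.e. the "never notify" state in the question.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
} | Format-List

# 2. Classify the token of every chrome.exe. A token whose only change is a
#    low/untrusted IL is the case the AppInfo check still accepts; a restricted
#    or AppContainer token is what the sandbox creates for its target processes.
$report = foreach ($p in Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    try {
        $tok = Get-NtToken -ProcessId $p.Id   # property names below are assumed
    } catch {
        continue                              # skip processes we cannot open
    }
    # Chrome's child processes carry --type=<kind> (renderer, gpu-process, ...)
    $cmd  = (Get-CimInstance Win32_Process -Filter "ProcessId=$($p.Id)").CommandLine
    $kind = if ($cmd -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
    [pscustomobject]@{
        Pid            = $p.Id
        Type           = $kind
        IntegrityLevel = $tok.IntegrityLevel
        Restricted     = $tok.Restricted
        AppContainer   = $tok.AppContainer
        # True only for the weak configuration: low IL with no restricting
        # SIDs and no AppContainer, which is what the question's cmd.exe had.
        LowILOnly      = ($tok.IntegrityLevel -le 'Low') -and
                         -not $tok.Restricted -and -not $tok.AppContainer
    }
    $tok.Dispose()
}
$report | Sort-Object Type, Pid | Format-Table -AutoSize
```

Any row with LowILOnly set to True is a process that relies on integrity level alone, which is the situation the thread explains the sandbox's restricted tokens avoid.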

Lorenzo Lamas

Nov 24, 2021, 4:52:58 AM
to Security-dev, for...@chromium.org, Lorenzo Lamas
Thank you for the fast and elaborate reply! Interesting stuff, and thanks for the example!