[vbox-dev] HARDENING fails to verify DLLs depending on INTERACTIVE user vs. NOT

Thorsten Schöning tschoening at am-soft.de
Fri Apr 30 10:23:35 GMT 2021


Hi all,

I would like to use VirtualBox-6.1.18-142142-Win.exe on a Windows
Server 2019 to host a few VMs. The important thing, of course, is
that those VMs need to run automatically regardless of any interactive
user login AND I would like to restrict the user which is running the
VMs for security reasons.

In theory this should easily be possible by creating a standard user
in Windows and a task in the task scheduler to execute a VM headless
using that user and e.g. the following command line:

> VBoxManage startvm "[...]" --type headless

In practice it's not that easy because of HARDENING: Whenever my user
is a member of the group ADMINISTRATORS, VMs start successfully using
the task scheduler, while they don't as a normal user. However, when
opening a cmd.exe interactively as my normal user and executing the
above command line manually, the VMs start successfully as well.

https://ibb.co/bWyQJCF

That makes some sense as well, because Windows assigns a lot of
permissions by default to either admins or interactive users that are
otherwise not granted. That's exactly what we saw e.g. regarding COM
components of VirtualBox in a former mail of mine.

HARDENING simply refuses to load necessary and otherwise legitimate
Windows DLLs:

> 00:00:00.698930 supR3HardenedErrorV: supR3HardenedScreenImage/LdrLoadDll: rc=VERR_LDRVI_NOT_SIGNED fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll: Not signed.
> 00:00:00.699270 supR3HardenedErrorV: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Windows\System32\NetSetupShim.dll' (C:\Windows\System32\NetSetupShim.dll): rcNt=0xc0000190
> 00:00:00.699485 NetworkAttachmentType_Bridged: Failed to get NetCfg, hrc=ERROR_TRUST_FAILURE 0x800706FE (0x800706fe)
> 00:00:00.699543 AssertLogRel F:\tinderbox\win-6.1\src\VBox\Main\src-client\ConsoleImpl2.cpp(5376) int __cdecl Console::i_configNetwork(const char *,unsigned int,unsigned int,struct INetworkAdapter *,struct CFGMNODE *,struct CFGMNODE *,struct CFGMNODE *,bool,bool): !FAILED(hrc)
> 00:00:00.699551 hrc=ERROR_TRUST_FAILURE 0x800706FE
> 00:00:00.699812 Constructor failed with rc=VERR_MAIN_CONFIG_CONSTRUCTOR_COM_ERROR pfnCFGMConstructor=00007ffc15bd1e60
> 00:00:00.825718 VMSetError: F:\tinderbox\win-6.1\src\VBox\VMM\VMMR3\VM.cpp(318) int __cdecl VMR3Create(unsigned int,const struct VMM2USERMETHODS *,void (__cdecl *)(struct UVM *,void *,int,const char *,unsigned int,const char *,const char *,char *),void *,int (__cdecl *)(struct UVM *,struct VM *,void *),void *,struct VM **,struct UVM **); rc=VERR_MAIN_CONFIG_CONSTRUCTOR_COM_ERROR
> 00:00:00.825723 VMSetError: The configuration constructor in main failed due to a COM error. Check the release log of the VM for further details.
> 00:00:00.825944 ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={The configuration constructor in main failed due to a COM error. Check the release log of the VM for further details. (VERR_MAIN_CONFIG_CONSTRUCTOR_COM_ERROR)}, preserve=false aResultDetail=-6400
> 00:00:00.826282 Console: Machine state changed to 'PoweredOff'
> 00:00:00.842116 Power up failed (vrc=VERR_MAIN_CONFIG_CONSTRUCTOR_COM_ERROR, rc=E_FAIL (0X80004005))

The logs for HARDENING itself contain the following additional
details, which clearly show that some checks didn't succeed. For some
reason the hash and digest of the file aren't found in the Windows
catalogs in this context, while the exact same values are found when
executed as admin, for example.

> 2798.fc: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffc74d20000 'C:\windows\system32\rsaenh.dll'
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hFile=0000000000000808 pwszName=\Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: Cached context 00000000019efab0
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019efab0
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: New context 00000000019ef030
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019ef030
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: Cached context 00000000019eef70
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019eef70
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: cbHash=32 wszDigest=668C2310EFB19B6732352E1B4C6B047E3037FC14D9878DA0CC690CFA6D37CE20
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: New context 00000000019efab0
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019efab0
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: cbHash=32 wszDigest=668C2310EFB19B6732352E1B4C6B047E3037FC14D9878DA0CC690CFA6D37CE20
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile -> -22900 (org 22900)
> 2798.fc: supHardenedWinVerifyImageByHandle: -> -22900 (\Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll) WinVerifyTrust
> 2798.fc: Error (rc=0):
> 2798.fc: supR3HardenedScreenImage/LdrLoadDll: rc=Unknown Status -22900 (0xffffa68c) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll: Not signed.
> 2798.fc: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll
> 2798.fc: Error (rc=0):
> 2798.fc: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Windows\System32\NetSetupShim.dll' (C:\Windows\System32\NetSetupShim.dll): rcNt=0xc0000190
> 2798.fc: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000190 'C:\Windows\System32\NetSetupShim.dll'
> 2798.36d4: supR3HardenedDllNotificationCallback: Unload 00007ffc2aa90000 LB 0x000ef000 C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll [flags=0x0]
> 2798.36d4: supR3HardenedDllNotificationCallback: Unload 00007ffc77240000 LB 0x00052000 C:\windows\System32\SHLWAPI.dll [flags=0x0]
> 2798.36d4: supR3HardenedDllNotificationCallback: Unload 00007ffc15f60000 LB 0x003c0000 C:\Program Files\Oracle\VirtualBox\VBoxC.dll [flags=0x0]
> 2798.36d4: Terminating the normal way: rcExit=0
> 1938.2ca0: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0x0 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 1448 ms, the end);
> 35f4.18b0: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x0 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 1921 ms, the end);

> /* Get the next match. */
> HCATINFO hCatInfo = g_pfnCryptCATAdminEnumCatalogFromHash(hCatAdmin, abHash, cbHash, 0, &hCatInfoPrev);
> if (!hCatInfo)
> {
>     if (!fFreshContext)
>     {
>         SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> %u; iCat=%#x)\n", RtlGetLastWin32Error(), iCat));
>         if (hCatInfoPrev != NULL)
>             g_pfnCryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfoPrev, 0 /*dwFlags*/);
>         g_pfnCryptCATAdminReleaseContext(hCatAdmin, 0 /*dwFlags*/);
>         goto l_fresh_context;
>     }
>     ULONG ulErr = RtlGetLastWin32Error();
>     fNoSignedCatalogFound = ulErr == ERROR_NOT_FOUND && fNoSignedCatalogFound != 0;
>     if (iCat == 0)
>         SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (%u)\n", ulErr));
>     else if (iCat == 0)
>         SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed %u\n", ulErr));
>     break;
> }

https://www.virtualbox.org/browser/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp#L2703

The following is what a successful verification of that same file
looks like. Look especially at "cbHash" and "wszDigest", which should
be the exact same values as for the first attempt in the former logs.
So if this verification succeeds, the catalogs contain the necessary
data and the state of the DLL is obviously OK.

> supR3HardNtViCallWinVerifyTrustCatFile: hFile=0000000000000930 pwszName=\Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll
> supR3HardNtViCallWinVerifyTrustCatFile: Cached context 0000000001433810
> supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=0000000001433810
> supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58

The following lines are of additional interest because they seem to
contain some Windows error code:

> supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
> supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)

Which might be the following:

> ERROR_SERVICE_NOT_ACTIVE
> 1062 (0x426)
> The service has not been started.

https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1000-1299-

Any idea what the not active service might be in the context of a
normal, non-interactive user? Any other idea about the root cause of
this problem?

Thanks!

Kind regards

Thorsten Schöning

P.S.: HARDENING has caused a LOT of trouble for people over the
years, so you should really reconsider your opinion regarding runtime
options to disable it in some environments. Just look at my scenario:
A restricted user does not work OOB, while an admin does. That doesn't
make any sense regarding security... :-)

https://forums.virtualbox.org/viewtopic.php?f=6&t=84697
https://forums.virtualbox.org/viewtopic.php?f=6&t=92045
https://forums.virtualbox.org/viewtopic.php?f=6&t=89937
https://forums.virtualbox.org/viewtopic.php?f=6&t=84523
https://forums.virtualbox.org/viewtopic.php?f=6&t=82277
https://superuser.com/questions/838777/virtual-box-fail-load-virtual-machine-e-fail-0x80004005

-- 
AM-SoFT IT-Service - Bitstore Hameln GmbH i.G.
Member of the Bitstore Group - your full-service provider for IT and telecommunications

E-Mail: Thorsten.Schoening at AM-SoFT.de
Web:    http://www.AM-SoFT.de/

Tel:    05151-  9468- 0
Tel:    05151-  9468-55
Fax:    05151-  9468-88
Mobile: 0178-8 9468-04

AM-SoFT IT-Service - Bitstore Hameln GmbH i.G., Brandenburger Str. 7c, 31789 Hameln
Hannover District Court, HRB pending - Managing Director: Janine Galonska
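The mail above compares a catalog lookup that fails under a scheduled task with one that succeeds from an interactive shell. The script below is an added diagnostic for reproducing that comparison; it is neither VirtualBox code nor part of the original mail. It records, for the context it runs in, which logon-type SIDs the token carries (a task configured to run whether the user is logged on or not gets a batch logon, S-1-5-3, whereas an interactive cmd.exe carries S-1-5-4), whether Cryptographic Services (CryptSvc, which hosts the catalog database) is running, and what the same catalog-backed signature check yields via Get-AuthenticodeSignature. The default file path, the log file location and the choice of CryptSvc as the first service to look at are assumptions made for this example. Note that the wszDigest values in the HARDENING log are Authenticode hashes computed by CryptCATAdminCalcHashFromFileHandle over the PE image, not flat file hashes, so Get-FileHash will not reproduce them and the script does not try to.

```powershell
# Added diagnostic, not VirtualBox code and not part of the original mail.
# Run it twice as the restricted user: once from an interactive cmd.exe and
# once as the action of the same scheduled task that starts the VM, then
# diff the two log files. Path and LogPath are assumptions; adjust as needed.
param(
    [string]$Path    = "$env:SystemRoot\System32\NetSetupShim.dll",
    [string]$LogPath = "$env:TEMP\catcheck-$PID.log"
)

$lines = New-Object System.Collections.Generic.List[string]

# 1. Who am I, and how was this token created?  "Run whether user is logged
#    on or not" produces a batch logon (S-1-5-3); an interactive cmd.exe
#    carries S-1-5-4 (INTERACTIVE), to which Windows grants defaults that a
#    batch token does not get.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$pr        = New-Object System.Security.Principal.WindowsPrincipal($id)
$groupSids = $id.Groups | ForEach-Object { $_.Value }
$isAdmin   = $pr.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
$lines.Add("User:        $($id.Name)")
$lines.Add("Admin token: $isAdmin")
$lines.Add("INTERACTIVE: $($groupSids -contains 'S-1-5-4')")
$lines.Add("BATCH:       $($groupSids -contains 'S-1-5-3')")
$lines.Add("SERVICE:     $($groupSids -contains 'S-1-5-6')")

# 2. Is the catalog database service reachable?  CryptCATAdmin* goes through
#    Cryptographic Services (CryptSvc); Win32 error 1062 is
#    ERROR_SERVICE_NOT_ACTIVE, so this is the first service worth checking
#    (an assumption of this example, not an established root cause).
$svc = Get-Service -Name CryptSvc -ErrorAction SilentlyContinue
$lines.Add("CryptSvc:    $(if ($svc) { $svc.Status } else { 'not found' })")

# 3. Repeat the catalog lookup that HARDENING performs.  For a file without
#    an embedded signature, Get-AuthenticodeSignature consults the security
#    catalogs; a healthy result is Status=Valid, SignatureType=Catalog.
if (Test-Path -LiteralPath $Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $lines.Add("File:        $Path")
    $lines.Add("Status:      $($sig.Status) ($($sig.StatusMessage))")
    $lines.Add("SigType:     $($sig.SignatureType)")
    $lines.Add("Signer:      $($sig.SignerCertificate.Subject)")
} else {
    $lines.Add("File:        $Path (not found)")
}

# 4. Can this user even enumerate the catalog store on disk?
$catRoot = Join-Path $env:SystemRoot 'System32\CatRoot'
try {
    $catCount = (Get-ChildItem -Path $catRoot -Recurse -Filter '*.cat' -ErrorAction Stop | Measure-Object).Count
    $lines.Add("CatRoot:     readable, $catCount catalog files")
} catch {
    $lines.Add("CatRoot:     NOT readable: $($_.Exception.Message)")
}

$lines | Set-Content -Path $LogPath -Encoding UTF8
$lines | Write-Output
```

Point the scheduled task's action at `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\path\catcheck.ps1` with the same "Run whether user is logged on or not" setting as the VM task, and compare the resulting log with one produced from the interactive shell. If the BATCH/INTERACTIVE lines differ but CryptSvc is running and Status is Valid in both, the catalog store itself is fine and the difference has to be in what HARDENING's process does beyond the lookup; if Status differs, the token, not VirtualBox, is the thing to look at next. `whoami /groups` run as the task action shows the same SIDs without the script.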

