Folks,

The security model employed by the OS for calls to OpenProcess () and the like is not radically different from that used in calls such as CreateFile (). The true problem is the lack of understanding of process and thread creation on Win32 systems.

A process created using CreateProcess () can have a DACL set on it, using a security descriptor. Without an explicit security descriptor the process will inherit a default security descriptor, which is the security descriptor for the process calling CreateProcess (), and ultimately will have come from the primary or impersonation token. As most user processes can trace their roots to EXPLORER.EXE, and as most, if not all, calls to CreateProcess () neglect to explicitly set a security descriptor with a DACL, any process created from EXPLORER.EXE has access to any other process created from EXPLORER.EXE, as the default security descriptor contains a DACL that will grant them full access. If explicit security descriptors were set during CreateProcess (), things like Task Manager would fail, processes could not communicate with each other, etc.

However, it is important to understand that the most that can happen is that a user can only access, corrupt, or interfere with their own processes using the same default security descriptor. A user should not be able to access a process in another logon session, including processes launched using the Secondary Logon service, as the session SID in the token will be different, if not the SID of the owner. The exception is that if the user has privileges above what is normally afforded to users, such as Debug programs or Act as part of the operating system, they would be able to affect any process.

In reality the process model is not that different from *nix systems, and is not really any more vulnerable. I can think of code injection attacks that work along similar lines on *nix systems, which don't have the concept of DACLs for protection and rely on uid only.

To secure applications, developers might want to consider how they call CreateProcess (), or use SetSecurityInfo (), to protect their applications running as processes from unwanted interference by other processes in the same logon session.

John
This archive was generated by hypermail 2b30 : Sun Feb 23 2003 - 08:45:02 PST