RE: Bypassing Personal Firewalls

From: John Howie (JHowieat_private)
Date: Fri Feb 21 2003 - 16:51:56 PST


    Folks,
    
    The security model employed by the OS for calls to OpenProcess () and
    the like is not radically different from that used in calls such as
    CreateFile (). The true problem is the lack of understanding of process
    and thread creation on Win32 systems.
    
    A process created using CreateProcess () can have a DACL set on it,
    using a security descriptor. Without an explicit security descriptor the
    process will inherit a default security descriptor, which is the
    security descriptor for the process calling CreateProcess (), and
    ultimately will have come from the primary or impersonation token.
    
    As most user processes can trace their roots to EXPLORER.EXE and as
    most, if not all, calls to CreateProcess () neglect to explicitly set a
    security descriptor with a DACL, any process created from EXPLORER.EXE
    has access to any other process created from EXPLORER.EXE as the default
    security descriptor contains a DACL that will grant them full access.
    
    If explicit security descriptors were set during CreateProcess () things
    like Task Manager would fail, processes could not communicate with each
    other, etc. However, it is important to understand that the most that
    can happen is that a user can only access, corrupt, or interfere with
    their processes using the same default security descriptor. A user
    should not be able to access a process in another logon session,
    including processes launched using the Secondary Logon service, as the
    session SID in the token will be different, if not the SID of the owner.
    The exception is that if the user has privileges above what is normally
    afforded to users, such as Debug programs or Act as part of the
    operating system, they would be able to affect any process.
    
    In reality the process model is not that different from *nix systems,
    and is not really any more vulnerable. I can think of code injection
    attacks that work along similar lines on *nix systems, which don't
    have the concept of DACLs for protection, and rely on uid only.
    
    To secure applications, developers might want to consider how they call
    CreateProcess (), or use SetSecurityInfo (), to protect their
    applications running as processes from unwanted interference by other
    processes in the same logon session.
    
    John
    



    This archive was generated by hypermail 2b30 : Sun Feb 23 2003 - 08:45:02 PST