Bugtraq mailing list archives

RE: Bypassing Personal Firewalls


From: "John Howie" <JHowie () securitytoolkit com>
Date: Fri, 21 Feb 2003 16:51:56 -0800

Folks,

The security model employed by the OS for calls to OpenProcess () and
the like is not radically different from that used in calls such as
CreateFile (). The true problem is the lack of understanding of process
and thread creation on Win32 systems.

A process created using CreateProcess () can have a DACL set on it,
using a security descriptor. Without an explicit security descriptor the
process will inherit a default security descriptor, which is the
security descriptor for the process calling CreateProcess (), and
ultimately will have come from the primary or impersonation token.

As most user processes can trace their roots to EXPLORER.EXE and as
most, if not all, calls to CreateProcess () neglect to explicitly set a
security descriptor with a DACL, any process created from EXPLORER.EXE
has access to any other process created from EXPLORER.EXE as the default
security descriptor contains a DACL that will grant them full access.

If explicit security descriptors were set during CreateProcess () things
like Task Manager would fail, processes could not communicate with each
other, etc. However, it is important to understand that the most that
can happen is that a user can only access, corrupt, or interfere with
their processes using the same default security descriptor. A user
should not be able to access a process in another logon session,
including processes launched using the Secondary Logon service, as the
session SID in the token will be different, if not the SID of the owner.
The exception is that if the user has privileges above what is normally
afforded to users, such as Debug programs or Act as part of the
operating system, they would be able to affect any process.

In reality the process model is not that different from *nix systems,
and is not really any more vulnerable. I can think of code injection
attacks that work along similar lines on *nix systems, which don't
have the concept of DACLs for protection, and rely on uid only.

To secure applications, developers might want to consider how they call
CreateProcess (), or use SetSecurityInfo (), to protect their
applications running as processes from unwanted interference by other
processes in the same logon session.

John
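As an added illustration of the closing suggestion (my code, not the poster's), a Win32 C program that uses SetSecurityInfo() to replace its own process DACL with one that keeps SYSTEM at full access and limits the owning user, and therefore every sibling process in the same logon session, to query/synchronize rights. The rights mask (0x100400) and the SDDL layout are my choices; the Windows part must be built on Windows and linked against advapi32, while the SDDL builder alone compiles anywhere.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#include <aclapi.h>
#endif
/* DACL in SDDL form: SYSTEM keeps full access, the owning user (and so every
 * sibling process in the logon session) gets only PROCESS_QUERY_INFORMATION |
 * SYNCHRONIZE (0x100400), so OpenProcess() with PROCESS_VM_WRITE,
 * PROCESS_CREATE_THREAD or PROCESS_TERMINATE from a sibling is denied. */
int build_process_sddl(const char *owner_sid, char *out, size_t n) {
    int len = snprintf(out, n, "D:(A;;GA;;;SY)(A;;0x100400;;;%s)", owner_sid);
    return len > 0 && (size_t)len < n;   /* 1 = fits, 0 = truncated */
}

#ifdef _WIN32
/* Apply that DACL to the calling process via SetSecurityInfo(); 1 on success. */
int restrict_own_process_dacl(void) {
    HANDLE tok = NULL; DWORD len = 0; int ok = 0;
    char sddl[320]; LPSTR sid_str = NULL; PTOKEN_USER tu = NULL;
    PSECURITY_DESCRIPTOR sd = NULL; PACL dacl = NULL;
    BOOL present = FALSE, defaulted = FALSE;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 0;
    GetTokenInformation(tok, TokenUser, NULL, 0, &len);          /* size query */
    tu = (PTOKEN_USER)LocalAlloc(LPTR, len);
    if (tu && GetTokenInformation(tok, TokenUser, tu, len, &len) &&
        ConvertSidToStringSidA(tu->User.Sid, &sid_str) &&        /* owner SID */
        build_process_sddl(sid_str, sddl, sizeof sddl) &&
        ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sd, NULL) &&
        GetSecurityDescriptorDacl(sd, &present, &dacl, &defaulted) && present)
        ok = SetSecurityInfo(GetCurrentProcess(), SE_KERNEL_OBJECT,
                             DACL_SECURITY_INFORMATION, NULL, NULL, dacl, NULL)
             == ERROR_SUCCESS;
    if (sd) LocalFree(sd);
    if (sid_str) LocalFree(sid_str);
    if (tu) LocalFree(tu);
    CloseHandle(tok);
    return ok;
}

int main(void) {
    if (!restrict_own_process_dacl()) { fputs("SetSecurityInfo failed\n", stderr); return 1; }
    printf("PID %lu: sibling processes of this user can now only query/wait on it\n",
           GetCurrentProcessId());
    Sleep(60000);   /* stay alive so the new DACL can be inspected, e.g. in Process Explorer */
    return 0;
}
#endif
```

As the post notes, holders of the Debug programs privilege (administrators by default) are unaffected, and the user's own Task Manager can no longer end the process, which is exactly the trade-off described above.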

