Vulnerability Development mailing list archives
Re: Windows NT does not check permissions after HANDLEs are open
From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 29 Aug 2001 21:48:05 -0700
c0ncept () hushmail com wrote:
> The component of the NT executive responsible for enforcing ACLs and DACLs is known as the Security Reference Monitor. When a kernel resource is requested, the requesting program specifies the type of access it desires. The SRM checks against the access list, and grants the requestor a HANDLE to the object if the requestor has appropriate rights. The check against the ACL only occurs when the HANDLE is first opened, however. If a HANDLE is opened and permissions on the object subsequently change, the original requestor of the object retains the original access-permissions. Therefore, it is possible to retain access to an object after the Create/Owner or an administrator has changed the ACL simply by maintaining an open handle. If the requestor is a service or server-program that is expected to run 24/7 the object will remain accessible long after the ACL has been altered [think ISAPI, extended stored procedures, et al].
I believe this is documented, though perhaps in a different context. If you, as a domain admin, have given someone a right, or group membership, etc... and they log in with that... they hang onto it for the entire time they are logged in. It becomes part of the "security token". You can yank the right, but they hang onto it until they log out, or you do a forced logout. This is from the MS certification classes.

I think the same applies in your example. There's probably a way to force the handle to go away, then they'd have no rights. Of course, the program using the handle would probably fall over dead, too...

BB
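
The behaviour both messages describe, as a toy model added here (not part of the original posts, and not Windows API code): the DACL is consulted only when a handle is opened, and group membership is captured only when the token is built at logon. `Token`, `ObjectManager`, `succeeds`, `demo` and the sample user and group are hypothetical names.

```python
# Toy model, not Windows API code; all class and function names are hypothetical.
READ = 0x1

class Token:
    def __init__(self, user, directory):    # group SIDs are snapshotted at logon
        self.sids = frozenset({user} | directory.get(user, set()))

class ObjectManager:
    def __init__(self):
        self.handles, self._next = {}, 4     # handle -> granted access mask

    def open(self, token, dacl, desired):    # the only point the DACL is consulted
        allowed = 0
        for sid in token.sids:
            allowed |= dacl.get(sid, 0)      # dacl maps SID -> allowed mask
        if desired & ~allowed:
            raise PermissionError("access denied at open")
        handle, self._next = self._next, self._next + 4
        self.handles[handle] = desired
        return handle

    def read(self, handle):                  # checks the mask cached in the handle
        if not self.handles[handle] & READ:  # KeyError once the handle is closed
            raise PermissionError("handle was not opened for READ")
        return True

    def force_close(self, handle):
        self.handles.pop(handle, None)

def succeeds(fn, *args):
    try:
        return bool(fn(*args))
    except (PermissionError, KeyError):
        return False

def demo():
    directory = {"alice": {"staff"}}         # constructed sample data
    om, dacl = ObjectManager(), {"staff": READ}
    token = Token("alice", directory)        # logon
    handle = om.open(token, dacl, READ)
    directory["alice"].discard("staff")      # admin yanks the group membership
    out = {"stale_token_open": succeeds(om.open, token, dacl, READ),
           "fresh_token_open": succeeds(om.open, Token("alice", directory), dacl, READ)}
    dacl.clear()                             # admin tightens the ACL
    out["old_handle_read"] = succeeds(om.read, handle)
    out["open_after_acl_change"] = succeeds(om.open, token, dacl, READ)
    om.force_close(handle)                   # the forced close the reply speculates about
    out["read_after_forced_close"] = succeeds(om.read, handle)
    return out
```

In the model, only a fresh logon or a forced handle close makes the revocation take effect; the stale token and the already-open handle keep working until then.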