Vulnerability Development mailing list archives
Re: Why MS namedpipe work this way
From: "Ryan Permeh" <ryan () eEye com>
Date: Tue, 11 Dec 2001 09:54:53 -0800
actually, this is only partly true. you can compare SE priv levels granted to the tokens. at very least, you can drop all (or almost all) privs from the token before impersonation. i believe there is an option in some of the Impersonate* win32 api code to handle automatic dropping of privileges, but it's been a while since i played with them. Also, Administrator and LOCAL_SYSTEM (and a few hardcoded groups) should always have the same SID, since they are integral to the operation of the system. They may not have the same name, or password, but by doing SID comparisons against known accounts or groups, you could imply a hierarchy, at least logically.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "3APA3A" <3APA3A () SECURITY NNOV RU>
To: "Minchu Mo" <morris_minchu () iwon com>
Cc: <vuln-dev () securityfocus com>
Sent: Monday, December 10, 2001 10:51 PM
Subject: Re: Why MS namedpipe work this way
Hello Minchu, --Monday, December 10, 2001, 2:56:05 PM, you wrote to
vuln-dev () securityfocus com:
MM> Would it be better to have this function
MM> ImpersonateNamedPipeClient() work only in case
MM> when namedpipe server has higher privilege than
MM> client.

Under *nix there is a superuser with uid 0 and ordinary users. Under Windows there are no things like that. There is a set of permissions and group memberships each user can be given. It's impossible to compare 2 abstract users as to who has "higher" privileges.

--
~/ZARAZA
The machine turned out to be capable of only a single action, namely multiplying 2x2, and even then it made mistakes. (Lem)
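An added example (not code from either poster) of the two controls the thread circles around: the client caps what the server can do with its token by requesting Identification level (the impersonation-level quality-of-service flag on the client's open), and the server, once impersonating, compares the caller's SIDs against well-known SIDs rather than against any notion of "higher" privilege. The pipe name is constructed, and client and server run in one process, so both sides show the current user.

```powershell
# Client and server in one process; the pipe name is made up for this demo.
using namespace System.IO.Pipes
using namespace System.Security.Principal

$pipeName = 'vulndev-impersonation-demo'

function Test-ImpersonatedClient {
    # Runs on the server thread while it carries the client's token.
    $id = [WindowsIdentity]::GetCurrent()
    $principal = [WindowsPrincipal]::new($id)
    [pscustomobject]@{
        ClientUser    = $id.Name
        TokenLevel    = $id.ImpersonationLevel   # expect 'Identification' here
        IsLocalSystem = $id.User.IsWellKnown([WellKnownSidType]::LocalSystemSid)
        IsAdminGroup  = $principal.IsInRole([WellKnownSidType]::BuiltinAdministratorsSid)
    }
}

$server = [NamedPipeServerStream]::new($pipeName, [PipeDirection]::InOut, 1,
    [PipeTransmissionMode]::Byte, [PipeOptions]::Asynchronous)
$pending = $server.WaitForConnectionAsync()

# The client deliberately grants the server only Identification level:
# the server may inspect who the client is but cannot act as the client.
$client = [NamedPipeClientStream]::new('.', $pipeName, [PipeDirection]::InOut,
    [PipeOptions]::None, [TokenImpersonationLevel]::Identification)
$client.Connect(5000)
$pending.Wait()

# ImpersonateNamedPipeClient requires the server to have read client data first.
$client.WriteByte(1); $client.Flush()
$null = $server.ReadByte()

# Collect the check's result from inside the impersonated callback.
$results = [System.Collections.ArrayList]::new()
$server.RunAsClient([PipeStreamImpersonationWorker]{
    [void]$results.Add((Test-ImpersonatedClient))
})
$results | Format-List

$client.Dispose(); $server.Dispose()
```

Switching the client to `[TokenImpersonationLevel]::Impersonation` changes TokenLevel in the output; the SID checks are what a server should gate privileged operations on, not the impersonation level alone.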
Current thread:
- Why MS namedpipe work this way Minchu Mo (Dec 10)
- Re: Why MS namedpipe work this way Robert Freeman (Dec 10)
- Re: Why MS namedpipe work this way 3APA3A (Dec 11)
- Re: Why MS namedpipe work this way Ryan Permeh (Dec 11)