Re: [Full-disclosure] Question for the Windows pros

--On Thursday, January 19, 2006 08:20:37 +0100 Bernhard Mueller <research@xxxxxxxxxxxxxxx> wrote:

> Hello,
>
> The ImpersonateClient API does not require that credentials are embedded
> into the program. A call to ImpersonateClient allows a server to
> "impersonate" the client when it receives a local connection, e.g. via a
> named pipe. It is mostly used by servers to DROP their privileges to
> that of the connecting user if they are running with administrative
> privileges.
> A security issue with ImpersonateClient arises if there's no error
> checking on the ImpersonateClient call and the process runs without
> realizing that it is still SYSTEM.
> Another issue would be an unprivileged client with the ImpersonateClient
> privilege, if an attacker manages to make a process with admin rights
> connect to that client. This is why normal users do not have this right
> by default.

When you say "manages to make a process with admin rights connect", you are referring to the Local Administrator account on the machine in question, correct?

So far, from what I understand, granting this privilege to a User means that *if* a process with higher privileges can connect to the computer in question, the User's privileges will be elevated through impersonation. If this is the case, then the security risk is minimal, I would think.

I would welcome suggestions regarding scenarios where this could be used to exploit a box. ISTM if the connecting process already has the admin rights, elevating the User's rights through impersonation merely elevates the User to the same level of privilege that the process already has.

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
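As an added example (not code from the original post or from either writer), here is the named-pipe server pattern the quoted text describes, with the error check whose absence it flags and a verification that the thread is no longer running as SYSTEM. The pipe name `ExamplePipe` and the C# wrapper are assumptions; the Win32 calls are `ImpersonateNamedPipeClient` and `RevertToSelf` from advapi32.dll.

```csharp
using System;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: a pipe server that drops to the connecting client's
// identity and refuses to continue if the drop did not actually happen.
static class ImpersonatingPipeServer
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateNamedPipeClient(IntPtr hNamedPipe);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    static void Main()
    {
        // "ExamplePipe" is a hypothetical pipe name chosen for this example.
        using var server = new NamedPipeServerStream("ExamplePipe", PipeDirection.InOut);
        server.WaitForConnection();
        // The client must have written to the pipe before impersonation can succeed.
        var buf = new byte[1];
        server.Read(buf, 0, 1);

        IntPtr handle = server.SafePipeHandle.DangerousGetHandle();
        if (!ImpersonateNamedPipeClient(handle))
        {
            // The failure case the quoted text warns about: without this check
            // the server would keep running under its own (possibly SYSTEM) token.
            Console.Error.WriteLine($"Impersonation failed, Win32 error {Marshal.GetLastWin32Error()}");
            return;
        }
        try
        {
            using var who = WindowsIdentity.GetCurrent();
            // Belt and braces: confirm the thread token is really the client's.
            if (who.User != null && who.User.IsWellKnown(WellKnownSidType.LocalSystemSid))
                throw new InvalidOperationException("Still SYSTEM after impersonation; refusing to proceed");
            // ImpersonationLevel shows whether the client allowed only identification
            // or full impersonation; work on the client's behalf needs the latter.
            Console.WriteLine($"Now acting as {who.Name} at level {who.ImpersonationLevel}");
            // ... perform the client's request here, under the client's token ...
        }
        finally
        {
            RevertToSelf(); // always restore the server's own token afterwards
        }
    }
}
```

The .NET class library also offers `NamedPipeServerStream.RunAsClient`, which wraps the same two Win32 calls and throws on failure instead of returning false.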
