Re: Windows NT does not check permissions after HANDLEs are open
From: Blue Boar (BlueBoar@thievco.com) Date: 08/30/01
- Previous message: Michael J. Cannon: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- In reply to: c0ncept@hushmail.com: "Windows NT does not check permissions after HANDLEs are open"
- Next in thread: Syzop: "Re: Windows NT does not check permissions after HANDLEs are open"
Date: Wed, 29 Aug 2001 21:48:05 -0700
From: Blue Boar <BlueBoar@thievco.com>
Subject: Re: Windows NT does not check permissions after HANDLEs are open
To: vuln-dev@securityfocus.com
Message-id: <3B8DC585.11D34D@thievco.com>
c0ncept@hushmail.com wrote:
>
> The component of the NT executive responsible for enforcing ACLs and DACLs is known as the Security Reference Monitor. When a kernel resource is requested, the requesting program specifies the type of access it desires. The SRM checks against the access list, and grants the requestor a HANDLE to the object if the requestor has appropriate rights.
> The check against the ACL only occurs when the HANDLE is first opened, however. If a HANDLE is opened and permissions on the object subsequently change, the original requestor of the object retains the original access permissions. Therefore, it is possible to retain access to an object after the Creator/Owner or an administrator has changed the ACL simply by maintaining an open handle. If the requestor is a service or server program that is expected to run 24/7, the object will remain accessible long after the ACL has been altered [think ISAPI, extended stored procedures, et al].
>
I believe this is documented, though perhaps in a different context.
If you, as a domain admin, have given someone a right, or group
membership, etc... and they log in with that... they hang onto
it for the entire time they are logged in. It becomes part of
the "security token". You can yank the right, but they hang onto
it until they logout, or you do a forced logout. This is from
the MS certification classes.
I think the same applies in your example. There's probably a way
to force the handle to go away, then they'd have no rights. Of course,
the program using the handle would probably fall over dead, too...
BB
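The behaviour described in this thread, as an added example (not code from either poster): a PowerShell script that opens a file for write, adds a Deny ACE for the current user, and then shows that the already-open handle keeps writing while a fresh open with the same access is refused. It assumes a Windows host, a normal interactive user, a writable $env:TEMP, and an arbitrary file name chosen here for the demonstration.

```powershell
# Added example, not from the original vuln-dev thread.
# Assumptions: Windows, run as an ordinary user, $env:TEMP writable,
# the file name below is arbitrary and exists only for this demo.

$path = Join-Path $env:TEMP ("handle-demo-{0}.txt" -f [guid]::NewGuid())
Set-Content -Path $path -Value "initial line"

# 1. Open the file for write. This is the point at which the Security
#    Reference Monitor evaluates the DACL; the granted access mask is
#    recorded in the handle and is not re-evaluated on later WriteFile calls.
$fs = [System.IO.File]::Open($path, [System.IO.FileMode]::Append,
        [System.IO.FileAccess]::Write, [System.IO.FileShare]::ReadWrite)
$writer = New-Object System.IO.StreamWriter($fs)

# 2. Change the ACL: add an explicit Deny for Write to the current user.
#    As the file's owner we still hold WRITE_DAC, so Set-Acl succeeds.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $path
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, [System.Security.AccessControl.FileSystemRights]::Write,
        [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# 3. The old handle still writes: the Deny ACE is never consulted for it.
$writer.WriteLine("written AFTER the Deny ACE was added")
$writer.Flush()
Write-Host "Write through the existing handle: succeeded"

# 4. A new open requesting the same access is refused by the access check.
try {
    [System.IO.File]::Open($path, [System.IO.FileMode]::Append,
        [System.IO.FileAccess]::Write, [System.IO.FileShare]::ReadWrite) | Out-Null
    Write-Host "New open for write: unexpectedly succeeded"
} catch [System.UnauthorizedAccessException] {
    Write-Host "New open for write: denied (UnauthorizedAccessException)"
}

# 5. The only way to revoke the access already granted is to close the
#    handle; after this the process can no longer write to the file.
$writer.Dispose()   # also closes $fs

# Cleanup: drop the Deny ACE again, show the file, remove it.
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $path -AclObject $acl
Get-Content -Path $path
Remove-Item -Path $path
```

Running it prints the second line written after the ACL change, which is the "ISAPI filter keeps its handle" scenario in miniature: the only remediation is to close the handle, either by restarting the process or by forcibly closing it from outside (for example with Sysinternals handle.exe -c), which is exactly the "program falls over dead" risk the reply mentions. The same one-time evaluation applies to the access token built at logon: removing a user from a group changes nothing for sessions already running, and `whoami /groups` in such a session keeps showing the old membership until that user logs on again.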