Re: Privlidge escellation
From: Darin Rousseau (DarinRousseau_at_fssinet.net)
Date: 08/21/03
- Previous message: -_-: "Re: New security hole"
- In reply to: Duncan McNutt .[FTSE]: "Privlidge escellation"
Date: Wed, 20 Aug 2003 16:28:22 -0600
I'm not sure of any docs of that nature, but what you are commenting about
doesn't work the way you think it does (at least in that simple form).
When a SYSTEM-account service is running and posting (or sending) messages
to a USER GUI app, the messages are applied to the UI's %user% message
queue. When the User GUI application processes the message queue, the
messages are retrieved, and are therefore in the context of the local %user%
account, not of the SYSTEM account.
The message pump of the application is responsible for processing the
messages, not the sending service (in this case messages are dispatched at
the %user% level instead of the calling SYSTEM level).
HOWEVER, if the sending application sent a process handle in the message,
the caller could impersonate the caller at the caller's security level,
effectively changing the security level of the UI. This means, however, that
the caller app and sender app have to be quite versed with each other, and
the protocol must be defined, so you can't take over some third party app
this way.
Perhaps instead of going through all that work, it may be best just to do
the dirty work at the service level!
--
Darin Rousseau
DarinRousseau@fssinet.net
Fundamental Software Solutions Inc
http://www.fssinet.net/

" Duncan McNutt .[FTSE]" <pitmaster@127.0.0.701> wrote in message
news:%23ZoigXkZDHA.1004@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> Where would be a good source for designing secure apps, with respect to
> say a UI for a service that both run at different levels, say a service
> runs as SYSTEM and the UI runs as %USER%. Simply by grabbing the hWnd of
> the UI and then subclassing and injecting WM_ messages into the event queue
> with SendMessage or PostMessage etc to gain SYSTEM privs.
>
> --
>
> Duncan McNutt
> Microsoft Product Deactivation Team
> --
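
Added example, not part of the original post: a portable C model (not Win32 code; every type and function name is hypothetical) of the dispatch rule described in the reply above, where a handler runs in the context of the thread that pumps the queue. It also covers the reverse direction, a lower-privileged sender posting to a window owned by a SYSTEM thread, where the handler has to treat the message as untrusted input.

```c
/* Added example: portable model of window-message dispatch, not Win32 code.
   All type and function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

typedef enum { CTX_USER = 0, CTX_SYSTEM = 1 } ctx_t;  /* higher = more privilege */
typedef struct { unsigned id; ctx_t sender; } msg_t;  /* sender kept for audit only */

#define QCAP 8
typedef struct {
    ctx_t  owner;          /* context of the thread that pumps this queue */
    msg_t  slots[QCAP];
    size_t head, tail;
} queue_t;

/* Models PostMessage: the message is queued; the sender's privilege
   does not travel with it. Returns 0 if the queue is full. */
static int post_message(queue_t *q, unsigned id, ctx_t sender) {
    if (q->tail - q->head == QCAP) return 0;
    q->slots[q->tail % QCAP].id = id;
    q->slots[q->tail % QCAP].sender = sender;
    q->tail++;
    return 1;
}

/* Models one turn of the message pump. The handler always runs as the queue
   owner; *untrusted is set when the sender was less privileged than the owner. */
static int pump_one(queue_t *q, ctx_t *ran_as, int *untrusted) {
    if (q->head == q->tail) return 0;                 /* nothing queued */
    msg_t m = q->slots[q->head % QCAP];
    q->head++;
    *ran_as    = q->owner;
    *untrusted = (m.sender < q->owner);
    return 1;
}

/* Posts one message and returns 1 if the handler that processes it
   is more privileged than the sender, else 0. */
static int handler_outranks_sender(ctx_t sender, ctx_t owner) {
    queue_t q = { .owner = owner };
    ctx_t ran_as = CTX_USER;
    int untrusted = 0;
    post_message(&q, 0x0400u /* constructed message id */, sender);
    pump_one(&q, &ran_as, &untrusted);
    return untrusted && ran_as == owner;
}

int main(void) {
    printf("SYSTEM service -> USER UI:     %d\n", handler_outranks_sender(CTX_SYSTEM, CTX_USER));
    printf("USER app -> SYSTEM-owned window: %d\n", handler_outranks_sender(CTX_USER, CTX_SYSTEM));
    return 0;
}
```
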