作者:刺
让我们来复习一篇我在6、7年前写的文章,真实时间已经不可考了,因为我也忘记了。
当时写这篇文章的目的是为了学习和研究NT下权限带来的一些安全问题,不过我当时没有深入进行下去。
最近出的exploit: Windows 2003 Server Token Kidnapping 问题,又是这方面的问题,与SeImpersonatePrivilege和token关系紧密。
其实NT核心里的 权限---令牌---ACL 这一体系还会有很多其他的问题,以往深究的人很少,如果想研究下去的话,可以参考下我下面这篇文章。研究方法应该类似。
由于写文章的时候还比较年轻,大概也就10多岁,笔法还很稚嫩,请勿见笑。在文章中也提到了一些老朋友的名字,真是怀念他们啊。图片已经丢失了,不过并不影响阅读。
浅谈NT的ACL,令牌,权限与安全性问题
-----另一种克隆帐号的途径
作者:刺(aXis)
来源:www.ph4nt0m.net(当时还在用这个域名,也有网上流传的文章里用的是www.3389.net的域名,曾经也是幻影最初的域名之一。)
摘要:关于nt的acl,token,and privilege的,以及通过privilege绕过acl,达到访问文件的目的。可以说是另一种克隆administrator的方法,不过更隐蔽, 利用起来难度较大,需要绕过检测才行,目前取的的突破是利用权限绕过acl。
关键字:ACL,ACE,DACL,TOKEN,SID,PRIVILEGE
一.基本概念(这部分介绍的是令牌,ACL等基本概念,是为第二部分做准备,如果你已经了解其内容,请跳过这一部分)
1.什么是令牌(TOKEN)
当用户登录到Windows NT/2000/XP,同时通过了身份认证,此时将会由系统为该用户分配一个令牌。令牌是一个数据结构,用于由所有该用户激活的进程和线程。令牌的结构如下图:
Token source
Impersonation Type
Token ID
Authentication ID
Modified ID
Expiration Time
Default Primary Group
Default DACL
User Account SID
Group 1 SID
……
Group n SID
Restricted SID 1
……
Restricted SID n
Privilege 1
……
Prililege n
这样看不太容易理解。我们来看一个实例,使用win2000 resource kit中的whoami.exe来查看当前用户的访问令牌(Access Token)中的详细信息
C:\>whoami /all
[User] = "DARKDEAMON\Administrator" S-1-5-21-1409082233-1957994488-47230797
1-500
[Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\Administrators" S-1-5-32-544
[Group 4] = "BUILTIN\Users" S-1-5-32-545
[Group 5] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
[Group 6] = "NT AUTHORITY\Authenticated Users" S-1-5-11
[Group 7] = "LOCAL" S-1-2-0
(X) SeChangeNotifyPrivilege =
(O) SeSecurityPrivilege =
(O) SeBackupPrivilege =
(O) SeRestorePrivilege =
(O) SeSystemtimePrivilege =
(O) SeShutdownPrivilege =
(O) SeRemoteShutdownPrivilege =
(O) SeTakeOwnershipPrivilege =
(O) SeDebugPrivilege =
(O) SeSystemEnvironmentPrivilege =
(O) SeSystemProfilePrivilege =
(O) SeProfileSingleProcessPrivilege =
(O) SeIncreaseBasePriorityPrivilege =
(X) SeLoadDriverPrivilege =
(O) SeCreatePagefilePrivilege =
(O) SeIncreaseQuotaPrivilege =
(X) SeUndockPrivilege =
(O) SeTcbPrivilege =
C:\>
这就是我的令牌中的信息,它包括我的SID,属于的组,具有的权限的详细列表等信息。所以可见,令牌决定了一个用户在一台计算机上所具有的能力。
2.安全性标志符(SID)
SID是在创建一个用户或组的时候由系统分配的,是唯一的。当一个本地用户登录时,SID将由系统从SAM中的用户数据库中取出。
关于SID的结构可以参照《INSIDE WINDOWS2000》里的一段:
A SID is a variable-length numeric value that consists of a SID structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values.
下面是一些系统内置的SID
Well-Known SIDs
SID
Group
Use
S-1-1-0
Everyone
A group that includes all users.
S-1-2-0
Local
Users who log on to terminals locally (physically) connected to the system.
S-1-3-0
Creator Owner ID
A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable access-control entries (ACEs).
S-1-3-1
Creator Group ID
Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs.
SID结尾的数字是RID(relative identifier)。500表示是管理员组,GUEST组的是501
ADAM提出的克隆管理员帐号就是在SID上做手脚,把一个帐号的SID的RID克隆成500,这样系统就会认为是管理员了。
一个完整的SID的结构可以参看上面令牌中的SID。
S-1-5-21-1409082233-1957994488-472307971-500
3.什么是访问控制列表(ACL)
ACL(access control list)从字面的意思很好理解。一个系统通过ACL来判断用户对资源的何种程度的访问。由两种类型的ACL:DACL(Discretionary Access Control List)和SACL(System Access Control List)。DACL包括户和组的列表,以及相应的权限,允许或是拒绝,用来确定对资源的访问权限。SACL则用来确定安全资源的审核策略。ACL由零个 或多个ACE(Access Control Entries)组成,一个ACE包括一个SID和该SID可访问资源的描述,比如允许和拒绝,拒绝优先于允许。
在win2000 resource kit中有几个工具是关于acl的,较为典型的是xcacls。下面是一个用xcacls查看acl的例子
C:\Program Files\Resource Kit>xcacls whoami.exe
C:\Program Files\Resource Kit\whoami.exe BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\TERMINAL SERVER USER:C
C:\Program Files\Resource Kit>
其他的关于acl的工具还有svcacls.exe,showacls以及subinacl.exe等。这里不再一一赘述。
4.权限(privilege)
简单来说,权限是系统赋予用户的一定的权力,它们允许或者不允许某些影响整个计算机系统而非某一对象的特权操作。下面的表格列出了系统的一些权限和功能。
Privilege
Windows Privilege
Description
SeTcbPrivilege
Act as part of the operating system
Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege.
SeMachineAccountPrivilege
Add computers to a domain
Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain.
SeBackupPrivilege
Back up files and directories
Allows the user to circumvent file and directory permissions to back up the system. The privilege is checked only when an application attempts access through the NTFS backup application programming interface (API). Oth
erwise, normal file and directory permissions apply.
By default, this privilege is assigned to Administrators and Backup Operators. See also Restore files and directories in this table.
SeChangeNotifyPrivilege
Bypass traverse checking
Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Windows file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone.
SeSystemTimePrivilege
Change the system time
Allows the user to set the time for the internal clock of the computer.
By default, this privilege is assigned to Administrators and Power Users.
SeCreatePagefilePrivilege
Create a page filepagefile
Allows the user to create and change the size of a page file.
By default, this privilege is assigned to Administrators.
SeCreateTokenPrivilege
Create a token object
Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
SeCreatePermanentPrivilege
Create permanent shared objects
Allows a process to create a directory object in the Windows 2000 object manager.
SeDebugPrivilege
Debug programs
Allows the user to attach a debugger to any process.
By default, this privilege is assigned to Administrators.
SeEnableDelegationPrivilege
Enable computer and user accounts to be trusted for delegation
Allows the user to change the Trusted for Delegation setting on a User or Computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
SeRemoteShutdownPrivilege
Force shutdown from a remote system
Allows a user to shut down a computer from a remote location on the network. See also Shut down the system in this table.
By default, this privilege is assigned to Administrators.
SeAuditPrivilege
Generate security audits
Allows a process to create, generate, and add entries in the security log. The security log is used to trace unauthorized system access. See also Manage auditing and security log in this table.
SeIncreaseQuotaPrivilege
Increase quotas
Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial of service attack.
By default, this privilege is assigned to Administrators.
SeIncreaseBasePriorityPrivilege
Increase scheduling priority
Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box.
By default, this privilege is assigned to Administrators.
SeLoadDriverPrivilege
Load and unload device drivers
Allows a user to install and uninstall Plug and Play device drivers. Device drivers that are not Plug and Play are not affected by this privilege and can be installed only by Administrators. Because device drivers run as trusted (highly privileged) programs, this privilege can be misused to install hostile programs and give them destructive access to resources.
By default, this privilege is assigned to Administrators.
SeLockMemoryPrivilege
Lock pages in memory
Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege can significantly degrade system performance. This privilege is obsolete and is therefore never selected.
SeSecurityPrivilege
Manage auditing and security log
Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege can also view and clear the security log from Event Viewer.
By default, this privilege is assigned to Administrators.
SeSystemEnvironmentPrivilege
Modify firmware environment values
Allows modification of system environment variables either by a process through an API or by a user through System Properties.
By default, this privilege is assigned to Administrators.
SeProfileSingleProcessPrivilege
Profile a single process
Allows a user to run Microsoft® Windows NT® and Microsoft® Windows® 2000 performance-monitoring tools to monitor the performance of nonsystem processes.
By default, this privilege is assigned to Administrators and Power Users.
SeSystemProfilePrivilege
Profile system performance
Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes.
By default, this privilege is assigned to Administrators.
SeUndockPrivilege
Remove computer from docking station
Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
By default, this privilege is assigned to Administrators, Power Users, and Users.
SeAssignPrimaryTokenPrivilege
Replace a process-level token
Allows a parent process to replace the access token associated with a child process.
SeRestorePrivilege
Restore files and directories
Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. See also Back up files and directories in this table.
By default, this privilege is assigned to Administrators and Backup Operators.
SeShutdownPrivilege
Shut down the system
Allows a user to shut down the local computer. See also Force shutdown from a remote system in this table. In Windows 2000 Professional:
By default, this privilege is assigned to Administrators, Backup Operators, Power Users, and Users. In Windows 2000 Server:
By default, this privilege is not assigned to Users, only to Administrators, Backup Operators, and Power Users.
SeSynchAgentPrivilege
Synchronize directory service data
Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers.
By default, this privilege is assigned to Administrators and LocalSystem accounts on domain controllers.
SeTakeOwnershipPrivilege
Take ownership of files or other objects
Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
By default, this privilege is assigned to Administrators.
二.一些安全问题
1.利用备份权限绕过访问控制
系统备份员(Backup Operators)和管理员(Administrator)具有一项权限:SeBackupPrivilege
利用该权限可以访问正常情况下被拒绝访问的文件。当在ACL中设置拒绝某帐号读取文件时,一个备份程序可以在调用Createprocess时,通过设置FILE_FLAG_BACKUP_SEMANTICS的标志来对文件进行读取。
按照《writng secure code》一书给出的代码如下
1. 假设你具有SeBackupPrivilege权限。
2. 创建一个txt文件,内容为:writings this for cj
3. 添加一个全部拒绝该用户访问的ACE。
现在,试着打开该文件,将会出现拒绝访问的提示。现在,编译下面这段代码(来自《writng secure code》)
/*
WOWAccess.cpp
*/
#include <stdio.h>
#include <windows.h>
int EnablePriv (char *szPriv) {
HANDLE hToken = 0;
if (!OpenProcessToken
(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
&hToken)) {
printf("OpenProcessToken() failed -> %d", GetLastError());
return -1;
}
TOKEN_PRIVILEGES newPrivs;
if (!LookupPrivilegeValue (NULL, szPriv,
&newPrivs.Privileges[0].Luid)) {
printf("LookupPrivilegeValue() failed -> %d", GetLastError());
CloseHandle (hToken);
return -1;
}
newPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
newPrivs.PrivilegeCount = 1;
if (!AdjustTokenPrivileges(hToken, FALSE, &newPrivs, 0, NULL, NULL)) {
printf("AdjustTokenPrivileges() failed -> %d", GetLastError());
CloseHandle (hToken);
return -1;
}
CloseHandle (hToken);
return 0;
}
void DoIt(char *szFileName, DWORD dwFlags) {
printf("\n\nAttempting to read %s, with 0x%x flags\n",
szFileName, dwFlags);
HANDLE hFile = CreateFile(szFileName,
GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING,
dwFlags,
NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("CreateFile() failed -> %d", GetLastError());
return;
}
char buff[128];
DWORD cbRead=0, cbBuff = sizeof buff;
ZeroMemory(buff, sizeof buff);
if (ReadFile(hFile, buff, cbBuff, &cbRead, NULL)) {
printf("Success, read %d bytes\n\nText is: %s",
cbRead, buff);
} else {
printf("ReadFile() failed -> %d", GetLastError());
}
CloseHandle(hFile);
}
void main(int argc, char* argv[]) {
if (argc < 2) {
printf("Usage: %s <filename>", argv[0]);
return;
}
// Need to enable backup priv first.
if (EnablePriv(SE_BACKUP_NAME) == -1)
return;
// Try with no backup flag - should get access denied.
DoIt(argv[1], FILE_ATTRIBUTE_NORMAL);
// Try with backup flag - should work!
DoIt(argv[1], FILE_ATTRIBUTE_NORMAL │ FILE_FLAG_BACKUP_SEMANTICS);
}
运行情况如下
C:\>bkp
Usage: bkp <filename>
C:\>bkp test.txt
Attempting to read test.txt, with 0x80 flags
CreateFile() failed -> 5
Attempting to read test.txt, with 0x2000080 flags
Success, read 20 bytes
Text is: writings this for cj
C:\>
如上,使用了备份的标志后(with 0x2000080 flags)就可以访问开始拒绝访问的文件了。
2.利用SeTakeOwnershipPrivilege权限绕过访问控制
在我的计算机上,tt是一个普通的user帐号,当给他添加上SeTakeOwnershipPrivilege后,就可以绕过原来的访问控制,比如,对 system32目录下就可以添加完全控制的ACE,从而可以任意复制文件。对Document and Settings目录下也可以如法炮制,那么,给管理员下个套就是很简单的事情了。下面是实现过程
首先看下tt所具有的权限
C:\>whoami /all
[User] = "DARKDEAMON\tt" S-1-5-21-1409082233-1957994488-472307971-1013
[Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\Users" S-1-5-32-545
[Group 4] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
[Group 5] = "NT AUTHORITY\Authenticated Users" S-1-5-11
[Group 6] = "LOCAL" S-1-2-0
(O) SeCreatePagefilePrivilege =
(O) SeAssignPrimaryTokenPrivilege =
(O) SeCreateTokenPrivilege =
(O) SeAuditPrivilege =
(X) SeUndockPrivilege =
(O) SeTakeOwnershipPrivilege =
(X) SeChangeNotifyPrivilege =
C:\>
如图,可以看到已经添加了SeTakeOwnershipPrivilege权限,下面,将演示如何取得对system32目录的完全控制
如图,这是修改前的结果.
下面我们来更改目录的所有者以得到完全控制.
现在可以看到更改所有者已经激活,所以我们只需要更改所有者就可以取得完全控制了。而在这个权限添加以前是无法进行这项操作的。
3.利用SeDebugPrivilege权限来做坏事
这个权限是极为危险的。它允许用户通过调试进程来访问秘密数据。典型的例子就是findpass。利用SeDebugPrivilege调试winlogon进程来获得明文存储在里面的域名和密码。
另一个典型的例子就是LSADUMP2,通过使用CreateRemoteThread函数来在LSASS.EXE进程中读取已经经过LSA解密的私有数据代码,从而查看LSA中存储的秘密信息。
4.更进一步
管理员(Administrator)默认具有16个权限
SeChangeNotifyPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
然而,SeTcbPrivilege和SeCreateTokenPrivilege两个权限管理员缺省是没有的. SeTcbPrivilege是具有操作系统的一部分来工作的权限,,SeCreateTokenPrivilege更为任意令牌创建权限!拥有了这两个 权限,用Lu0的话来说,就是可以超越administrator!
从而提出另一种克隆管理员帐号的途径:克隆管理员的权限,甚至包括SeTcbPrivilege和SeCreateTokenPrivilege两个权限!
在这里使用到RESOURCE KIT中的一个工具:ntrights.exe
通过这个工具可以给指定帐号和组添加权限。
下面是ntrights.exe的说明
ntrights {-r Right │ +r Right} -u UserOrGroup [-m \\Computer] [-e Entry] [-?]
Where:
-r Right
revokes Right from specified user or group. For a full list, see Windows 2000 Rights.
+r Right
grants Right to specified user or group. For a full list, see Windows 2000 Rights.
-u UserOrGroup
specifies the user or group for whom rights are to be granted or revoked.
-m \\Computer
specifies the computer (machine) on which to perform the operation. The default is the local computer.
-e Entry
adds a text string Entry to the computer's event log.
-?
displays a syntax screen at the command prompt.
下面是使用实例,
C:\>ntrights +r SeDebugPrivilege -u tt
Granting SeDebugPrivilege to tt ... successful
C:\>
这样就成功给tt添加了SeDebugPrivilege的权限,其他权限也可以照样添加。如果是去除权限,则只需把+r变成-r就可以了。
这样就实现了另一种意义上的克隆帐号,不过这样得到权限后仍然不能启动服务或添加帐号,比如net user ttt /add时发生拒绝错误,不知道这条命令是否会检查当前用户的SID,所以产生失败,还请高手指示。
三.后记
罗嗦写了这么多,是出于学习的目的,用wawa的话来说就是在写的过程中获益不少。由于水平有限,内容不免有错误之处,还请高手指正。
相关工具下载:
whoami: http://www.3389.net/download/whoami.exe
xcacls: http://www.3389.net/download/xcacl.exe
bkp: http://www.3389.net/download/bkp.exe
ntrights: http://www.3389.net/download/ntrights.exe
findpass: http://www.3389.net/download/findpass.zip
lsadump2: http://www.3389.net/download/lsadump2.zip
参考资料:
1.《INSIDE WINDOWS2000》
2.《WRITING SECURE CODE》
3.《Windows NT 4的安全结构》
4.《最小权限的挑战》
5.《超越ADMINISTRATOR》
6.《如何克隆管理员帐号》
7.Windows2000 Resource Kit Document
姓名:Chinadu
最近评论