Flag: Tornado! Hurricane!

 Forums >>  Brainstorms - General  >>  Determine if process has been started with limited priviliges

Topic created on: January 18, 2013 17:37 CST by drew77 .

Determine if process has been started with limited priviliges

I posted this at MSDN Visual C++ , but no one understands.

This is the batch file I am using to start FF with limited privileges from an Admin account.

:: LimitedUserFirefox.bat Run firefox as a limited user from an admin account
::  
:: Put this in C:\WINDOWS
::
C:\WINDOWS\system32\psexec.exe -high -d -e -l  "C:\Program Files\Mozilla Firefox\firefox.exe"

I would like to write a program that would determine if a particular process such as firefox.exe, is running with less than admin credentials.

I hope that made sense.

Thanks.

You can read about psexec.exe here.

http://technet.microsoft.com/en-us/sysinternals/bb897553

  anonymouse     January 19, 2013 04:24.21 CST
why write one unless it is for fun when you have one check accesschk from sysinternals and you will find
Builtin\Administrators group is stripped in the TOKEN_INFORMATION when you execute any process with psexec -l

a sample below



drew77:\>dir /b
admsgbox.exe
msgbox.exe

drew77:\>fc admsgbox.exe msgbox.exe
Comparing files admsgbox.exe and MSGBOX.EXE
FC: no differences encountered


drew77:\>..\psexec.exe -high -d -e -l msgbox.exe

PsExec v1.94 - Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

msgbox.exe started with process ID 3988.

drew77:\>admsgbox.exe

drew77:\>..\accesschk.exe -f -p msgbox.exe

Accesschk v4.20 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

[3988] msgbox.exe
  RW XXXXX\Admin
  RW NT AUTHORITY\SYSTEM
  Token:
    User: XXXXX\Admin
    Groups:
      XXXXX\None                                       MANDATORY
      Everyone                                         MANDATORY
      XXXXX\Debugger Users                             MANDATORY
      XXXXX\HelpLibraryUpdaters                        MANDATORY
      BUILTIN\Administrators                           DENY,OWNER,MANDATORY
      BUILTIN\Users                                    MANDATORY
      NT AUTHORITY\INTERACTIVE                         MANDATORY
      NT AUTHORITY\Authenticated Users                 MANDATORY
      XXXXX\S-1-5-5-0-63320-Admin                      LOGONID,MANDATORY
      LOCAL                                            MANDATORY
    Privileges:
      SeUndockPrivilege                                ENABLED
      SeShutdownPrivilege                              DISABLED
      SeChangeNotifyPrivilege                          ENABLED

drew77:\>..\accesschk.exe -f -p admsgbox.exe

Accesschk v4.20 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

[3656] admsgbox.exe
  RW XXXXX\Admin
  RW NT AUTHORITY\SYSTEM
  Token:
    User: XXXXX\Admin
    Groups:
      XXXXX\None                                       MANDATORY
      Everyone                                         MANDATORY
      XXXXX\Debugger Users                             MANDATORY
      XXXXX\HelpLibraryUpdaters                        MANDATORY
      BUILTIN\Administrators                           OWNER,MANDATORY
      BUILTIN\Users                                    MANDATORY
      NT AUTHORITY\INTERACTIVE                         MANDATORY
      NT AUTHORITY\Authenticated Users                 MANDATORY
      XXXXX\S-1-5-5-0-63320-Admin                      LOGONID,MANDATORY
      LOCAL                                            MANDATORY
    Privileges:
      SeAssignPrimaryTokenPrivilege                    DISABLED
      SeCreateTokenPrivilege                           DISABLED
      SeIncreaseQuotaPrivilege                         DISABLED
      SeTcbPrivilege                                   DISABLED
      SeTakeOwnershipPrivilege                         DISABLED
      SeChangeNotifyPrivilege                          ENABLED
      SeSecurityPrivilege                              DISABLED
      SeBackupPrivilege                                DISABLED
      SeRestorePrivilege                               DISABLED
      SeSystemtimePrivilege                            DISABLED
      SeShutdownPrivilege                              DISABLED
      SeRemoteShutdownPrivilege                        DISABLED
      SeDebugPrivilege                                 DISABLED
      SeSystemEnvironmentPrivilege                     DISABLED
      SeSystemProfilePrivilege                         DISABLED
      SeProfileSingleProcessPrivilege                  DISABLED
      SeIncreaseBasePriorityPrivilege                  DISABLED
      SeLoadDriverPrivilege                            ENABLED
      SeCreatePagefilePrivilege                        DISABLED
      SeUndockPrivilege                                ENABLED
      SeManageVolumePrivilege                          DISABLED
      SeImpersonatePrivilege                           ENABLED
      SeCreateGlobalPrivilege                          ENABLED

drew77:\>

  drew77     January 19, 2013 10:09.25 CST
Thanks for the info.

I want to check if I started firefox as a limited user while it is running under an administrative account.

I hope that made sense.

  waleedassar     January 20, 2013 06:00.28 CST
You have functions like OpenThreadToken and CheckTokenMembership.

  anonymouse     January 21, 2013 05:44.02 CST
> drew77: > I hope that made sense.

well not exactly
i dont think psexec runs anything in limited user account if that is what you mean

it iirc uses CreateRestrictedToken to strip the admin some perms and creates a process (the owner would still be admin but with restricted permissions)

to run anything as a limited user account you need an account as limited user you should have logged into it atleast once physically (ie in say xp c:\documents and settings\<limited user>\ should exist
and then in your admin account you should use runas in commandline

viz runas \user:<hostname>\user <firefox>

to verify i dont think you need to write your own whatever when n number of utilities exist

like accesscheck / subinacl etc

and if you still want to do it as a learning exercise or whatever

all it takes is 2 apis or 4 if you want SACL too

openprocess () and GetSecurityInfo() for ownerSID,GroupSid,and DACL

add
openThreadToken and AdjustTokenPrivileges for SE_SECURTIY_NAME privilege and OpenProcess with ACCESS_SYSTEM_SECURITY and GetSecurityInfo()
if you need SACL as Well

(actually i have never practically seen a process having sacl it always return 0 as far as i know
so just 2 apis are sufficient

and use windbg
!sid !acl on the returned buffers when broken in at appropriate place :) for detailed description

(any security experts out there is there a scenerio where a SACL is returned for a running process in xp ??)

a simple code and result for a limited user msgbox


#include <windows.h>
#include <stdio.h>
#include <AclAPI.h>

DWORD SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
LUID luid;
BOOL bRet=FALSE;
if ((LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) !=FALSE )
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
if ( bEnablePrivilege == TRUE)
{
tp.Privileges[0].Attributes= SE_PRIVILEGE_ENABLED;
}
else
{
tp.Privileges[0].Attributes= 0;
}
bRet = AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL);
if (bRet == 0)
{
return GetLastError();
}
else if (GetLastError() == ERROR_SUCCESS)
{
return TRUE;
}
else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
return FALSE;
}
}
return bRet;
}

int main (int argc , char *argv[] )
{
if (argc !=2 )
{
printf ( "provide Pid of a running process in base 10 radix\n");
exit(FALSE);
}
HANDLE hToken;
DWORD setpriret;
if ((OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))!=FALSE)
{
if (
(( setpriret = SetPrivilege(hToken, SE_SECURITY_NAME, TRUE)) != TRUE) ||
(( setpriret = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)) != TRUE)
)
{
printf("Set privilege returned error %x\n",setpriret);
exit(FALSE);
}
CloseHandle(hToken);
}
HANDLE hProcess;
if (( hProcess =  OpenProcess(
STANDARD_RIGHTS_REQUIRED | PROCESS_QUERY_INFORMATION | ACCESS_SYSTEM_SECURITY,
FALSE,
atoi(argv[1])
)) == NULL )
{
printf("Open Process (Pid %d) Failed with %d\n",atoi(argv[1]) ,GetLastError());
exit(FALSE);
}
PSID ppsidOwner = 0;
PSID ppsidGroup = 0;
PACL ppDacl = 0;
PACL ppSacl = 0;
PSECURITY_DESCRIPTOR ppSecurityDescriptor = 0;
DWORD getsecinfret = 0;
if (( getsecinfret = GetSecurityInfo(
hProcess,
SE_FILE_OBJECT,  // what is it for process
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION ,
&ppsidOwner,
&ppsidGroup,
&ppDacl,
&ppSacl,
&ppSecurityDescriptor
)) != ERROR_SUCCESS )
{
printf("GetSecurityInfo Failed with %d\n",getsecinfret);
exit(FALSE);
}
printf(
"Success\n"
"ppsidowner = %x\n"
"ppsidGroup = %x\n"
"ppDacl = %x\n"
"ppSacl = %x\n"
"ppSecurityDescriptor = %x\n",
ppsidOwner,
ppsidGroup,
ppDacl,
ppSacl,
ppSecurityDescriptor
);
LocalFree(ppSecurityDescriptor);
exit(TRUE);
}


run it in windbg or cdb wit this command

cdb -c "bp 401208 \"!sid poi(esp+4) 1;!sid poi(esp+8) 1;!acl poi(esp+c) 1;q\";g;" getsecing.exe 2664

it sets a bp on last printf (address 401208 is in my specific binary ) prints the sid of owner&group, acl of dacl, for a given pid and quits

SID is: S-1-5-21-602162358-1801674531-1417001333-1011 (User: xxxxxx\limiteduser)
SID is: S-1-5-21-602162358-1801674531-1417001333-513 (Group: xxxxxx\None)
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1       : 0x0
ACL is: ->AclSize    : 0x40
ACL is: ->AceCount   : 0x2
ACL is: ->Sbz2       : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x24
ACL is: ->Ace[0]: ->Mask : 0x001f0fff
ACL is: ->Ace[0]: ->SID: S-1-5-21-602162358-1801674531-1417001333-1011 (User: xxxxxx\limiteduser)

ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x14
ACL is: ->Ace[1]: ->Mask : 0x001f0fff
ACL is: ->Ace[1]: ->SID: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)

or use subinacl.exe (resource kit download)


=================================
+Process limusemsgbox.exe - 2664
=================================
/control=0x0
/owner             =xxxxxx\limiteduser
/primary group     =xxxxxx\none
/audit ace count   =0
/perm. ace count   =2
/pace =xxxxxx\limiteduser        ACCESS_ALLOWED_ACE_TYPE-0x0 AccessMask=0x1f0fff
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0 AccessMask=0x1f0fff


Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : limusemsgbox.exe - 2664

  drew77     January 21, 2013 18:56.39 CST
Thanks  anonymouse.

After seeing your code, I realize that it's pretty complex.

I code in assembly, I think I'll convert your code and study
it.

Note: Registration is required to post to the forums.

There are 31,056 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit