Sunday, January 6, 2008

You can terminate a higher integrity process.

Integrity levels have mostly been publicized as a "No-Write-Up" technology: you can't write to objects whose integrity level is higher than your token's. But there is more to it. Microsoft also implemented "No-Read-Up" and "No-Execute-Up", and you can use them on your own objects. They are already in use for processes: by default a process carries a mandatory label with both No-Read-Up and No-Write-Up, since letting a lower-integrity process read the memory of a higher-integrity one would have been too much of a security hole.

No-Execute-Up is not set on processes, though. What does that buy us?

On Windows XP, not much; but on Vista the generic mapping structures have changed. Let's look at them side by side for the "Process" object type on XP and Vista.

+-----------------+-------------------+---------------------------+
| Generic right   | Windows XP        | Windows Vista             |
+-----------------+-------------------+---------------------------+
| GENERIC_EXECUTE | READ_CONTROL      | READ_CONTROL              |
|                 | SYNCHRONIZE       | SYNCHRONIZE               |
|                 |                   | TERMINATE                 |
|                 |                   | QUERY_LIMITED_INFORMATION |
+-----------------+-------------------+---------------------------+
| GENERIC_READ    | VM_READ           | VM_READ                   |
|                 | QUERY_INFORMATION | QUERY_INFORMATION         |
|                 | READ_CONTROL      | READ_CONTROL              |
+-----------------+-------------------+---------------------------+
| GENERIC_WRITE   | CREATE_THREAD     | CREATE_THREAD             |
|                 | VM_OPERATION      | VM_OPERATION              |
|                 | VM_WRITE          | VM_WRITE                  |
|                 | DUP_HANDLE        | DUP_HANDLE                |
|                 | CREATE_PROCESS    | CREATE_PROCESS            |
|                 | SET_QUOTA         | SET_QUOTA                 |
|                 | SET_INFORMATION   | SET_INFORMATION           |
|                 | SUSPEND_RESUME    | SUSPEND_RESUME            |
|                 | READ_CONTROL      | READ_CONTROL              |
|                 | TERMINATE         |                           |
+-----------------+-------------------+---------------------------+
note: the prefix PROCESS_ has been removed from every right.
http://msdn2.microsoft.com/en-us/library/ms684880(VS.85).aspx


As you can see, GENERIC_EXECUTE has changed and now grants TERMINATE access. On XP that right lived only under GENERIC_WRITE, which No-Write-Up blocks; on Vista it is reachable through GENERIC_EXECUTE, and the process label has no No-Execute-Up to stop it. So, provided the target's DACL grants it, you can kill processes with a higher integrity level!

For completeness: PROCESS_QUERY_LIMITED_INFORMATION lets you query the full process image name.
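An added illustration, not from the original post: the C model below replays the argument with the two mappings from the table. map_generic expands GENERIC_EXECUTE the way MapGenericMask would, and mic_allowed applies the label policy as a simplified category filter, which is enough to show why a lower-integrity caller keeps PROCESS_TERMINATE on Vista but not on XP, and that adding NO_EXECUTE_UP to your own process label (the knob the post says is available for your objects) removes it again. The constants are the SDK values; the filtering function is a model, not the kernel's check.

```c
#include <stdbool.h>
#include <stdint.h>
/* Windows SDK values, restated so this builds without windows.h. */
enum { PROCESS_TERMINATE = 0x0001, PROCESS_CREATE_THREAD = 0x0002, PROCESS_VM_OPERATION = 0x0008,
       PROCESS_VM_READ = 0x0010, PROCESS_VM_WRITE = 0x0020, PROCESS_DUP_HANDLE = 0x0040,
       PROCESS_CREATE_PROCESS = 0x0080, PROCESS_SET_QUOTA = 0x0100, PROCESS_SET_INFORMATION = 0x0200,
       PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_SUSPEND_RESUME = 0x0800,
       PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, READ_CONTROL = 0x00020000, SYNCHRONIZE = 0x00100000 };
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
/* SYSTEM_MANDATORY_LABEL_* policy bits; a process label carries NO_WRITE_UP | NO_READ_UP by default. */
#define LABEL_NO_WRITE_UP   0x1u
#define LABEL_NO_READ_UP    0x2u
#define LABEL_NO_EXECUTE_UP 0x4u
#define LABEL_PROCESS_DEFAULT (LABEL_NO_WRITE_UP | LABEL_NO_READ_UP)
typedef struct { uint32_t read, write, execute; } generic_mapping_t;
/* Process generic mappings transcribed from the table above. */
#define PROC_READ  (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | READ_CONTROL)
#define PROC_WRITE (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | \
    PROCESS_CREATE_PROCESS | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME | READ_CONTROL)
static const generic_mapping_t XP_MAPPING = { PROC_READ, PROC_WRITE | PROCESS_TERMINATE, READ_CONTROL | SYNCHRONIZE };
static const generic_mapping_t VISTA_MAPPING = { PROC_READ, PROC_WRITE,
    READ_CONTROL | SYNCHRONIZE | PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION };

/* Expand GENERIC_* bits into object-specific rights, as MapGenericMask does. */
uint32_t map_generic(uint32_t desired, const generic_mapping_t *m) {
    uint32_t out = desired & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
    if (desired & GENERIC_READ)    out |= m->read;
    if (desired & GENERIC_WRITE)   out |= m->write;
    if (desired & GENERIC_EXECUTE) out |= m->execute;
    return out;
}

/* Simplified mandatory integrity check: a caller below the object's integrity loses every
 * right that belongs to a category the label forbids. Only this category filtering is
 * modelled; the kernel's real check has further detail. */
uint32_t mic_allowed(uint32_t desired, const generic_mapping_t *m, uint32_t policy, bool caller_lower) {
    uint32_t wanted = map_generic(desired, m), denied = 0;
    if (!caller_lower) return wanted;
    if (policy & LABEL_NO_READ_UP)    denied |= m->read;
    if (policy & LABEL_NO_WRITE_UP)   denied |= m->write;
    if (policy & LABEL_NO_EXECUTE_UP) denied |= m->execute;
    return wanted & ~denied;
}

/* Does a lower-integrity caller keep PROCESS_TERMINATE after asking for GENERIC_EXECUTE? */
bool lower_caller_gets_terminate(const generic_mapping_t *m, uint32_t policy) {
    return (mic_allowed(GENERIC_EXECUTE, m, policy, true) & PROCESS_TERMINATE) != 0;
}
```

On a real system the same protection is applied by writing a SYSTEM_MANDATORY_LABEL_ACE with the NO_EXECUTE_UP flag to your process's SACL (LABEL_SECURITY_INFORMATION via SetSecurityInfo).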
