Sunday, January 6, 2008

You can terminate a higher integrity process.

Integrity levels have been publicized a lot like a "No-Write-Up" technology. It means that you can't write to objects with a higher integrity level than your token. But there is more to it. Microsoft also implemented "No-Read-Up" and "No-Execute-Up" and you can use them on your objects. It is even used today for processes, by default they have a No-Read-Up and No-Write-Up mandatory label. It would have been too much of a security hole to be able to read the process memory of a higher integrity level process.

No-Execute-Up is not present though. What does it buy us?

If it was on Windows XP, then not much, but on Vista the Generic Mapping structures have changed. Let's take a look at them side by side for the "Process" object type on XP and Vista.


                   Windows XP          Windows Vista
+-----------------+-------------------+---------------------------+
 GENERIC_EXECUTE   READ_CONTROL        READ_CONTROL
                   SYNCHRONIZE         SYNCHRONIZE
                                       TERMINATE
                                       QUERY_LIMITED_INFORMATION
+-----------------+-------------------+---------------------------+
 GENERIC_READ      VM_READ             VM_READ
                   QUERY_INFORMATION   QUERY_INFORMATION
                   READ_CONTROL        READ_CONTROL
+-----------------+-------------------+---------------------------+
 GENERIC_WRITE     CREATE_THREAD       CREATE_THREAD
                   VM_OPERATION        VM_OPERATION
                   VM_WRITE            VM_WRITE
                   DUP_HANDLE          DUP_HANDLE
                   CREATE_PROCESS      CREATE_PROCESS
                   SET_QUOTA           SET_QUOTA
                   SET_INFORMATION     SET_INFORMATION
                   SUSPEND_RESUME      SUSPEND_RESUME
                   READ_CONTROL        READ_CONTROL
                   TERMINATE
+-----------------+-------------------+---------------------------+
note: the prefix PROCESS_ has been removed.
http://msdn2.microsoft.com/en-us/library/ms684880(VS.85).aspx


As you can see GENERIC_EXECUTE has changed and now gives TERMINATE access. You can then kill processes with a higher integrity level!

For completeness, PROCESS_QUERY_LIMITED_INFORMATION allows you to query the full process image name.

Posted by nsylvain at 4:20 PM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)