Windows Security

hello all,

This is my first time posting to this list. I came here because I need some help. The scenario goes as follows:

I have a windows xp machine with two accounts:
user_admin - belonging to administrators group
user_limited - limited account

  • the limited user creates a file c:\test.txt
  • the same user takes ownership of the file and sets full permissions just for itself, deleting all other permissions.

My target is to write a piece of code that would access this file, take ownership and get full permissions for user_admin (being logged on this account).

With windows explorer I managed to do this. It first tells me that I can only modify ownership and System security (SACL List). I do this, click ok and on a second try it lets me edit the permissions too.

I have a hard time doing this from my code as I can’t seem to manage to get a valid handle to the file in the first place.

I tried to put WRITE_OWNER on the CreateFile ACCESS_MASK but with no luck.

I also monitored what windows explorer does with Process Monitor from Sysinternals. The log looks as follows:

"5:52:51.6019421 AM","explorer.exe","1040","IRP_MJ_CREATE","C:\test.txt","SUCCESS","Desired Access: Write Owner, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: E540E88861574DD-test-, OpenResult: Opened"
"5:52:51.6020963 AM","explorer.exe","1040","IRP_MJ_SET_SECURITY","C:\test.txt","SUCCESS","Information: Owner"
"5:52:51.6023078 AM","explorer.exe","1040","IRP_MJ_CLEANUP","C:\test.txt","SUCCESS",""
"5:52:51.6024368 AM","explorer.exe","1040","IRP_MJ_CLOSE","C:\test.txt","SUCCESS",""

Any ideas regarding this would be highly appreciated.

thanks guys!

Mihai Cimpoesu,
BitDefender Senior Virus Researcher

Before using CreateFile, why can't you use "SetFileAttributes" to change
the file attribute?

On Tue, Sep 15, 2009 at 7:15 PM, wrote:


Why is SetFileAttributes relevant here? I need permissions as in access to DACL list. The single problem is that I can’t open a handle to go further from there.

I also enabled SE_SECURITY_NAME, SE_DEBUG_NAME, SE_BACKUP_NAME and SE_RESTORE_NAME, but also with no luck.

SetFileSecurity();

This is user mode stuff; it doesn’t really belong on this list.

Good luck,

mm

I know it does not belong here, but I tried it anyway… maybe someone has a hint. For SetFileSecurity I need a handle to the file, whilst the CreateFile call gives me ACCESS_DENIED every time.

thanks anyway!

You don’t need a handle:

BOOL WINAPI SetFileSecurity(
    __in LPCTSTR lpFileName,
    __in SECURITY_INFORMATION SecurityInformation,
    __in PSECURITY_DESCRIPTOR pSecurityDescriptor
);

-OR-

DWORD WINAPI SetNamedSecurityInfo(
    __in LPTSTR pObjectName,
    __in SE_OBJECT_TYPE ObjectType,
    __in SECURITY_INFORMATION SecurityInfo,
    __in_opt PSID psidOwner,
    __in_opt PSID psidGroup,
    __in_opt PACL pDacl,
    __in_opt PACL pSacl
);

Maybe you should try reading the docs.

mm
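
Why Explorer needed two passes in the original post, as an added example that is not code from the thread: a simplified, portable C model of the NT access check applied to the scenario's two accounts. The integer SIDs, the struct names and `try_open` are constructed for illustration; group SIDs, MAXIMUM_ALLOWED and generic-right mapping are left out.

```c
/* Added example: simplified model of the NT access check (constructed data). */
#include <stdio.h>
#define FILE_READ_DATA  0x00000001u
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u
#define WRITE_OWNER     0x00080000u
#define FILE_ALL_ACCESS 0x001F01FFu

enum { USER_LIMITED = 1, USER_ADMIN = 2 };   /* hypothetical stand-ins for SIDs */
typedef struct { int sid; int allow; unsigned mask; } Ace;
typedef struct { int owner; const Ace *dacl; int count; } File;
typedef struct { int sid; int take_ownership_enabled; } Token;

/* Returns 1 if every bit of `desired` is granted, 0 for access denied. */
int access_check(const Token *t, const File *f, unsigned desired)
{
    unsigned remaining = desired;
    if (t->take_ownership_enabled)           /* SeTakeOwnershipPrivilege enabled */
        remaining &= ~WRITE_OWNER;
    if (t->sid == f->owner)                  /* owner's implicit rights */
        remaining &= ~(READ_CONTROL | WRITE_DAC);
    for (int i = 0; i < f->count && remaining; i++) {
        const Ace *a = &f->dacl[i];
        if (a->sid != t->sid) continue;      /* ACE is for someone else */
        if (!a->allow && (a->mask & remaining)) return 0;
        if (a->allow) remaining &= ~a->mask;
    }
    return remaining == 0;
}

static const Ace only_limited[] = { { USER_LIMITED, 1, FILE_ALL_ACCESS } };
static const Ace with_admin[]   = { { USER_LIMITED, 1, FILE_ALL_ACCESS },
                                    { USER_ADMIN,   1, FILE_ALL_ACCESS } };

/* stage 0: file as user_limited left it; 1: owner changed; 2: DACL rewritten too */
int try_open(int stage, int privilege_enabled, unsigned desired)
{
    File f = { stage >= 1 ? USER_ADMIN : USER_LIMITED,
               stage >= 2 ? with_admin : only_limited, stage >= 2 ? 2 : 1 };
    Token admin = { USER_ADMIN, privilege_enabled };
    return access_check(&admin, &f, desired);
}

int main(void)
{
    printf("stage 0, privilege on, WRITE_OWNER: %d\n", try_open(0, 1, WRITE_OWNER));
    printf("stage 0, privilege on, WRITE_DAC:   %d\n", try_open(0, 1, WRITE_DAC));
    printf("stage 1, as owner,     WRITE_DAC:   %d\n", try_open(1, 0, WRITE_DAC));
    return 0;
}
```

Stage 0 matches Explorer's first dialog (ownership only), stage 1 its second attempt, where the new owner can edit the DACL.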

hi Mark,

Thanks for your reply. This just solved my problem.


Mihai Cimpoesu,
Senior Virus Researcher

Tuesday, September 15, 2009, 5:17:15 PM, you wrote:



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer