From: Alon Bar-L. <alo...@gm...> - 2012-03-09 17:14:00
2012/3/9 Carsten Krüger <C.K...@gm...>:
> Hello Heiko,
>
> HH> It is false that you cannot set a process' mandatory label to a higher
> HH> integrity level than the one in the token.
>
> That's not what I said.
> It's not possible to assign a higher level than the user has to a
> user's process.
>
> Users can have low and medium, administrators can have high and
> system services can have system integrity level.
>
> HH> Instead I plan to secure the process (and probably the pipe handle as
> HH> well) against malicious operations by not granting the user any sophisticated
> HH> access to it, i.e. you can only inject code if you can write the process'
> HH> memory. This will be enforced by the security descriptor assigned to the
> HH> process by the service at creation time. The service account will own the
> HH> process object, so that the user cannot sneak his way in by modifying the
> HH> DACL.
>
> Could you please create a tiny example exe for testing?
> I think it didn't work either.
>
> I tried the following (disabled kernel process hacker):
> 1. run an instance of notepad as user Carsten (normal windows user, no admin)
> 2. entered "testtesttest"
> 3. run an instance of process hacker as user Carsten
> 4. tried to write to memory -> worked, closed process hacker
> 5. run an instance of process hacker as admin and stripped permissions for user Carsten completely, closed process hacker
> 6. run an instance of process hacker as user Carsten
> 7. tried to write to memory -> failed as you expected
> 8. add full permissions to process for user Carsten -> works !!!!!!!
> 9. tried to write to memory -> works !!!!!!!!
>
> It's my process so it's possible for me to change the permissions !!!!!
> I think it didn't get better if a service creates a process for me.
>
> greetings
> Carsten

I truly believe that these kinds of solutions tend to be very complicated.
Not sure why Heiko ignores the alternative I suggested.

Alon.
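
The exchange above turns on who owns the process object: Windows implicitly grants an object's owner READ_CONTROL and WRITE_DAC, which is why step 8 of the test succeeds. The following is an added example, not code from the thread or the project; it models that rule in Python and replays steps 5 to 9 for both owners. The account name `svc-account` is constructed, and the model ignores deny ACEs, privileges, integrity levels and OWNER RIGHTS ACEs.

```python
# Simplified model of the Windows DACL access check (allow ACEs only).
# Access-mask values are the real winnt.h constants; account names are constructed.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
PROCESS_ALL_ACCESS = 0x1FFFFF  # Vista and later
MEM_WRITE = PROCESS_VM_WRITE | PROCESS_VM_OPERATION


class ProcessObject:
    def __init__(self, owner, dacl):
        self.owner = owner        # owner SID in the security descriptor
        self.dacl = dict(dacl)    # SID -> allowed access mask


def granted(obj, token_sids):
    """Union of allow ACEs matching the token, plus the owner's implicit rights."""
    mask = 0
    for sid in token_sids:
        mask |= obj.dacl.get(sid, 0)
    if obj.owner in token_sids:
        mask |= READ_CONTROL | WRITE_DAC  # implicit, regardless of the DACL
    return mask


def can(obj, token_sids, desired):
    return granted(obj, token_sids) & desired == desired


def set_dacl(obj, token_sids, new_dacl):
    """Model of rewriting the DACL: requires WRITE_DAC on the object."""
    if not can(obj, token_sids, WRITE_DAC):
        raise PermissionError("WRITE_DAC not granted")
    obj.dacl = dict(new_dacl)


def replay(owner):
    """Replay steps 5-9 for a process owned by `owner`.
    Returns (step 7 write allowed, step 8 DACL change allowed, step 9 write allowed)."""
    user = {"Carsten"}
    # Step 5: an admin has stripped every ACE that mentions the user.
    proc = ProcessObject(owner, {"SYSTEM": PROCESS_ALL_ACCESS,
                                 "Administrators": PROCESS_ALL_ACCESS})
    step7 = can(proc, user, MEM_WRITE)
    try:  # Step 8: the user tries to grant himself full access again.
        set_dacl(proc, user, {**proc.dacl, "Carsten": PROCESS_ALL_ACCESS})
        step8 = True
    except PermissionError:
        step8 = False
    return step7, step8, can(proc, user, MEM_WRITE)
```

`replay("Carsten")` reproduces the observed result, while `replay("svc-account")` shows the outcome in this model when the user is not the owner of the process object.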