Original: http://www.blogcn.com/User8/flier_lu/index.html? Id = 3024613
Last week, HBifts encountered a problem that could not open the kernel objects created by the desktop program in ASP.NET in ASP.NET.
Memory map file and user permissions
He is the way to modify the ASP.NET configuration file, let the ASP.NET play the system administrator account to access the object. I reposted on the water and said that this is a very bad programming habit, because this will be the ASP.NET page running in the uncontrolled security context. Once there is a malicious code attack this page, it will have system administrator privileges, which is very dangerous. The reason why IIS 5/6 is proposed, which is officially reduced to reduce the problem under the previous IIS 4/5 default model, minimizing the loss after the page is attacked.
After accepting the improvement opinion, HBIFTS used another hazard smaller, but also recommended by establishing a NULL DACL method.
Create an eveningone security_attribute
This way can be said that it is very close to the correct solution, huh, huh, although there is a certain safety hazard, but there is a fine breakthrough than the previous one.
I once agreed to write an article to introduce a solution. Unfortunately because of work and other reasons have been very busy, drag to the current process: P, from HBifts, and many friends's reply, to DACL and related Volume control is very unfamiliar. The following is briefly introduced the basic knowledge and some basic concepts, so that everyone can know what it is: P
In the beginning of the day, NT Loader loaded into the kernel and the system began to launch various system processes. Each process is mostly dominated by the system at this time, talking about the same language, and there is no separation between each other. It is bad to be in Winlogon's process is not honest, and it is necessary to provide the landing interface to log out to the system, which derived the process of Extplorer, CSTRIKE and other seven seven eight eight, saying different languages, and resources such as document networks. Visit. The NT system is like the 9X generation is so good: "If you want to mix on my site, you will have a first name, you can do anything, you can't do anything, you have to say something, threatening things have to be reported. First ". So the user must provide credentials when the user is logged in, as for the default password or the authentication token, fingerprint, and the iris of the Iris is calculated by Winlogon's little brother Gina. However, if each access object is re-authenticated, the password is pressed by pressing the password. It is too much trouble. So since landing to the logout period, starting each account to send a temporary master certificate, this is the origin of the session. In order to manage, the NT system has also established a corresponding session on the process, service process, etc. of the computer itself, each with each account. Usually, you look like only one person logs in to the system with an account, but actually there is a bunch of steps in the background in the background. A typical system runtime session situation is as follows, the development of this tool and the detailed explanation of the field I will subsequently describe an article separately. KESESSSION - 1.0.0.0 - Show Kernel Sessions @ Jul 12 2004 (C) 1999-2004 NSFOCUS CORPORATION. All Rights Reserved
Logon session 00000000: 000003E7 [999] User name: Sky / Flier $ auth package: ntlm logon type: (none) session: 0 Sid: s -1-5-18 Account name: NT Authority / System Logon Time: 2004-7 -14 11:12:20 Logon Server: DNS Domain: UPN: Process File Name 388: SMSS.exe 460: Winlogon.exe 504: Services.exe 516: Lsass.exe 736: Svchost.exe ... 3624: inetinfo. EXE
Logon session 00000000: 0000cda3 [52643] User name: NThority / Anonymous Logon Auth Package: NTLM logon type: NetWork session: 0 SID: S-1-5-7 Account Name: Nt Authority / Anonymous Logon Time: 2004-7 -14 11:12:32 Logon Server: DNS Domain: UPN:
Logon session 00000000: 0000cfc1 [53185] User name: FLIER / Administrator Auth package: NTLM Logon type: Interactive Session: 0 SID: S-1-5-21-3978760259-2706837669-145014315-500 Account Name: FLIER / Administrator Logon time : 2004-7-14 11:12:32 Logon Server: Flier DNS Domain: UPN:
Process File Name 1628: Explorer.exe ... 1612: KESESSION.EXE
Logon session 00000000: 0000A56A [42346] User name: Auth package: NTLM logon Type: (None) session: 0 Sid: Account Name: Logon Time: 2004-7-14 11:12:20 Logon Server: DNS Domain: UPN: DNS Domain: UPN: You can see the first landing session 999 is the user name SKY / FLIER $ with an account NTHORITY / SYSTEM to the system, that is, my computer account. In the previous NT system, there is no computer. This entity concept, 2000 start the computer itself can be used as an independent entity, especially in the AD. The account of the computer itself is our familiar SYSTEM account. Most of the system processes SMSS, WinLogon, etc. are also executed again. The other is the account Flier / Administrator login, and its login type interactive indicates that it is logged in through the mouse button. There are also some other sessions, such as NThority / Anonymous Logon, which login, is used for anonymous login acquisition information. Previous NT4 does not support computer entities to log in, other machine information can only be obtained by anonymous connection. Another thing that is worth noting is that each session has a SID to indicate the user account, there is a fixed S-1-5-18, S-1-5-7 this kind of Well-KNown SID, and S-1-5 -21-3978760259-2706837669-145014315-500 This kind of machine-related SID is not explained in detail, otherwise the length, huh, huh, huh, huh, huh, every account will be able to access the authority related information, which is also accessible. What can't access what is accessible. But it seems still not enough, as if the ASP.NET process sometimes needs to play other accounts to access special resources, or a process is adjusted to adjust your permissions within the allowable range. If the account authority is saved at the session level, a process will change the permissions, and the other will be remembered (the competition). To mediate disputes, we will only have three major big boards, each process sends a copy of the good license (token), and take the tool to change it, huh. The thread level in the process also has similar problems, just by default, it will be applied to apply when needed.
This good administrative (Token) is much safe. It registers the current user's username and group. This account is privileged, and we need attention here: the default object authority. Jeffrey Richter and Jason Clark provide a very powerful tool, token Master, the TOKEN MASTER, which provides the current system, and a thread's good license. Below is a typical default object permission setting that allows processes under the system administrator account: ************************************ *********************************************************** * Token default dacl *************************************************************** ********************************** ACCESS ALLOWED BUILTIN / AdministratorsACCESS_MASK: 00010000000000000000000000000000 GENERIC_ALLACCESS ALLOWED NT AUTHORITY / SYSTEMACCESS_MASK: 00010000000000000000000000000000 GENERIC_ALL That is, in a system administrator account, when a new kernel object is established, if the LPSecurity_Attributes LPAttributes parameter is null, this object default is only this account you or the administrator group and the System account has full access. . If a program view running under other accounts opens and access this object, it will be rejected. That's why hbifts cannot open the file mapping object created by the desktop program in the ASP.NET, because his desktop program is running under the system administrator account, and the built-in object is only available in the system administrator group and the system account. . ASP.NET is safe, and is the ASP.NET page in the ASPNET account. It is not a member of the system administrator group, and this object cannot be accessed.
The first way of playing in HBifts is actually a solution. By setting the ASP.NET script, let ASP.NET run under the system administrator account so that this page runs the thread of the thread to be temporarily exchanged to the system administrator, and there is permission to handle it. But because it is set by configuration file, the granularity plays is too large, and the life of the entire page will play an administrator account, which is very unsafe. Even if you want to use this method, you should also pass the fine-grained control of the WindowsIdentity.impersonate method. When you need to access the object, dynamically play the system administrator role, and restore the operation after completing the operation. However, it is not safe, huh, huh, or there is a security hidden danger.
The formal idea is to specify its access permissions when you create an object. But HBifts's second solution has too much, which has established a security descriptor of NULL DACL, which is to allow anyone to make any access objects. In particular, the file maps such an object that is used to interact data. The degree of permissions are opened, and they have a huge empty space to the malicious code, they can open this object, fill some spam or attack data inside, Use this object to communicate two-party procedures. I used to successfully get some kind of personal firewall in a similar way, through operation of the internal mutex, deceive the engine and the interface, let you fire the firewall is still working, but it is actually stopped, huh, huh, huh: P To be alleviated This problem requires special permissions to specify special permissions when establishing an object. You can use the configuration file to provide a system ASP.NET account name, and then add access to this account to this account. JIANGSHENG in its "Permissions Issues Permission Issues" across process access is to solve the problem by enforcing the specified everyone (Security_World_SID_AUTHHORITY). Although this kind of permission management is relatively placed, it is better than the NULL DACL in the forebel, NULL DACL is the true connectionless object that can be accessed outside Everyone: P
The preferred way is fine-grained to control the access to the target process, and is probably divided into the following steps:
1. Get the token of the current thread or process 2. Get the SID 3. of the token user to get the SID 4. of the ASP.NET run account, set the security descriptor DACL 5. Create an object using the security descriptor
The instance code is as follows (it is easy to demonstrate, the debugging and error handling code is ignored, only the most basic check is retained):
The first step is to try to get a threaded token first, because the above mentioned that the token can be set to the thread level, and the thread itself may also play other accounts. If the thread does not have a stand-alone token, try obtaining a process token. As for the permissions of the token handle, it is possible to query enough to prepare for the back further to obtain the token information.
HANDLE hToken; (! OpenThreadToken (GetCurrentThread (), TOKEN_QUERY, TRUE, & hToken)) if {if (! OpenProcessToken (GetCurrentProcess (), TOKEN_QUERY, & hToken)) {std :: cerr << "Failed to get process token" << STD :: end1;}} The second step is required to obtain the SID of the token user. GetTokenInformation is able to query a variety of associated information from the token, such as the user SID we need here. Typedef struct _token_user {sID_and_attributes user;} token_use;
Typedef struct _sid_and_attributes {psid sid; dword attributes;} sid_and_attributes, * psid_and_attribute;
DWORD dwUserSize = 0; GetTokenInformation (hToken, TokenUser, NULL, 0, & dwUserSize); std :: string user (dwUserSize, '/ 0'); BOOL ret = GetTokenInformation (hToken, TokenUser, (void *) user.c_str () User.Size (), & dwusersize; closehandle (htokeen); psid siduser = ((ptoken_user) -> user.sID; Step 3, run the account according to the ASP.NET Run your SID. Here is simple, use hard-coded account name ASPNET, which can be used to obtain flexibility through configuration files or directly read system settings and configuration files. Const char * ASPNET_ACCOUNT = "ASPNET";
DWORD dwsidsize = 0, dwdomainsize = 0; sID_NAME_USE USE;
Lookupaccountname (NULL, ASPNET_ACCOUNT, NULL, & DWSIDSIZE, NULL, & DWDOMAINSIZE, & USA);
Std :: string sid (dwsidsize-1, '/ 0'), Domain (dwdomainsize-1, '/ 0');
Ret = lookupaccountname (null, aspnet_account, (psid) sid.c_str (), & dwsidsize, (char *) Domain.c_str (), & dwdomainsize, & us);
PSID Sidaspnet = (PSID) Sid.c_STR (); Step 4, in accordance with the two SIDs to initialize a security descriptor. INITIALIZEACL initializes an ACL (any access control list) and then adds the allowed ACE (Access Control) with addAccessallowedAce. Both the default user and the ASP.NET user assign generic_all access, which can be further refined according to the requirements. Finally, use this ACL to construct a security descriptor and set its DACL (Free Access Control List). DWORD DWACLSIZE = SIZEOF (ACL) SIZEOF (Access_allowed_ace) * 2 GetLength GetLengthTHSID (Sidaspnet);
Std :: string ACL (dwaclsize, '/ 0');
InitializeAcl ((PACL) acl.c_str (), acl.size (), ACL_REVISION); AddAccessAllowedAce ((PACL) acl.c_str (), ACL_REVISION, GENERIC_ALL, sidUser); AddAccessAllowedAce ((PACL) acl.c_str (), ACL_REVISION , Generic_all, Sidaspnet;
SECURITY_DESCRIPTOR sd; InitializeSecurityDescriptor (& sd, SECURITY_DESCRIPTOR_REVISION); SetSecurityDescriptorDacl (& sd, TRUE, (PACL) acl.c_str (), TRUE); GetTokenInformation furthermore also conceivable to use direct access token with TokenDefaultDacl options default DACL, direct reuse SetEntriesInAcl To modify it, generate a new security descriptor. However, this is more troublesome, and the MSDN provides a complete code example. Interested friends can take a look. Step 5 Use this security descriptor to create a kernel object. You can use the Process Explorer tool provided by Sysinternal to view the permissions of objects created in this example, you can see if we want, current users and ASPNET users are added to Generic_all permissions. Security_attributes sa = {sizeof (sa), & sd, false}; handle hmutex = Createmutex (& Sa, False, "Testmutex");
CHAR CH; std :: cin >> CH;
CloseHandle (hmutex);
The roughly used ideas, many of them can be discussed in depth, but because of the limited time energy, it is temporarily and skewers, and interesting friends can further explore.