[Owasp-dotnet] Act as part of the operating system
Andrew van der Stock
vanderaj at greebo.net
Tue Oct 4 06:34:26 EDT 2005
"Act as part of the operating system" SeTcbPrivilege allows complete
and utter compromise of the kernel as it explicitly violates the
trusted computing base (TCB).
It allows you to:
a) read or write to any physical (=real untranslated) page or logical
page from any process
b) set hardware break points
c) install new kernel drivers
d) interact directly with hardware and the HAL
e) reboot the system in controlled and uncontrolled ways
f) hook any existing sys call
h) ... your imagination goes here ...
The usual reason for wanting this privilege is a complete lack of
understanding why a process would actually need it. I remove it from
anything which requests it, and for the most part they seem to work
Typically, the programs I have come across which want it, implement
Unix-like setuid() handling or least common denominator password
synchronization, as it allows you to replace your token with another
token. Previous to Windows XP / 2003, you used to need this
privilege, but no more, and this is the problem - software is dumb
and they want to run on 2000 and 2003. 2003 does not require you to
hold this privilege to impersonate other users, so basically older
Unix-like software is usually at fault.
There are better ways of addressing this:
Service A - LOCALSERVICE takes calls from untrusted sources, such as
Service B - LOCALSYSTEM (or whatever you need) handles just the
Service A calls Service B, and B ignores users. That way, users
cannot call highly privileged software.
On 04/10/2005, at 8:42 AM, Dinis Cruz wrote:
> Does anybody here really knows what are the security implications
> of the
> "Act as part of the operating system" privilege?
More information about the Owasp-dotnet