[Owasp-dotnet] Act as part of the operating system
Andrew van der Stock
vanderaj at greebo.net
Tue Oct 4 06:34:26 EDT 2005
"Act as part of the operating system" SeTcbPrivilege allows complete
and utter compromise of the kernel as it explicitly violates the
trusted computing base (TCB).
It allows you to:
a) read or write to any physical (=real untranslated) page or logical
page from any process
b) set hardware break points
c) install new kernel drivers
d) interact directly with hardware and the HAL
e) reboot the system in controlled and uncontrolled ways
f) hook any existing sys call
g) DLL_PROCESS_ATTACH...
h) ... your imagination goes here ...
The usual reason for wanting this privilege is a complete lack of
understanding why a process would actually need it. I remove it from
anything which requests it, and for the most part they seem to work
afterwards.
Typically, the programs I have come across which want it implement
Unix-like setuid() handling or least common denominator password
synchronization, as it allows you to replace your token with another
token. Previous to Windows XP / 2003, you used to need this
privilege, but no more, and this is the problem - software is dumb
and they want to run on 2000 and 2003. 2003 does not require you to
hold this privilege to impersonate other users, so basically older
Unix-like software is usually at fault.
There are better ways of addressing this:
Service A - LOCALSERVICE takes calls from untrusted sources, such as
users
Service B - LOCALSYSTEM (or whatever you need) handles just the
privileged activities
Service A calls Service B, and B ignores users. That way, users
cannot call highly privileged software.
thanks,
Andrew
On 04/10/2005, at 8:42 AM, Dinis Cruz wrote:
> Does anybody here really know what the security implications of the
> "Act as part of the operating system" privilege are?
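A practical follow-up to the advice above ("I remove it from anything which requests it"): before removing the right, you need to know which accounts actually hold it. The PowerShell script below is an added example, not code from the original post or from OWASP; it exports the local User Rights Assignment with secedit.exe and lists every account granted SeTcbPrivilege. It assumes an elevated prompt (secedit needs administrator rights to export policy) and that the export is in the standard INF format with a `[Privilege Rights]` section.

```powershell
# Added example (not from the original post): audit which accounts hold
# SeTcbPrivilege ("Act as part of the operating system") in local policy.
# Assumes an elevated prompt; secedit.exe needs admin rights to export.
$tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $tmp)) { throw "secedit export failed (run elevated)" }

# The line of interest looks like:  SeTcbPrivilege = *S-1-5-21-...,SomeUser
$line = Get-Content $tmp | Where-Object { $_ -match '^\s*SeTcbPrivilege\s*=' }
Remove-Item $tmp -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output "SeTcbPrivilege: no accounts assigned in local policy."
    return
}

# Value is a comma-separated list; SIDs are prefixed with '*', names are bare.
$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($e in $entries) {
    $e = $e.Trim()
    if (-not $e) { continue }
    $name = $e
    if ($e.StartsWith('*')) {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "$e (unresolved SID)"
        }
    }
    Write-Output ("SeTcbPrivilege held by: {0}" -f $name)
}

# To see whether the *current* process token holds it, compare with:
#   whoami /priv
```

Any account the script prints is a candidate for the removal the post describes. Note that this list only reflects explicit policy assignments: LocalSystem holds the privilege intrinsically, which is exactly why the Service A / Service B split above matters. The user-facing service runs as LOCALSERVICE and never holds SeTcbPrivilege, and only the back-end service that users cannot reach runs with the higher rights.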