Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Question for the Windows pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 18 Jan 2006 13:55:29 -0600

--On Wednesday, January 18, 2006 13:25:55 -0600 Yvan Boily <yboily () gmail com> wrote:

The explanations on MS's site are vague enough that they're meaningless.
What services running on Windows allow clients to access them?  And if
they do, do they restrict access to the Local Machine?  Or do they allow
Remote Access?  (For example, RPC is clearly remote.  Is the Windows
Time service?)

Actually, the explanations are not vague or meaningless.  It just
helps to have an understanding of what this privilege governs.  Lets
start with the fact that in essence it only applies to Server
operating systems, and only to Windows 2000 SP4, or Windows 2003.

This is incorrect. The privilege exists *and* functions on the Workstation operating systems Win2000 SP4 *and* WinXP. I have verified this through testing.

http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/secauthz/security/authorization_constants.asp

I've already been there and read the page - several times. I understand *in general* what an impersonation privilege is. I need to know *specifically* what "server's clients" can be impersonated when this privilege is applied to an account. So far, I've found nothing on the web that even attempts to address that issue.

Mike Howard also demonstrates the technique here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/h
tml/secure03132003.asp

That's somewhat helpful, in a general way, but still doesn't answer my question.

RPC is not clearly remote.  It is merely a mechanism which is capable
of delivering remote calls.

Which is what I meant by clearly remote. IOW, it's capable of accessing resources remotely.

According to MSDN this is a list of API that require
SeImpersonatePrivelege:

RpcImpersonateClient
ImpersonateAnonymousToken
ImpersonateClient
ImpersonateLoggedOnUser
ImpersonateSecurityContext
RpcGetAuthorizationContextForClient

Reading the API, and the MSDN Documentation on IMpersonation and
Delegation should illuminate this issue.

Unfortunately, it has not. Again, I understand *in general* what impersonation is, how it works and what it can mean in terms of security.

I am looking *specifically* for what a user who has the privilege Impersonate a client after authentication has the right to do. Does it mean that *anything* that user runs runs under his/her privileges? Does it mean only *local* processes are affected? Does it mean a hacker can access the machine remotely and run under the user's privileges?

IOW, if I have a domain account name "Joe", and I grant "Joe" this privilege, what is placed at risk? The local machine he's logged in to? The entire domain? Only certain services? Saying it's a high risk (like ISS does) and then not defining *precisely* what the risks are is not helpful.

And all I was really asking for is pointers to any white papers or conference presentations that even attempt to illuminate this issue.

It's looking like there are none.

The short story is though, that any case where any process or thread
will execute, either locally or remotely, under another users security
context, impersonation is required.

Can you name one? For example, is the RPC Locater Service affected by this privilege?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault