二.一些安全问题
1.利用备份权限绕过访问控制
系统备份员(Backup Operators)和管理员(Administrator)具有一项权限:SeBackupPrivilege
利用该权限可以访问正常情况下被拒绝访问的文件。当在ACL中设置了拒绝某帐号读取文件的ACE时,一个备份程序仍然可以在调用CreateFile时(见下面代码中的dwFlags参数),通过设置FILE_FLAG_BACKUP_SEMANTICS标志来读取该文件。
按照《Writing Secure Code》一书给出的代码如下
1. 假设你具有SeBackupPrivilege权限。
2. 创建一个txt文件,内容为:writings this for cj
3. 添加一个全部拒绝该用户访问的ACE。
现在,试着打开该文件,将会出现拒绝访问的提示。接着,编译下面这段代码(来自《Writing Secure Code》)
/*
WOWAccess.cpp
*/
#include <stdio.h>
#include <windows.h>
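/*
 * Enable one named privilege (here SE_BACKUP_NAME) in the current process
 * token.
 *
 * szPriv: privilege name understood by LookupPrivilegeValue().
 * Returns 0 when the privilege is enabled, -1 on any failure (the Win32
 * error code is printed).
 *
 * AdjustTokenPrivileges() returns TRUE even when the token does not hold
 * the requested privilege at all; the only indication is a last error of
 * ERROR_NOT_ALL_ASSIGNED.  The original code skipped that check, so a
 * caller without SeBackupPrivilege would be told the privilege was enabled
 * and the later backup-flag open would still be denied.
 */
int EnablePriv (char *szPriv) {
    int rc = -1;
    HANDLE hToken = 0;
    TOKEN_PRIVILEGES newPrivs;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES,
                          &hToken)) {
        /* DWORD is unsigned long on Win32, hence %lu rather than %d */
        printf("OpenProcessToken() failed -> %lu", GetLastError());
        return -1;
    }

    ZeroMemory(&newPrivs, sizeof newPrivs);
    if (!LookupPrivilegeValue(NULL, szPriv,
                              &newPrivs.Privileges[0].Luid)) {
        printf("LookupPrivilegeValue() failed -> %lu", GetLastError());
        goto out;
    }
    newPrivs.PrivilegeCount = 1;
    newPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* No previous-state buffer is requested (0 / NULL / NULL). */
    if (!AdjustTokenPrivileges(hToken, FALSE, &newPrivs, 0, NULL, NULL)) {
        printf("AdjustTokenPrivileges() failed -> %lu", GetLastError());
        goto out;
    }
    /* TRUE above does not mean the privilege exists in the token. */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("AdjustTokenPrivileges(): %s is not held by this token", szPriv);
        goto out;
    }
    rc = 0;

out:
    CloseHandle(hToken);
    return rc;
}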
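/*
 * Open szFileName for reading with the given CreateFile() flags, read the
 * first bytes and print them as text.
 *
 * szFileName: path of the file to open.
 * dwFlags:    dwFlagsAndAttributes argument for CreateFile(); main() calls
 *             this once with FILE_ATTRIBUTE_NORMAL and once with
 *             FILE_FLAG_BACKUP_SEMANTICS added.
 *
 * Prints its result; returns nothing.  Failures are reported with the
 * Win32 error code from GetLastError().
 */
void DoIt(char *szFileName, DWORD dwFlags) {
    HANDLE hFile;
    char buff[128];
    DWORD cbRead = 0;
    /* Read at most sizeof buff - 1 bytes so the last zeroed byte remains a
     * terminator.  The original read the full 128 bytes and then printed
     * the buffer with %s, which reads past the array for files of 128
     * bytes or more. */
    DWORD cbBuff = sizeof buff - 1;

    /* %lx / %lu: DWORD is unsigned long on Win32 */
    printf("\n\nAttempting to read %s, with 0x%lx flags\n",
           szFileName, dwFlags);

    hFile = CreateFile(szFileName,
                       GENERIC_READ, FILE_SHARE_READ,
                       NULL, OPEN_EXISTING,
                       dwFlags,
                       NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("CreateFile() failed -> %lu", GetLastError());
        return;
    }

    ZeroMemory(buff, sizeof buff);
    if (ReadFile(hFile, buff, cbBuff, &cbRead, NULL)) {
        printf("Success, read %lu bytes\n\nText is: %s",
               cbRead, buff);
    } else {
        printf("ReadFile() failed -> %lu", GetLastError());
    }
    CloseHandle(hFile);
}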
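/*
 * Entry point: enable SeBackupPrivilege, then open argv[1] twice, first
 * without and then with FILE_FLAG_BACKUP_SEMANTICS, to show that the backup
 * flag lets a backup-privileged caller read a file whose ACL denies it.
 *
 * Returns 0 on success, 1 when no file name was given or the privilege
 * could not be enabled.  The original declared `void main`, which is not
 * valid C; main must return int.
 */
int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s <filename>", argv[0]);
        return 1;
    }

    /* Need to enable backup priv first. */
    if (EnablePriv(SE_BACKUP_NAME) == -1)
        return 1;

    /* Try with no backup flag - should get access denied. */
    DoIt(argv[1], FILE_ATTRIBUTE_NORMAL);

    /* Try with backup flag - should work!  (The listing as printed had a
     * box-drawing character in place of this '|'.) */
    DoIt(argv[1], FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS);

    return 0;
}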
运行情况如下
C:\>bkp
Usage: bkp <filename>
C:\>bkp test.txt
Attempting to read test.txt, with 0x80 flags
CreateFile() failed -> 5
Attempting to read test.txt, with 0x2000080 flags
Success, read 20 bytes
Text is: writings this for cj
C:\>
如上,使用了备份的标志后(with 0x2000080 flags)就可以访问开始拒绝访问的文件了。
2.利用SeTakeOwnershipPrivilege权限绕过访问控制
在我的计算机上,tt是一个普通的user帐号,当给它添加上SeTakeOwnershipPrivilege后,就可以绕过原来的访问控制,比如,对system32目录就可以添加完全控制的ACE,从而可以任意复制文件。对Documents and Settings目录也可以如法炮制,那么,给管理员下个套就是很简单的事情了。下面是实现过程
首先看下tt所具有的权限
C:\>whoami /all
[User] = "DARKDEAMON\tt" S-1-5-21-1409082233-1957994488-472307971-1013
[Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\Users" S-1-5-32-545
[Group 4] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
[Group 5] = "NT AUTHORITY\Authenticated Users" S-1-5-11
[Group 6] = "LOCAL" S-1-2-0
(O) SeCreatePagefilePrivilege =
(O) SeAssignPrimaryTokenPrivilege =
(O) SeCreateTokenPrivilege =
(O) SeAuditPrivilege =
(X) SeUndockPrivilege =
(O) SeTakeOwnershipPrivilege =
(X) SeChangeNotifyPrivilege =
C:\>
可以看到已经添加了SeTakeOwnershipPrivilege权限,下面,将演示如何取得对system32目录的完全控制