General: Exploring Windows Objects ACLs
Tue, 29 Dec 2009

In the last post we talked about mutex objects and how to enumerate them. Today we'll learn how to inspect a mutex's access control list, first from WinDBG and then from user mode by extending the EnumerateMutex example. Let's start with WinDBG (the lkd> prompt is a local kernel debugging session). First list the "\BaseNamedObjects" directory, which is where user-mode named objects such as mutexes usually live (on Vista and later each session also has its own copy under \Sessions\<n>\BaseNamedObjects, so a mutex you don't find here may be there):
lkd> !object \BaseNamedObjects
Object: e18ce788 Type: (823ed418) Directory
ObjectHeader: e18ce770 (old version)
HandleCount: 71 PointerCount: 593
Directory Object: e1001150 Name: BaseNamedObjects
Hash Address Type Name
---- ------- ---- ----
00 e15a8880 SymbolicLink Local
81e996d0 Event userenv: Machine Group Policy has been applied
82286598 Mutant SHIMLIB_LOG_MUTEX
82308700 Mutant ZonesCacheCounterMutex
e1dfe298 Section CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-412668190-839522115-500
817e3ea0 Timer userenv: refresh timer for 1048:768
e1f12ed8 Section MSCTF.MarshalInterface.FileMap.MPJ.DI.HDGDJDJ
813f90d0 Event CorDBIPCLSEventReadName_5752
e25994a8 Section Cor_Private_IPCBlock_4760
e2319518 Section Cor_Private_IPCBlock_4448
e1fc1818 Section MSCTF.MarshalInterface.FileMap.ILD.FOB.FNOEBJE
8231e468 Event userenv: machine policy force refresh event
82196f50 Event jjCSCSessEvent_UM_KM_0
82111148 Event AgentToWkssvcEvent
Now query one of them:
lkd> !object \BaseNamedObjects\SHIMLIB_LOG_MUTEX
Object: 82286598 Type: (823c55e0) Mutant
ObjectHeader: 82286580 (old version)
HandleCount: 8 PointerCount: 9
Directory Object: e18ce788 Name: SHIMLIB_LOG_MUTEX
And dump the object header at 82286580:
lkd> dt nt!_OBJECT_HEADER 82286580
+0x000 PointerCount : 9
+0x004 HandleCount : 8
+0x004 NextToFree : 0x00000008
+0x008 Type : 0x823c55e0 _OBJECT_TYPE
+0x00c NameInfoOffset : 0x10 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x20 ' '
+0x010 ObjectCreateInfo : 0x8055a000 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x8055a000
+0x014 SecurityDescriptor : 0xe1756a7e
+0x018 Body : _QUAD
The SecurityDescriptor field holds 0xe1756a7e. This is not a plain pointer: on this kernel the field is an EX_FAST_REF, and the low three bits are a reference count rather than part of the address, so mask them off to get the real security descriptor pointer:
lkd> ?? 0xe1756a7e & ~0x7
unsigned int 0xe1756a78
Now we can dump the security descriptor itself (the second argument, 0, leaves the SIDs unresolved instead of printing friendly names):
lkd> !sd 0xe1756a78 0
->Revision: 0x1
->Sbz1 : 0x0
->Control : 0x8004
SE_DACL_PRESENT
SE_SELF_RELATIVE
->Owner : S-1-5-32-544
->Group : S-1-5-18
->Dacl :
->Dacl : ->AclRevision: 0x2
->Dacl : ->Sbz1 : 0x0
->Dacl : ->AclSize : 0x44
->Dacl : ->AceCount : 0x2
->Dacl : ->Sbz2 : 0x0
->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[0]: ->AceFlags: 0x0
->Dacl : ->Ace[0]: ->AceSize: 0x14
->Dacl : ->Ace[0]: ->Mask : 0x001f0001
->Dacl : ->Ace[0]: ->SID: S-1-5-18
->Dacl : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[1]: ->AceFlags: 0x0
->Dacl : ->Ace[1]: ->AceSize: 0x18
->Dacl : ->Ace[1]: ->Mask : 0x00120001
->Dacl : ->Ace[1]: ->SID: S-1-5-32-544
->Sacl : is NULL
A few things to read off this dump: the owner S-1-5-32-544 is BUILTIN\Administrators and the primary group S-1-5-18 is LocalSystem. Ace[0] grants S-1-5-18 the mask 0x001f0001, which is MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED 0x000f0000 | SYNCHRONIZE 0x00100000 | MUTANT_QUERY_STATE 0x00000001). Ace[1] grants Administrators 0x00120001, i.e. READ_CONTROL | SYNCHRONIZE | MUTANT_QUERY_STATE: enough to open, wait on and query the mutex, but not to delete it or rewrite its DACL. There is no ACE for Everyone or Users at all, so an ordinary user cannot even open this object, which is what you want for a mutex that privileged code depends on.

So now that we know how to check an object's ACL via WinDBG, let's take advantage of the .NET classes in the System.Security.AccessControl namespace to query object ACLs from user mode. A previously created mutex can be opened with the Mutex.OpenExisting method:
[SecurityPermissionAttribute(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)]
public static Mutex OpenExisting(
string name,
MutexRights rights
)
We'll open it with MutexRights.ReadPermissions (READ_CONTROL, the only right the query needs) so that the open succeeds even when we have no other access to the object, and then call Mutex.GetAccessControl to read the access control information as a MutexSecurity object. Here is the EnumerateMutex example extended to print ACL information for the mutexes inside the object directories (tested on Windows XP SP2 and Windows 7). Example:
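The following is an added example and is not the original EnumerateMutex code from this post. It uses the same Mutex.OpenExisting and Mutex.GetAccessControl calls described above, on .NET Framework (the MutexRights overload of OpenExisting and the Mutex constructor that takes a MutexSecurity are assumed, as on .NET 2.0 through 4.x), to dump the DACL of a named mutex and flag allow ACEs that hand broad principals (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) either take-over rights or merely SYNCHRONIZE, which is all a caller needs to grab and hold the mutex. So that it has something to report, it first creates a deliberately weak mutex named Local\AclDemoWeakMutex (a constructed name); any further names passed on the command line, e.g. Global\SHIMLIB_LOG_MUTEX, are inspected as well. DescribeMask maps the raw masks that WinDBG printed above onto the MutexRights enum.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

// Added example (not the post's EnumerateMutex code). Assumes .NET Framework,
// where Mutex.OpenExisting(string, MutexRights), Mutex.GetAccessControl() and
// the Mutex(bool, string, out bool, MutexSecurity) constructor are available.
class MutexAclInspector
{
    // Principals every local user belongs to; a grant to one of these is a
    // grant to "any logged-on user".
    static readonly SecurityIdentifier[] BroadSids =
    {
        new SecurityIdentifier(WellKnownSidType.WorldSid, null),             // Everyone
        new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), // Authenticated Users
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null),      // BUILTIN\Users
        new SecurityIdentifier(WellKnownSidType.InteractiveSid, null),       // INTERACTIVE
    };

    // Rights that let the holder rewrite the DACL or destroy the object.
    const MutexRights TakeoverRights =
        MutexRights.ChangePermissions | MutexRights.TakeOwnership | MutexRights.Delete;

    // Same bits WinDBG shows in ->Mask: 0x001f0001 -> "FullControl",
    // 0x00120001 -> "Modify, ReadPermissions, Synchronize".
    public static string DescribeMask(uint mask)
    {
        return ((MutexRights)mask).ToString();
    }

    // Classify one ACE: "takeover", "holdable" or null (nothing to flag).
    public static string Classify(MutexAccessRule rule)
    {
        if (rule.AccessControlType != AccessControlType.Allow) return null;
        // Rules were requested as SecurityIdentifier, so no name lookup is needed here.
        if (Array.IndexOf(BroadSids, (SecurityIdentifier)rule.IdentityReference) < 0) return null;
        if ((rule.MutexRights & TakeoverRights) != 0) return "takeover";
        // SYNCHRONIZE alone lets any user WaitOne() and never release: the local
        // denial of service the post refers to.
        if ((rule.MutexRights & MutexRights.Synchronize) != 0) return "holdable";
        return null;
    }

    // Friendly name where one exists, raw SID otherwise (orphaned SIDs do occur).
    static string Display(IdentityReference id)
    {
        try { return id.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return id.Value; }
    }

    public static void Inspect(string name)
    {
        Mutex m;
        try
        {
            // READ_CONTROL is all GetAccessControl needs; ask for nothing more.
            m = Mutex.OpenExisting(name, MutexRights.ReadPermissions);
        }
        catch (WaitHandleCannotBeOpenedException) { Console.WriteLine("{0}: no such mutex", name); return; }
        catch (UnauthorizedAccessException) { Console.WriteLine("{0}: READ_CONTROL denied", name); return; }

        using (m)
        {
            MutexSecurity sec = m.GetAccessControl();
            Console.WriteLine(name);
            Console.WriteLine("  owner: {0}", Display(sec.GetOwner(typeof(SecurityIdentifier))));
            Console.WriteLine("  sddl : {0}", sec.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
            foreach (MutexAccessRule rule in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                string verdict = Classify(rule);
                Console.WriteLine("  {0,-5} {1,-40} {2}{3}", rule.AccessControlType,
                    Display(rule.IdentityReference), rule.MutexRights,
                    verdict == null ? "" : "   <-- " + verdict);
            }
        }
    }

    static void Main(string[] args)
    {
        // Constructed test object: a DACL that hands Everyone full control, created
        // only so the inspector has a weak ACL to report on.
        MutexSecurity weak = new MutexSecurity();
        weak.AddAccessRule(new MutexAccessRule(
            new SecurityIdentifier(WellKnownSidType.WorldSid, null),
            MutexRights.FullControl, AccessControlType.Allow));
        bool createdNew;
        using (new Mutex(false, @"Local\AclDemoWeakMutex", out createdNew, weak))
        {
            Inspect(@"Local\AclDemoWeakMutex");
            foreach (string name in args) Inspect(name); // e.g. Global\SHIMLIB_LOG_MUTEX
        }
    }
}
```

Run it as an ordinary user and pass the Global\ names you saw in \BaseNamedObjects; an "access denied" on the open is itself a good sign, since it means the object's DACL does not even grant READ_CONTROL to your token. Note that the two-tier verdict is deliberate: a broad SYNCHRONIZE grant is not a bug on a mutex that is meant to be shared between unprivileged processes, it only matters when privileged code waits on the same object, which this tool cannot know on its own.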
This method is useful for identifying weak ACLs: if any user can open a mutex that a privileged service relies on and hold it, that user can cause a local denial of service. An example of this class of bug is the Winsock Mutex Vulnerability.

Regards

posted at: 17:32 | path: /General
* Posted by Panom Navanukroh at Tue Jan 5 09:08:33 2010
My name is Panom Navanukroh. I am working as an information security consultant. Currently, I am trying to implement a security operation center (SOC) for our client. Right now, I am in the process of evaluating SIEM products to see which one meets my client's needs. I looked up OSSIM information on your website; however, I still have some questions that I need to ask you about the product.
1. Can I buy AlienVault Professional SIEM in a software version (not appliance)? If I can, please give me the pricing conditions.
2. Is it possible to customize the Dashboard? The client wants to put his company logo on the homepage and some changes on the graphs and reports.
3. Is it possible to acquire log files using an agentless method (e.g. Windows WMI)?
4. In order to acquire logs and events from OS and devices, are there any other ways besides Windows WMI and Syslog?
5. Can I have a contact for direct technical support, in case I need to ask more technical questions?
Actually, I know that I should directly contact a sales person. But I have already emailed them several times, and no response. The schedule of this project is very tight, so I have used this way to communicate.
Jaime Blasco