In the last post, we talked about mutex objects and how to enumerate them. Today we’ll learn how to check mutex access lists from WinDBG as well as from user-mode extending the EnumerateMutex example http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutex.cs.
Let’s see an example using WinDBG. First query the “BaseNamedObjects” directory that usually contains mutex objects:
lkd> !object BaseNamedObjects
Object: e18ce788 Type: (823ed418) Directory
ObjectHeader: e18ce770 (old version)
HandleCount: 71 PointerCount: 593
Directory Object: e1001150 Name: BaseNamedObjects
Hash Address Type Name
---- ------- ---- ----
00 e15a8880 SymbolicLink Local
81e996d0 Event userenv: Machine Group Policy has been applied
82286598 Mutant SHIMLIB_LOG_MUTEX
82308700 Mutant ZonesCacheCounterMutex
e1dfe298 Section CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-412668190-839522115-500
817e3ea0 Timer userenv: refresh timer for 1048:768
e1f12ed8 Section MSCTF.MarshalInterface.FileMap.MPJ.DI.HDGDJDJ
813f90d0 Event CorDBIPCLSEventReadName_5752
e25994a8 Section Cor_Private_IPCBlock_4760
e2319518 Section Cor_Private_IPCBlock_4448
e1fc1818 Section MSCTF.MarshalInterface.FileMap.ILD.FOB.FNOEBJE
8231e468 Event userenv: machine policy force refresh event
82196f50 Event jjCSCSessEvent_UM_KM_0
82111148 Event AgentToWkssvcEvent
Now query one of them:
lkd> !object BaseNamedObjectsSHIMLIB_LOG_MUTEX
Object: 82286598 Type: (823c55e0) Mutant
ObjectHeader: 82286580 (old version)
HandleCount: 8 PointerCount: 9
Directory Object: e18ce788 Name: SHIMLIB_LOG_MUTEX
And query the object header at 82286580:
lkd> dt nt!_OBJECT_HEADER 82286580 +0x000 PointerCount : 9 +0x004 HandleCount : 8 +0x004 NextToFree : 0x00000008 +0x008 Type : 0x823c55e0 _OBJECT_TYPE +0x00c NameInfoOffset : 0x10 '' +0x00d HandleInfoOffset : 0 '' +0x00e QuotaInfoOffset : 0 '' +0x00f Flags : 0x20 ' ' +0x010 ObjectCreateInfo : 0x8055a000 _OBJECT_CREATE_INFORMATION +0x010 QuotaBlockCharged : 0x8055a000 +0x014 SecurityDescriptor : 0xe1756a7e +0x018 Body : _QUAD
The security descriptor is at 0xe1756a7e so, convert it:
lkd> ?? 0xe1756a7e & ~0x7 unsigned int 0xe1756a78
And then we can check the information we wanted:
lkd> !sd 0xe1756a78 0
->Revision: 0x1
->Sbz1 : 0x0
->Control : 0x8004
SE_DACL_PRESENT
SE_SELF_RELATIVE
->Owner : S-1-5-32-544
->Group : S-1-5-18
->Dacl :
->Dacl : ->AclRevision: 0x2
->Dacl : ->Sbz1 : 0x0
->Dacl : ->AclSize : 0x44
->Dacl : ->AceCount : 0x2
->Dacl : ->Sbz2 : 0x0
->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[0]: ->AceFlags: 0x0
->Dacl : ->Ace[0]: ->AceSize: 0x14
->Dacl : ->Ace[0]: ->Mask : 0x001f0001
->Dacl : ->Ace[0]: ->SID: S-1-5-18
->Dacl : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[1]: ->AceFlags: 0x0
->Dacl : ->Ace[1]: ->AceSize: 0x18
->Dacl : ->Ace[1]: ->Mask : 0x00120001
->Dacl : ->Ace[1]: ->SID: S-1-5-32-544
->Sacl : is NULL
So now that we now how to check an object ACL via WinDBG, let’s take advantage of .NET classes inside System.Security.AccessControl namespace to query objects ACL’s.
We can query a previously created mutex object via Mutex.OpenExisting method:
[SecurityPermissionAttribute(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)]
public static Mutex OpenExisting(
string name,
MutexRights rights
)
We’ll use MutexRights.ReadPermissions to be able to read ACL information and then call Mutex.GetAccessControl to read access control information.
Here is the EnumerateMutex example extended to print ACL information from mutexs inside object directories:
- Source Code
http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutexACL.cs - Binary
http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutexACL.exe
(Tested on Windows XP SP2 and Windows 7)
Example:
This method can be useful to identify weak ACL’s that can lead to a local Denial of Service. Example Winsock Mutex Vulnerability
