Exploring Windows Object ACLs

December 29, 2009 | Jaime Blasco

In the last post, we talked about mutex objects and how to enumerate them. Today we’ll learn how to check mutex access control lists from WinDBG as well as from user mode, extending the EnumerateMutex example (http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutex.cs).

Let’s see an example using WinDBG. First, query the “\BaseNamedObjects” directory, which usually contains the mutex objects:

lkd> !object \BaseNamedObjects
Object: e18ce788  Type: (823ed418) Directory
    ObjectHeader: e18ce770 (old version)
    HandleCount: 71  PointerCount: 593
    Directory Object: e1001150  Name: BaseNamedObjects

    Hash Address  Type          Name
    ---- -------  ----          ----
     00  e15a8880 SymbolicLink  Local
         81e996d0 Event         userenv: Machine Group Policy has been applied
         82286598 Mutant        SHIMLIB_LOG_MUTEX
         82308700 Mutant        ZonesCacheCounterMutex
         e1dfe298 Section       CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-412668190-839522115-500
         817e3ea0 Timer         userenv: refresh timer for 1048:768
         e1f12ed8 Section       MSCTF.MarshalInterface.FileMap.MPJ.DI.HDGDJDJ
         813f90d0 Event         CorDBIPCLSEventReadName_5752
         e25994a8 Section       Cor_Private_IPCBlock_4760
         e2319518 Section       Cor_Private_IPCBlock_4448
         e1fc1818 Section       MSCTF.MarshalInterface.FileMap.ILD.FOB.FNOEBJE
         8231e468 Event         userenv: machine policy force refresh event
         82196f50 Event         jjCSCSessEvent_UM_KM_0
         82111148 Event         AgentToWkssvcEvent

Now query one of the mutants (the kernel’s name for a mutex object):

lkd> !object \BaseNamedObjects\SHIMLIB_LOG_MUTEX
Object: 82286598  Type: (823c55e0) Mutant
    ObjectHeader: 82286580 (old version)
    HandleCount: 8  PointerCount: 9
    Directory Object: e18ce788  Name: SHIMLIB_LOG_MUTEX

Then dump the object header at 82286580:

lkd> dt nt!_OBJECT_HEADER  82286580
   +0x000 PointerCount     : 9
   +0x004 HandleCount      : 8
   +0x004 NextToFree       : 0x00000008
   +0x008 Type             : 0x823c55e0 _OBJECT_TYPE
   +0x00c NameInfoOffset   : 0x10 ''
   +0x00d HandleInfoOffset : 0 ''
   +0x00e QuotaInfoOffset  : 0 ''
   +0x00f Flags            : 0x20 ' '
   +0x010 ObjectCreateInfo : 0x8055a000 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : 0x8055a000
   +0x014 SecurityDescriptor : 0xe1756a7e
   +0x018 Body             : _QUAD

The SecurityDescriptor field holds 0xe1756a7e. The kernel keeps this pointer as a fast reference, so its low three bits are reference-count bits rather than part of the address; mask them off to get the real address of the security descriptor:

lkd> ?? 0xe1756a7e & ~0x7
unsigned int 0xe1756a78

Now !sd can dump the security descriptor, which is the information we wanted:

lkd> !sd 0xe1756a78 0
->Revision: 0x1
->Sbz1    : 0x0
->Control : 0x8004
            SE_DACL_PRESENT
            SE_SELF_RELATIVE
->Owner   : S-1-5-32-544
->Group   : S-1-5-18
->Dacl    :
->Dacl    : ->AclRevision: 0x2
->Dacl    : ->Sbz1       : 0x0
->Dacl    : ->AclSize    : 0x44
->Dacl    : ->AceCount   : 0x2
->Dacl    : ->Sbz2       : 0x0
->Dacl    : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl    : ->Ace[0]: ->AceFlags: 0x0
->Dacl    : ->Ace[0]: ->AceSize: 0x14
->Dacl    : ->Ace[0]: ->Mask : 0x001f0001
->Dacl    : ->Ace[0]: ->SID: S-1-5-18

->Dacl    : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl    : ->Ace[1]: ->AceFlags: 0x0
->Dacl    : ->Ace[1]: ->AceSize: 0x18
->Dacl    : ->Ace[1]: ->Mask : 0x00120001
->Dacl    : ->Ace[1]: ->SID: S-1-5-32-544

->Sacl    :  is NULL

So now that we know how to check an object’s ACL via WinDBG, let’s take advantage of the .NET classes in the System.Security.AccessControl namespace to query object ACLs from user mode.

We can open a previously created mutex object via the Mutex.OpenExisting method:

[SecurityPermissionAttribute(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)]
public static Mutex OpenExisting(
    string name,
    MutexRights rights
)

We’ll open the mutex with MutexRights.ReadPermissions, which is sufficient to read its DACL, and then call Mutex.GetAccessControl to retrieve the access control information.

Here is the EnumerateMutex example extended to print ACL information for the mutexes inside object directories:

  • Source Code http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutexACL.cs
  • Binary http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutexACL.exe

(Tested on Windows XP SP2 and Windows 7)

Example:

This method can be useful to identify weak ACLs that can lead to a local Denial of Service, for example the Winsock Mutex Vulnerability.
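As an added example (not the post’s own code or the EnumerateMutexACL tool), this C# program applies the Mutex.OpenExisting / GetAccessControl approach described above to a single named mutex and flags rules that grant broad principals rights they should not hold; its DescribeMask helper also decodes raw masks like the two shown in the !sd output. It assumes .NET Framework on Windows and that the named mutex exists (the default name is the one from the WinDBG listing and may not exist on your machine).

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

// Added example, not from the original post. Opens a named mutex for DACL inspection
// only and reports rules that hand broad principals rights over the object's protection.
class MutexAclAudit
{
    // Rights that let a non-owner rewrite or destroy the object's protection.
    const MutexRights Dangerous = MutexRights.ChangePermissions | MutexRights.TakeOwnership | MutexRights.Delete;

    // Broad principals: any of them allowed a Dangerous right marks the ACL as weak.
    static readonly WellKnownSidType[] Broad =
    {
        WellKnownSidType.WorldSid,              // Everyone (S-1-1-0)
        WellKnownSidType.AuthenticatedUserSid,  // Authenticated Users (S-1-5-11)
        WellKnownSidType.BuiltinUsersSid        // BUILTIN\Users (S-1-5-32-545)
    };

    // Same decoding as reading !sd's raw mask by hand: 0x001f0001 -> "FullControl",
    // 0x00120001 -> "Modify, ReadPermissions, Synchronize" (MutexRights is a [Flags] enum).
    public static string DescribeMask(int mask) { return ((MutexRights)mask).ToString(); }

    public static bool IsWeak(MutexAccessRule rule)
    {
        if (rule.AccessControlType != AccessControlType.Allow) return false;
        if ((rule.MutexRights & Dangerous) == 0) return false;
        var sid = (SecurityIdentifier)rule.IdentityReference.Translate(typeof(SecurityIdentifier));
        foreach (WellKnownSidType b in Broad)
            if (sid.IsWellKnown(b)) return true;
        return false;
    }

    static void Main(string[] args)
    {
        // Default is the mutex from the WinDBG listing above; Global\ maps to \BaseNamedObjects.
        string name = args.Length > 0 ? args[0] : @"Global\SHIMLIB_LOG_MUTEX";
        // ReadPermissions is enough to read the DACL; the mutex is never acquired.
        using (Mutex m = Mutex.OpenExisting(name, MutexRights.ReadPermissions))
        {
            MutexSecurity sec = m.GetAccessControl();
            Console.WriteLine("Owner: " + sec.GetOwner(typeof(SecurityIdentifier)));
            foreach (MutexAccessRule r in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
                Console.WriteLine("{0,-5} {1,-40} {2}{3}", r.AccessControlType,
                    r.IdentityReference, r.MutexRights, IsWeak(r) ? "   <-- weak" : "");
        }
    }
}
```

Run it as an ordinary user against a mutex created by a service: a Deny rule or a missing rule for your account shows up as a failed OpenExisting, while an Allow rule with a weak flag is the case the post warns about.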


About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.