Re: A service and WTS

From: Maxim S. Shatskih (maxim_at_storagecraft.com)
Date: 02/20/04 

Date: Fri, 20 Feb 2004 21:17:59 +0300

    I would suggest you to read a great book on such (and other) cases. The
book written by Microsoft's David LeBlank and Michael Howard and is called
"Writing Secure Code".
    ISBN 0-7356-1722-8

>I need some user mode information in my driver before any user logs on, so
>that'll be a service.

Sorry. The
- "I need some user mode information"
is one thing. But:
- "I need some information from the user input"
is another thing.

What of these two do you need? If second - then sorry, your driver will be
either defunct will the user will log on, or will run in some default mode.
After the user will log on, it will run some UI app, which will call the
necessary IOCTLs in your driver.

If first - then why having UI in the service?

> What's so wrong to impersonate a logged-on user and interact with the user
> from a service directly?

A potential security hole. First of all, the window manager is unprotected at
all. Some malicious app will just do a couple of SendMessage to your edit
control, causing buffer overrun in your code - which is the privileged code.
This technique is well-described.

> How an interaction thru a proxy application started by HKLM\..\Run is any
> better?

More protected. All points where the security boundary is crossed (from the app
to the service) are listed and documented (in COM's .IDL file usually).

> Is starting an application by CreateProcessAsUser from a service a bad thing
> as well?

CreateProcessAsUser requires explicit password specification. Where do you want
to keep the password?

In "c:\admin_password.txt" file? Then yes, CreateProcessAsUser is bad :-)
In DPAPI or LSA secret? Then CreateProcessAsUser is OK.

> Should CreateProcess from a service be banned?

No for sure.

> I am not sure here, do you mean a driver talks to a service via inverted
> call path?
> (requesting an info from a service by completing a previously pended IRP,
> and obtaining this information from the next IRP to pend?)

Yes. Exactly so. 

-- 
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

Relevant Pages

  • Re: A service and WTS
    ... After the user will log on, it will run some UI app, which will call the ... CreateProcessAsUser requires explicit password specification. ... > (requesting an info from a service by completing a previously pended IRP, ...
    (microsoft.public.development.device.drivers)
  • Re: A service and WTS
    ... >CreateProcessAsUser requires explicit password specification. ... your driver will be ... > After the user will log on, it will run some UI app, which will call the ... > CreateProcessAsUser requires explicit password specification. ...
    (microsoft.public.development.device.drivers)
  • Re: A service and WTS
    ... >CreateProcessAsUser requires explicit password specification. ... your driver will be ... > After the user will log on, it will run some UI app, which will call the ... > CreateProcessAsUser requires explicit password specification. ...
    (microsoft.public.win32.programmer.kernel)
  • CreateProcessAsUser, error code 6
    ... application is bascially a runas app with a few bells and whistles. ... The CreateProcessAsUser() call succeeds. ... I now have a cmd.exe window open as my user. ... Same user I'm using in the app run by the service. ...
    (microsoft.public.platformsdk.security)
  • CreateProcessAsUser, error code 6
    ... application is bascially a runas app with a few bells and whistles. ... The CreateProcessAsUser() call succeeds. ... I now have a cmd.exe window open as my user. ... Same user I'm using in the app run by the service. ...
    (microsoft.public.access.security)
Loading