Re: CreateProcessAsUser "loses" privileges, why?
Hi Pavel,

Pavel Lebedinsky wrote:
>
> What OS is this?

I tested on XP SP2, W2K SP4 and NT4 SP6. All these OS versions exhibit
the same behaviour. It seems like the process started via CPAU has only
those privileges that are enabled by default
(SE_PRIVILEGE_ENABLED_BY_DEFAULT) in the client token. All other
privileges are non-existent in the token of this process. I also tried
(on XP only) to enable the SE_DEBUG_NAME privilege in the client token
before connecting to the named pipe, but this didn't change anything.


> [...] Do you also see missing privileges if you start a
> process with runas?

No, runas works like a charm.

My current solution to the problem is to pass as part of the named pipe
conversation the PID of the client process to the server. At the server
end, I then open the process handle and the access token of the client
process and also impersonate it. I then compare the access token I
opened and the impersonation token (see if their user and group SID are
the same) and if both match, start the process with CPAU, but not with
the (duplicated primary) token from impersonation as before, but instead
with the access token that I got from opening the process token via PID.

Comparing the token and doing the impersonation anyway seems overkill,
but this way I can prevent some malicious user from spoofing the server
by sending an arbitrary PID of a highly privileged process across the
named pipe which it would then blindly open and create a process in that
context.

Am I doing something wrong or is there really no solution that is a bit more
elegant? Can anyone confirm that the token of a process created by CPAU
is always missing the privileges if it is created from a duplicated
impersonation token?

TIA,

--
Stefan