...
An application may spawn another process as part of its normal course of action. On Windows, the newly-spawned process automatically receives the same privileges as the parent process [MSDN]. By allowing the child process to run in the same security context as the parent process, the attack surface for the application is extended to the child process. Furthermore, this example allows the child process to inherit handles from the parent process by passing TRUE to the bInheritsHandles parameter.
...
It is possible that the act of calling launch_notepad() will give the user an elevated Notepad application (from which the user could execute Explorer.exe), allowing them the user access to all user's files, change system settings, etcand so on.
Compliant Solution
By using the Windows Integrity Mechanism [MSDN] when creating the process, you can assign an integrity level to the launched child process. This Doing so allows you to execute the child process with a specific set of privileges instead of defaulting to the parent process's security level.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <Windows.h>
#include <sddl.h>
static void launch_notepad_as_user(HANDLE token) {
PROCESS_INFORMATION pi;
STARTUPINFO si;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof( si );
if (CreateProcessAsUser(token, TEXT("C:\\Windows\\Notepad.exe"), NULL, NULL,
NULL, FALSE, 0, NULL, NULL, &si, &pi )) {
/* Process has been created; work with the process and wait for it to
terminate. */
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
}
static BOOL adjust_token_integrity_level(HANDLE token, const char *sid) {
/* Convert the string SID to a SID *, then adjust the token's
privileges. */
BOOL ret;
PSID psd = NULL;
if (ConvertStringSidToSidA(sid, &psd)) {
TOKEN_MANDATORY_LABEL tml;
ZeroMemory(&tml, sizeof(tml));
tml.Label.Attributes = SE_GROUP_INTEGRITY;
tml.Label.Sid = psd;
ret = SetTokenInformation(token, TokenIntegrityLevel, &tml,
sizeof(tml) + GetLengthSid(psd));
LocalFree(psd);
}
return ret;
}
void launch_notepad(void) {
/* Low level; see table for integrity level string names */
const char *requested_sid = "S-1-16-4096";
HANDLE token_cur, token_dup;
/* Get the current process' security token as a starting point, then modify
a duplicate so that it runs with a fixed integrity level. */
if (OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE |
TOKEN_ADJUST_DEFAULT |
TOKEN_QUERY |
TOKEN_ASSIGN_PRIMARY,
&token_cur)) {
if (DuplicateTokenEx(token_cur, 0, NULL, SecurityImpersonation,
TokenPrimary, &token_dup)) {
if (adjust_token_integrity_level(token_dup, requested_sid))
launch_notepad_as_user(token_dup);
CloseHandle(token_dup);
}
CloseHandle(token_cur);
}
}
|
The compliant example solution demonstrates how to launch Notepadnotepad.exe using a low integrity level, regardless of what privilege level the parent process is running from. It also disallows handle inheritance by passing FALSE to the bInheritsHandles parameter, because notepad.exe does not require access to any of the process's handles.
Possible values for the integrity level SID strings are listed in the following table:
| Integrity level SID | Name |
|---|---|
S-1-16-4096 | Mandatory Label\Low Mandatory Level |
S-1-16-8192 | Mandatory Label\Medium Mandatory Level |
S-1-16-12288 | Mandatory Label\High Mandatory Level |
S-1-16-16384 | Mandatory Label\System Mandatory Level |
...
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
WIN02-C | highHigh | likelyLikely | highHigh | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| BADFUNC.CREATEPROCESS | Use of CreateProcess |
Related Guidelines
...