A Brief Discussion of NT ACLs, Tokens, Privileges and Security Issues

2024-05-06


----- Another way to clone an account

Author: 刺 (aXis)

Source: www.3389.net

Abstract: This article covers NT ACLs, tokens and privileges, and how privileges can be used to bypass ACLs in order to access files. It can be seen as another way of cloning the Administrator account, though a stealthier one that is harder to use and requires getting past detection; the breakthrough obtained so far is bypassing ACLs by means of privileges.

Keywords: ACL, ACE, DACL, TOKEN, SID, PRIVILEGE

Dedication: this article is dedicated to 陈静.

I. Basic concepts (this part introduces tokens, ACLs and other basics in preparation for Part II; if you already know this material, skip it)

1. What is a token (TOKEN)?

When a user logs on to Windows NT/XP and passes authentication, the system assigns that user a token. A token is a data structure used by every process and thread the user starts. The token's layout is shown below:

    Token source
    Impersonation Type
    Token ID
    Authentication ID
    Modified ID
    Expiration Time
    Default Primary Group
    Default DACL
    User Account SID
    Group 1 SID
    ......
    Group n SID
    Restricted SID 1
    ......
    Restricted SID n
    Privilege 1
    ......
    Privilege n

That is not easy to grasp on its own, so let us look at a real instance. whoami.exe from the Windows 2000 Resource Kit shows the details of the current user's access token:

    C:\>whoami /all
    [User] = "DARKDEAMON\Administrator" S-1-5-21-1409082233-1957994488-472307971-500
    [Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
    [Group 2] = "Everyone" S-1-1-0
    [Group 3] = "BUILTIN\Administrators" S-1-5-32-544
    [Group 4] = "BUILTIN\Users" S-1-5-32-545
    [Group 5] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
    [Group 6] = "NT AUTHORITY\Authenticated Users" S-1-5-11
    [Group 7] = "LOCAL" S-1-2-0
    (X) SeChangeNotifyPrivilege =
    (O) SeSecurityPrivilege =
    (O) SeBackupPrivilege =
    (O) SeRestorePrivilege =
    (O) SeSystemtimePrivilege =
    (O) SeShutdownPrivilege =
    (O) SeRemoteShutdownPrivilege =
    (O) SeTakeOwnershipPrivilege =
    (O) SeDebugPrivilege =
    (O) SeSystemEnvironmentPrivilege =
    (O) SeSystemProfilePrivilege =
    (O) SeProfileSingleProcessPrivilege =
    (O) SeIncreaseBasePriorityPrivilege =
    (X) SeLoadDriverPrivilege =
    (O) SeCreatePagefilePrivilege =
    (O) SeIncreaseQuotaPrivilege =
    (X) SeUndockPrivilege =
    (O) SeTcbPrivilege =
    C:\>

This is the information in my token: my SID, the groups I belong to, a detailed list of the privileges I hold, and so on. The token therefore determines what a user is able to do on a given computer.

2. Security identifiers (SID)

A SID is assigned by the system when a user or group is created, and it is unique. When a local user logs on, the system retrieves the SID from the user database in the SAM.

The structure of a SID is described in this passage from Inside Windows 2000:

A SID is a variable-length numeric value that consists of a SID structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values.

Here are some of the built-in SIDs.

Well-known SIDs (SID, group, use):

    S-1-1-0   Everyone           A group that includes all users.
    S-1-2-0   Local              Users who log on to terminals locally (physically) connected to the system.
    S-1-3-0   Creator Owner ID   A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable access-control entries (ACEs).
    S-1-3-1   Creator Group ID   Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs.

The number at the end of a SID is the RID (relative identifier). 500 denotes the Administrator account and 501 the Guest account.

The administrator-account cloning technique proposed by ADAM works on the SID: the RID of an account's SID is cloned to 500, so the system treats that account as the administrator.

A complete SID can be seen in the token above:

    S-1-5-21-1409082233-1957994488-472307971-500
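As an added illustration (not part of the original article), the following Python parses a textual SID into the fields named in the Inside Windows 2000 passage above and labels the well-known SIDs and RIDs that appear on this page; the lookup tables and helper names are this example's own.

```python
import re

# Well-known SIDs from the table above plus the two BUILTIN groups in the whoami dump.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner ID",
    "S-1-3-1": "Creator Group ID",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Relative identifiers of built-in principals under a machine/domain SID (S-1-5-21-...).
# 513 is the primary group that the dump above shows as DARKDEAMON\None.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 513: "None"}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

def parse_sid(text):
    """Return (revision, identifier_authority, [subauthorities]) or raise ValueError."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    if revision != 1 or authority >= 1 << 48:   # revision 1, 48-bit authority
        raise ValueError("bad revision/authority in %r" % text)
    subs = [int(s) for s in m.group(3).split("-") if s]
    if len(subs) > 15:                          # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many subauthorities in %r" % text)
    return revision, authority, subs

def describe_sid(text):
    """Classify a SID as well-known, a machine/domain account (with its RID), or other."""
    sid = text.strip()
    revision, authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN_SIDS:
        return {"kind": "well-known", "name": WELL_KNOWN_SIDS[sid]}
    if authority == 5 and subs[:1] == [21] and len(subs) == 5:
        rid = subs[-1]
        return {"kind": "account",
                "domain": "S-1-5-21-" + "-".join(str(s) for s in subs[1:4]),
                "rid": rid, "name": WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)}
    return {"kind": "other", "name": sid}
```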

3. What is an access control list (ACL)?

ACL (access control list) is easy to understand from the name: the system uses ACLs to decide what degree of access a user has to a resource. There are two kinds of ACL: the DACL (Discretionary Access Control List) and the SACL (System Access Control List). The DACL holds a list of users and groups with their corresponding permissions, allow or deny, and is used to determine access to the resource; the SACL determines the auditing policy for the secured resource. An ACL consists of zero or more ACEs (Access Control Entries); each ACE contains a SID and a description of how that SID may access the resource, such as allow or deny, with deny taking precedence over allow.

The Windows 2000 Resource Kit contains several ACL-related tools; the most typical is xcacls. Here is an example of viewing an ACL with xcacls:

    C:\Program Files\Resource Kit>xcacls whoami.exe
    C:\Program Files\Resource Kit\whoami.exe BUILTIN\Users:R
                                             BUILTIN\Power Users:C
                                             BUILTIN\Administrators:F
                                             NT AUTHORITY\SYSTEM:F
                                             NT AUTHORITY\TERMINAL SERVER USER:C
    C:\Program Files\Resource Kit>

Other ACL tools include svcacls.exe, showacls and subinacl.exe; they are not covered one by one here.

4. Privileges

Put simply, a privilege is a power the system grants to a user: it allows or disallows certain privileged operations that affect the computer as a whole rather than a single object. The table below lists some system privileges and their functions.

Privilege (Windows privilege name), followed by its description:

SeTcbPrivilege (Act as part of the operating system)
    Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege.

SeMachineAccountPrivilege (Add computers to a domain)
    Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain.

SeBackupPrivilege (Back up files and directories)
    Allows the user to circumvent file and directory permissions to back up the system. The privilege is checked only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
    By default, this privilege is assigned to Administrators and Backup Operators. See also Restore files and directories in this table.

SeChangeNotifyPrivilege (Bypass traverse checking)
    Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Windows file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
    By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone.

SeSystemTimePrivilege (Change the system time)
    Allows the user to set the time for the internal clock of the computer.
    By default, this privilege is assigned to Administrators and Power Users.

SeCreatePagefilePrivilege (Create a pagefile)
    Allows the user to create and change the size of a page file.
    By default, this privilege is assigned to Administrators.

SeCreateTokenPrivilege (Create a token object)
    Allows a process to create an access token by calling NtCreateToken or other token-creating APIs.

SeCreatePermanentPrivilege (Create permanent shared objects)
    Allows a process to create a directory object in the Windows 2000 object manager.

SeDebugPrivilege (Debug programs)
    Allows the user to attach a debugger to any process.
    By default, this privilege is assigned to Administrators.

SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation)
    Allows the user to change the Trusted for Delegation setting on a User or Computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.

SeRemoteShutdownPrivilege (Force shutdown from a remote system)
    Allows a user to shut down a computer from a remote location on the network. See also Shut down the system in this table.
    By default, this privilege is assigned to Administrators.

SeAuditPrivilege (Generate security audits)
    Allows a process to create, generate, and add entries in the security log. The security log is used to trace unauthorized system access. See also Manage auditing and security log in this table.

SeIncreaseQuotaPrivilege (Increase quotas)
    Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial of service attack.
    By default, this privilege is assigned to Administrators.

SeIncreaseBasePriorityPrivilege (Increase scheduling priority)
    Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box.
    By default, this privilege is assigned to Administrators.

SeLoadDriverPrivilege (Load and unload device drivers)
    Allows a user to install and uninstall Plug and Play device drivers. Device drivers that are not Plug and Play are not affected by this privilege and can be installed only by Administrators. Because device drivers run as trusted (highly privileged) programs, this privilege can be misused to install hostile programs and give them destructive access to resources.
    By default, this privilege is assigned to Administrators.

SeLockMemoryPrivilege (Lock pages in memory)
    Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege can significantly degrade system performance. This privilege is obsolete and is therefore never selected.

SeSecurityPrivilege (Manage auditing and security log)
    Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege can also view and clear the security log from Event Viewer.
    By default, this privilege is assigned to Administrators.

SeSystemEnvironmentPrivilege (Modify firmware environment values)
    Allows modification of system environment variables either by a process through an API or by a user through System Properties.
    By default, this privilege is assigned to Administrators.

SeProfileSingleProcessPrivilege (Profile a single process)
    Allows a user to run Microsoft Windows NT and Microsoft Windows 2000 performance-monitoring tools to monitor the performance of nonsystem processes.
    By default, this privilege is assigned to Administrators and Power Users.

SeSystemProfilePrivilege (Profile system performance)
    Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes.
    By default, this privilege is assigned to Administrators.

SeUndockPrivilege (Remove computer from docking station)
    Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
    By default, this privilege is assigned to Administrators, Power Users, and Users.

SeAssignPrimaryTokenPrivilege (Replace a process-level token)
    Allows a parent process to replace the access token associated with a child process.

SeRestorePrivilege (Restore files and directories)
    Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. See also Back up files and directories in this table.
    By default, this privilege is assigned to Administrators and Backup Operators.

SeShutdownPrivilege (Shut down the system)
    Allows a user to shut down the local computer. See also Force shutdown from a remote system in this table.
    In Windows 2000 Professional, by default this privilege is assigned to Administrators, Backup Operators, Power Users, and Users. In Windows 2000 Server, by default this privilege is not assigned to Users, only to Administrators, Backup Operators, and Power Users.

SeSynchAgentPrivilege (Synchronize directory service data)
    Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers.
    By default, this privilege is assigned to Administrators and LocalSystem accounts on domain controllers.

SeTakeOwnershipPrivilege (Take ownership of files or other objects)
    Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
    By default, this privilege is assigned to Administrators.

II. Some security issues

1. Using the backup privilege to bypass access control

Backup Operators and Administrators hold one particular privilege: SeBackupPrivilege. With it, files that would normally be denied can be accessed: when an ACL denies an account read access to a file, a backup program can still read the file by setting the FILE_FLAG_BACKUP_SEMANTICS flag when calling CreateFile.

The book Writing Secure Code gives the following code and experiment:

1. Assume you hold SeBackupPrivilege.

2. Create a txt file with the content: writings this for cj

3. Add an ACE that denies that user all access.

Now try opening the file: you will get an access-denied message. Then compile the following code (from Writing Secure Code):

    /*
      WOWAccess.cpp
    */
    #include <windows.h>
    #include <stdio.h>

    // Enable the named privilege in the current process token. The token must
    // already hold the privilege; AdjustTokenPrivileges can only switch it on.
    int EnablePriv(char *szPriv) {
        HANDLE hToken = 0;
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES,
                              &hToken)) {
            printf("OpenProcessToken() failed ->%d\n", GetLastError());
            return -1;
        }
        TOKEN_PRIVILEGES newPrivs;
        if (!LookupPrivilegeValue(NULL, szPriv,
                                  &newPrivs.Privileges[0].Luid)) {
            printf("LookupPrivilegeValue() failed ->%d\n", GetLastError());
            CloseHandle(hToken);
            return -1;
        }
        newPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        newPrivs.PrivilegeCount = 1;
        if (!AdjustTokenPrivileges(hToken, FALSE, &newPrivs, 0, NULL, NULL)) {
            printf("AdjustTokenPrivileges() failed ->%d\n", GetLastError());
            CloseHandle(hToken);
            return -1;
        }
        // AdjustTokenPrivileges returns TRUE even when the token does not hold the
        // privilege; ERROR_NOT_ALL_ASSIGNED is the only sign that nothing was enabled.
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            printf("Token does not hold %s\n", szPriv);
            CloseHandle(hToken);
            return -1;
        }
        CloseHandle(hToken);
        return 0;
    }

    // Open the file with the given CreateFile flags and read its first bytes.
    void DoIt(char *szFileName, DWORD dwFlags) {
        printf("Attempting to read %s, with 0x%x flags\n",
               szFileName, dwFlags);
        HANDLE hFile = CreateFile(szFileName,
                                  GENERIC_READ, FILE_SHARE_READ,
                                  NULL, OPEN_EXISTING,
                                  dwFlags,
                                  NULL);
        if (hFile == INVALID_HANDLE_VALUE) {
            printf("CreateFile() failed ->%d\n", GetLastError());
            return;
        }
        char buff[128];
        DWORD cbRead = 0, cbBuff = sizeof buff - 1;   // keep room for the terminator
        ZeroMemory(buff, sizeof buff);
        if (ReadFile(hFile, buff, cbBuff, &cbRead, NULL)) {
            printf("Success, read %d bytes\nText is: %s\n",
                   cbRead, buff);
        } else {
            printf("ReadFile() failed ->%d\n", GetLastError());
        }
        CloseHandle(hFile);
    }

    int main(int argc, char *argv[]) {
        if (argc < 2) {
            printf("Usage: %s <filename>\n", argv[0]);
            return 1;
        }
        // Need to enable backup priv first.
        if (EnablePriv(SE_BACKUP_NAME) == -1)
            return 1;
        // Try with no backup flag - should get access denied.
        DoIt(argv[1], FILE_ATTRIBUTE_NORMAL);
        // Try with backup flag - should work!
        DoIt(argv[1], FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS);
        return 0;
    }

Running it:

    C:\>bkp
    Usage: bkp <filename>
    C:\>bkp test.txt
    Attempting to read test.txt, with 0x80 flags
    CreateFile() failed ->5
    Attempting to read test.txt, with 0x2000080 flags
    Success, read 20 bytes
    Text is: writings this for cj
    C:\>

As shown, once the backup flag is used (with 0x2000080 flags), the file that was initially denied can be read.
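To make the ordering visible, here is an added Python model (not the article's or the book's code) of the access check: the backup, restore and take-ownership privilege checks run before the DACL is walked, which is why the run above fails with error 5 (ERROR_ACCESS_DENIED) at flags 0x80 (FILE_ATTRIBUTE_NORMAL) and succeeds at 0x2000080 (the same value with FILE_FLAG_BACKUP_SEMANTICS, 0x02000000, added). It also covers the SeTakeOwnershipPrivilege case of section 2 below; the tokens and DACLs are constructed from the SIDs in the whoami dumps, and the model is deliberately simplified (no SACL, no generic-right mapping, only the three privileges the article uses).

```python
FILE_READ_DATA, FILE_WRITE_DATA, WRITE_OWNER = 0x1, 0x2, 0x80000
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000   # the bit that turns 0x80 into 0x2000080 above
ERROR_ACCESS_DENIED = 5                   # the "CreateFile() failed ->5" in the run

def check_access(token, dacl, desired, open_flags=0):
    """token: {'sids': set of SID strings, 'privs': set of enabled privilege names}
    dacl:  ordered list of (ace_type, sid, access_mask), ace_type 'allow' or 'deny'
    Returns (granted_mask, reason) on success or (None, reason) on access denied."""
    # 1. Privilege-based grants are decided before the DACL is consulted (simplified).
    if open_flags & FILE_FLAG_BACKUP_SEMANTICS:
        if desired == FILE_READ_DATA and "SeBackupPrivilege" in token["privs"]:
            return desired, "granted by SeBackupPrivilege, DACL not consulted"
        if desired == FILE_WRITE_DATA and "SeRestorePrivilege" in token["privs"]:
            return desired, "granted by SeRestorePrivilege, DACL not consulted"
    if desired == WRITE_OWNER and "SeTakeOwnershipPrivilege" in token["privs"]:
        return desired, "granted by SeTakeOwnershipPrivilege, DACL not consulted"
    # 2. Walk the DACL in order: the first matching deny ACE wins; allow ACEs
    #    accumulate rights until every requested bit is covered.
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token["sids"]:
            continue
        if ace_type == "deny" and mask & desired:
            return None, "denied by ACE for %s (error %d)" % (sid, ERROR_ACCESS_DENIED)
        if ace_type == "allow":
            granted |= mask & desired
            if granted == desired:
                return granted, "granted by DACL"
    return None, "no ACE grants the request (error %d)" % ERROR_ACCESS_DENIED

# Constructed tokens and DACLs mirroring the two experiments (SIDs from the whoami dumps).
ADMIN_SID = "S-1-5-21-1409082233-1957994488-472307971-500"
TT_SID = "S-1-5-21-1409082233-1957994488-472307971-1013"
ADMIN = {"sids": {ADMIN_SID, "S-1-5-32-544", "S-1-1-0"}, "privs": {"SeBackupPrivilege"}}
TT = {"sids": {TT_SID, "S-1-5-32-545", "S-1-1-0"}, "privs": {"SeTakeOwnershipPrivilege"}}
TEST_TXT_DACL = [("deny", ADMIN_SID, FILE_READ_DATA | FILE_WRITE_DATA),   # step 3 above
                 ("allow", "S-1-5-32-544", FILE_READ_DATA | FILE_WRITE_DATA)]
SYSTEM32_DACL = [("allow", "S-1-5-32-544", FILE_READ_DATA | FILE_WRITE_DATA | WRITE_OWNER),
                 ("allow", "S-1-5-32-545", FILE_READ_DATA)]

if __name__ == "__main__":
    print(check_access(ADMIN, TEST_TXT_DACL, FILE_READ_DATA))                             # denied
    print(check_access(ADMIN, TEST_TXT_DACL, FILE_READ_DATA, FILE_FLAG_BACKUP_SEMANTICS))  # granted
    print(check_access(TT, SYSTEM32_DACL, WRITE_OWNER))                                   # granted by privilege
```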

2. Using SeTakeOwnershipPrivilege to bypass access control

On my machine, tt is an ordinary user account. Once SeTakeOwnershipPrivilege is added to it, it can bypass the existing access control: for example, it can add a full-control ACE to the system32 directory and then copy files at will. The same can be done to the Documents and Settings directory, at which point setting a trap for the administrator is a simple matter. The procedure is as follows.

First, look at the privileges tt holds:

    C:\>whoami /all
    [User] = "DARKDEAMON\tt" S-1-5-21-1409082233-1957994488-472307971-1013
    [Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
    [Group 2] = "Everyone" S-1-1-0
    [Group 3] = "BUILTIN\Users" S-1-5-32-545
    [Group 4] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
    [Group 5] = "NT AUTHORITY\Authenticated Users" S-1-5-11
    [Group 6] = "LOCAL" S-1-2-0
    (O) SeCreatePagefilePrivilege =
    (O) SeAssignPrimaryTokenPrivilege =
    (O) SeCreateTokenPrivilege =
    (O) SeAuditPrivilege =
    (X) SeUndockPrivilege =
    (O) SeTakeOwnershipPrivilege =
    (X) SeChangeNotifyPrivilege =
    C:\>

You can see that SeTakeOwnershipPrivilege has been added. Next, I will show how to obtain full control of the system32 directory.

This is the state before the change (screenshot not reproduced).

Now we change the directory's owner in order to obtain full control (screenshot not reproduced).

You can now see that the option to change the owner is active, so we only need to change the owner to obtain full control. Before this privilege was added, that operation was impossible.
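An added Python audit (not the article's own tooling) that parses the whoami /all dump format shown in section I.1 and here, and flags high-risk privileges held by an account that is not a member of BUILTIN\Administrators; this is the check a defender would run to spot the added SeTakeOwnershipPrivilege on the tt account. The high-risk list, the constructed dump, and the reading of (X) as enabled and (O) as held-but-disabled are this example's assumptions.

```python
import re

# Privileges the article shows being used, or proposes cloning, to get past DACLs.
HIGH_RISK_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
                   "SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
                   "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege"}
ADMINISTRATORS_SID = "S-1-5-32-544"

# Accept both straight and typographic quotes, since copied dumps often carry the latter.
_USER_RE = re.compile(r'^\[User\]\s*=\s*["\u201c]([^"\u201d]+)["\u201d]\s+(S-1-[\d-]+)')
_GROUP_RE = re.compile(r'^\[Group \d+\]\s*=\s*["\u201c]([^"\u201d]+)["\u201d]\s+(S-1-[\d-]+)')
_PRIV_RE = re.compile(r'^\(([XO])\)\s+(Se\w+Privilege)\s*=')

def parse_whoami(text):
    """Parse the 'whoami /all' dump format used in this article into a token summary."""
    token = {"user": None, "sid": None, "groups": {}, "privs": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := _USER_RE.match(line):
            token["user"], token["sid"] = m.group(1), m.group(2)
        elif m := _GROUP_RE.match(line):
            token["groups"][m.group(2)] = m.group(1)
        elif m := _PRIV_RE.match(line):
            # Assumption: (X) marks privileges enabled in the token, (O) those held but disabled.
            token["privs"][m.group(2)] = m.group(1) == "X"
    return token

def audit_token(token):
    """Return high-risk privileges held by an account outside BUILTIN\\Administrators."""
    if ADMINISTRATORS_SID in token["groups"]:
        return []
    return sorted(p for p in token["privs"] if p in HIGH_RISK_PRIVS)

# Constructed dump in the article's format (the tt account from this section).
TT_DUMP = """\
[User] = "DARKDEAMON\\tt" S-1-5-21-1409082233-1957994488-472307971-1013
[Group 1] = "DARKDEAMON\\None" S-1-5-21-1409082233-1957994488-472307971-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\\Users" S-1-5-32-545
(O) SeCreatePagefilePrivilege =
(O) SeAssignPrimaryTokenPrivilege =
(O) SeCreateTokenPrivilege =
(O) SeAuditPrivilege =
(X) SeUndockPrivilege =
(O) SeTakeOwnershipPrivilege =
(X) SeChangeNotifyPrivilege =
"""

if __name__ == "__main__":
    print(audit_token(parse_whoami(TT_DUMP)))
```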

3. Doing harm with SeDebugPrivilege

This privilege is extremely dangerous. It allows a user to access secret data by debugging processes. The classic example is findpass, which uses SeDebugPrivilege to debug the winlogon process and obtain the domain name and password stored there in clear text.

Another classic example is LSADUMP2, which uses CreateRemoteThread to run code inside the LSASS.EXE process that reads private data already decrypted by the LSA, thereby exposing the secrets stored in the LSA.

4. Going further

By default the Administrator has 16 privileges:

    SeChangeNotifyPrivilege
    SeSecurityPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeSystemtimePrivilege
    SeShutdownPrivilege
    SeRemoteShutdownPrivilege
    SeTakeOwnershipPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeSystemProfilePrivilege
    SeProfileSingleProcessPrivilege
    SeIncreaseBasePriorityPrivilege

However, two privileges, SeTcbPrivilege and SeCreateTokenPrivilege, are not held by the Administrator by default. SeTcbPrivilege is the privilege to act as part of the operating system, and SeCreateTokenPrivilege is the privilege to create arbitrary tokens! With these two privileges, in Lu0's words, one can surpass Administrator!

This suggests another way to clone the administrator account: clone the administrator's privileges, even including SeTcbPrivilege and SeCreateTokenPrivilege!

This uses a tool from the Resource Kit, ntrights.exe, which can add privileges to a specified account or group. Its documentation reads:

    ntrights {-r Right | +r Right} -u UserOrGroup [-m \\Computer] [-e Entry] [-?]

Where:

    -r Right        revokes Right from specified user or group. For a full list, see Windows 2000 Rights.
    +r Right        grants Right to specified user or group. For a full list, see Windows 2000 Rights.
    -u UserOrGroup  specifies the user or group for whom rights are to be granted or revoked.
    -m \\Computer   specifies the computer (machine) on which to perform the operation. The default is the local computer.
    -e Entry        adds a text string Entry to the computer's event log.
    -?              displays a syntax screen at the command prompt.

Example usage:

    C:\>ntrights +r SeDebugPrivilege -u tt
    Granting SeDebugPrivilege to tt ... successful
    C:\>

This successfully adds SeDebugPrivilege to tt; other privileges can be added the same way. To remove a privilege, change +r to -r.

This achieves another kind of account cloning. However, even after obtaining the privileges, the account still cannot start services or add accounts: for instance, net user ttt /add fails with an access-denied error. I do not know whether that command checks the current user's SID and fails for that reason; I would welcome guidance from the experts.

III. Afterword

I have written at length out of a desire to learn; as wawa puts it, one gains a lot in the process of writing. Given my limited knowledge, the content is bound to contain errors, and I welcome corrections from the experts.

Related tool downloads:

whoami: www.3389.net/download/whoami.exe

xcacls: www.3389.net/download/xcacl.exe

bkp: www.3389.net/download/bkp.exe

ntrights: www.3389.net/download/ntrights.exe

findpass: www.3389.net/download/findpass.zip

lsadump2: www.3389.net/download/lsadump2.zip
