Question
I'm curious from a security standpoint, how bad is it to do what I describe below?
I need to launch an elevated process in an interactive logon user session from my local service. This process merely exists as a message-only GUI window, which is never visible to the user, and its class name is randomized every time the process starts.
It speeds things up if I run this process with the user token of the local service as such:
//Pseudo-code, error checks are omitted for brevity
//This code is run from a local-service with SYSTEM credentials
#include <windows.h>
#include <sddl.h>     // ConvertStringSidToSidW
#include <userenv.h>  // CreateEnvironmentBlock / DestroyEnvironmentBlock
#pragma comment(lib, "userenv.lib")

// userSessionID is the interactive session the hook process is launched into
void LaunchHookInUserSession(DWORD userSessionID)
{
    LPVOID pEnvBlock = NULL;
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = {0};

    PSID gpSidMIL_High;
    ConvertStringSidToSidW(L"S-1-16-12288", &gpSidMIL_High); // S-1-16-12288 = high mandatory level
    HANDLE hToken, hToken2;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    // Duplicate the service's own SYSTEM token as a primary token
    DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hToken2);
    // Move the duplicate into the user's session (needs SeTcbPrivilege, which SYSTEM has)
    SetTokenInformation(hToken2, TokenSessionId, &userSessionID, sizeof(userSessionID));
    DWORD dwUIAccess = 1;
    SetTokenInformation(hToken2, TokenUIAccess, &dwUIAccess, sizeof(dwUIAccess));
    //Set "high" mandatory integrity level
    TOKEN_MANDATORY_LABEL tml = {0};
    tml.Label.Attributes = SE_GROUP_INTEGRITY;
    tml.Label.Sid = gpSidMIL_High;
    SetTokenInformation(hToken2, TokenIntegrityLevel, &tml, sizeof(TOKEN_MANDATORY_LABEL) + ::GetSidLengthRequired(1));
    CreateEnvironmentBlock(&pEnvBlock, hToken2, FALSE);
    ImpersonateLoggedOnUser(hToken2);
    // Executable path is a placeholder; the block from CreateEnvironmentBlock is Unicode
    CreateProcessAsUserW(hToken2, L"C:\\Path\\To\\HookProcess.exe" /* placeholder */, NULL, NULL, NULL, FALSE,
                         CREATE_UNICODE_ENVIRONMENT, pEnvBlock, NULL, &si, &pi);
    RevertToSelf();
    //Clean-up
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    DestroyEnvironmentBlock(pEnvBlock);
    CloseHandle(hToken2);
    CloseHandle(hToken);
    LocalFree(gpSidMIL_High);
}
Answer 1:
Looks pretty bad. The process has way too many rights. The process is at the risk of being hijacked by the user in whose session you run, which would give him SYSTEM rights that he generally does not own.
The proper design is to have the hook process be capable of doing nothing. Communicate the keyboard events back to the service. Your hook doesn't need to be SYSTEM for this. It's probably wise to call AdjustTokenPrivileges to irrevocably drop all privileges (which you don't need). Even if your hook process was hijacked, it can't regain those privileges.
Source: https://stackoverflow.com/questions/38429908/do-i-jeopardize-security-of-the-system-if-i-start-a-logon-user-process-with-the