
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"


cd c:\documents and settings\jness  Access Denied!
The restricted token does not allow access to my own user profile.
dir c:\program files\internet explorer\iexplore.exe
The restricted token does allow access to program files.
c:\debuggers\ntsd
Debugging the process launched with the restricted token works fine.
c:\debuggers\ntsd  Access Denied!
Debugging the MSN Messenger launched with a normal token fails!
As we continue in this chapter, think about how a clever hacker running on the desktop
of an Administrator but running in a process with a restricted token could break out
of restricted token jail and run with a normal, privileged token. (Hint: The desktop is the
security boundary.)
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
Figure 16-3 Restricted token
Security Descriptor (SD)
It's important to understand the token because that is half of the AccessCheck operation,
the operation performed by the operating system anytime access to a securable object is
requested. The other half of the AccessCheck operation is the security descriptor (SD) of
the object for which access is being requested. The security descriptor describes the security
protections of the object by listing all the entities that are allowed access to the
object.
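
The two halves of AccessCheck described above, as a simplified model added here (it is not code from the book): the token on one side, the object's access list on the other. The SID names, the two-bit access mask, the contents of the restricted token (Administrators marked deny-only; RESTRICTED, Users and Everyone as restricting SIDs) and both access lists are assumptions constructed for illustration. They reproduce the first two results listed earlier on this page.

```python
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2  # simplified access-mask bits (assumption, not real Windows rights)

@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

@dataclass
class Token:
    user: str
    groups: set
    deny_only: set = field(default_factory=set)    # SIDs that can only match deny ACEs
    restricting: set = field(default_factory=set)  # non-empty means a restricted token

def _walk_dacl(dacl, allow_sids, deny_sids, desired):
    """Walk ACEs in order: a matching deny fails, allows clear the bits still needed."""
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.kind == "deny" and ace.sid in deny_sids and ace.mask & remaining:
            return False
        if ace.kind == "allow" and ace.sid in allow_sids:
            remaining &= ~ace.mask
    return remaining == 0

def access_check(token, dacl, desired):
    """Token half meets security-descriptor half; restricted tokens need two passes."""
    sids = {token.user} | token.groups
    normal = _walk_dacl(dacl, sids - token.deny_only, sids, desired)
    if not token.restricting:
        return normal
    # Second pass: only the restricting SIDs count, and it must also succeed.
    return normal and _walk_dacl(dacl, token.restricting, token.restricting, desired)

# Constructed sample data: illustrative names and ACLs, not read from a real system.
normal_token = Token("jness", {"Administrators", "Users", "Everyone"})
restricted_token = Token("jness", {"Administrators", "Users", "Everyone"},
                         deny_only={"Administrators"},
                         restricting={"RESTRICTED", "Users", "Everyone"})
profile_dacl = [Ace("allow", "jness", READ | WRITE),
                Ace("allow", "Administrators", READ | WRITE),
                Ace("allow", "SYSTEM", READ | WRITE)]
program_files_dacl = [Ace("allow", "Administrators", READ | WRITE),
                      Ace("allow", "Users", READ)]
```

In this model the profile directory is refused to the restricted token because none of its restricting SIDs appears in that access list, even though the user's own SID is granted full access.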

