NULL DACL
APIs that create objects will use a reasonable default DACL if the programmer doesn't specify
a DACL. You'll see the default DACL over and over again as you audit different objects.
However, if a programmer explicitly requests a NULL DACL, everyone is granted access.
Gray Hat Hacking: The Ethical Hacker's Handbook
More specifically, any desired access requested through the AccessCheck function will
always be granted. It's the same as creating a DACL granting Everyone full control.
Even if software intends to grant every user complete read/write access to a resource,
it's still not smart to use a NULL DACL. This would grant any users WriteOwner, which
would give them WRITE_DAC, which would allow them to deny everyone else access.
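The WriteOwner to WRITE_DAC chain described above, replayed against a NULL DACL and against an explicit DACL that grants Everyone only read/write data. This is an added example, not code from the book: a simplified model of the AccessCheck DACL walk that ignores privileges, integrity levels and generic-right mapping, and `S-alice` / `S-mallory` are constructed placeholder SIDs.

```python
# Added example: simplified model of the AccessCheck DACL walk, not Windows' own code.
# It ignores privileges, integrity levels, generic-right mapping and restricted tokens.
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x00020000, 0x00040000, 0x00080000
EVERYONE = "S-1-1-0"                      # well-known Everyone SID
ALICE, MALLORY = "S-alice", "S-mallory"   # constructed placeholder SIDs

def access_check(token_sids, sd, desired):
    """Return the mask of desired bits that were NOT granted (0 means access granted).
    sd = {"owner": sid, "dacl": None | [(ace_type, sid, mask), ...]}"""
    if sd["dacl"] is None:                # NULL DACL: every requested right is granted
        return 0
    remaining = desired
    if sd["owner"] in token_sids:         # the owner implicitly holds these two rights
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace_type, sid, mask in sd["dacl"]:    # ACEs are evaluated in order
        if remaining == 0:
            break
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return mask & remaining       # a matching deny ACE ends the check
        if ace_type == "allow":
            remaining &= ~mask
    return remaining                      # bits that no ACE granted are denied

def try_lock_out(sd, token_sids, new_owner):
    """Replay the WriteOwner -> WRITE_DAC chain; return True if every step is granted."""
    if access_check(token_sids, sd, WRITE_OWNER):
        return False
    sd["owner"] = new_owner               # WRITE_OWNER lets the caller become owner
    if access_check(token_sids, sd, WRITE_DAC):
        return False
    sd["dacl"] = [("allow", new_owner, FILE_READ_DATA | FILE_WRITE_DATA)]
    return True

def demo():
    rw = FILE_READ_DATA | FILE_WRITE_DATA
    null_sd = {"owner": ALICE, "dacl": None}
    explicit_sd = {"owner": ALICE, "dacl": [("allow", EVERYONE, rw)]}
    results = {}
    for name, sd in (("null", null_sd), ("explicit", explicit_sd)):
        locked = try_lock_out(sd, [MALLORY, EVERYONE], MALLORY)
        alice_missing = access_check([ALICE, EVERYONE], sd, rw)
        results[name] = (locked, alice_missing)   # (chain succeeded, bits Alice lost)
    return results
```

With the NULL DACL the chain succeeds and the original owner loses both data rights; with the explicit DACL the WRITE_OWNER request is refused and shared read/write access is unchanged.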
Investigating "Access Denied"
When testing access control, try to always enumerate the token and ACL so you can
think through the AccessCheck yourself. Try not to rely on common applications to test
access. For example, if type secret.txt returns "access denied," it'd be logical to think you
have been denied FILE_READ_DATA access, right? Well, let's walk through that scenario
and see what else could be the case.
For this example scenario, we'll create a new file, lock down access to that file, and
then investigate the access granted to determine why the AccessCheck function returns
"access denied" when we use the built-in type utility to read the file contents.