I recently came up with a completely brand new way to start processes on Microsoft Windows that's never been done before. Specifically, starting a child process of a non-elevated user as a completely different user. For those who want to understand and learn new things, here's an in-depth video on how it all works:
The video covers the complex topic of Microsoft Windows security objects, moves into looking at security objects with the CubicleSoft GetTokenInformation tool, trash talks Microsoft a few times, gets into a very brief demo of some major enhancements of the CubicleSoft CreateProcess command-line tool, and finally covers how the new enhancements to the CreateProcess command-line tool work under the hood.
In the video though, I only briefly demo the CreateProcess tool. That may be a slight disservice to the work that was done. So in this post, I want to cover some of the really cool things that were hand-waved over.
First off, did you know that an Administrator user is NOT the most powerful user account in Microsoft Windows? Yup. It's true. Most people don't know that NT AUTHORITY\SYSTEM is a far more powerful account. However, even that account is NOT the most powerful user account in the system! Microsoft Windows, by design, prevents most security tokens from having every privilege available. For example, very few processes get SeCreateTokenPrivilege. However, NT AUTHORITY\SYSTEM is sufficiently powerful to do almost anything.
What makes the method described in the video for starting processes unique and original is that the started processes are a child process of the original process regardless of elevation level. Elevation was introduced in Windows Vista with UAC elevation prompts. That is, those boxes that ask if an Administrator wants to start a program. Basically, even if you are logged in as an Administrator, your account runs as a slightly less privileged user on the system aka a non-elevated security token. Elevation is the process whereby the user tells Windows they want to start a program with an Administrator's fully privileged security token. The resulting newly created process runs within a different security context in the same session. However, the bog-standard elevation method has several problems with it that are covered in the video.
Elevation, though, is nothing new or special. What is new and special is the ability to start child processes as completely different users with completely different security tokens in the same session (and console) as the original process even if that process is not elevated. Here's the example usage from the CreateProcess repository:
C:\>whoami my-pc\john-doh C:\>whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ==================================== ======== SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled C:\>set MYVAR=123 C:\>createprocess /w /systemtoken /mergeenv C:\Windows\System32\cmd.exe Microsoft Windows [Version 10.0.19042.867] (c) 2020 Microsoft Corporation. All rights reserved. C:\>whoami nt authority\system C:\>whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ========================================= ================================================================== ======== SeAssignPrimaryTokenPrivilege Replace a process level token Enabled SeLockMemoryPrivilege Lock pages in memory Enabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeTcbPrivilege Act as part of the operating system Enabled SeSecurityPrivilege Manage auditing and security log Disabled SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled SeLoadDriverPrivilege Load and unload device drivers Disabled SeDebugPrivilege Debug programs Enabled ... [It's a fairly lengthy list of powerful privileges] SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled C:\>set MYVAR MYVAR=123
A command prompt goes from a non-elevated user to NT AUTHORITY\SYSTEM! That's pretty wild. The same procedure can also elevate to Administrator with /elevatedtoken instead of /systemtoken.
If you've ever been annoyed with having to right-click to start a Command Prompt/Powershell window and then "Start as Administrator" to get an Administrator prompt, well now you don't have to. With a simple command-line script + the CreateProcess tool, this can effectively be 'sudo' for Windows. Plus using /mergeenv passes a merged environment of the parent process to the target process, which preserves things like the current drive and directory you are in.
Overall, this is a huge deal. This has never been done before and enables some rather powerful functionality in Windows and it's accomplished without any bypasses/hacks/exploits. That is, it's baked into the Windows core. The procedure is just so complex that no one's bothered to implement it until now. Of course, with great power comes greater responsibility to wield that power appropriately.
Comments
Post a Comment