In the last post, we talked about mutex objects and how to enumerate them. Today we’ll learn how to check mutex access lists from WinDBG as well as from user mode, extending the EnumerateMutex example http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutex.cs.
Let’s see an example using WinDBG. First query the “BaseNamedObjects” directory that usually contains mutex objects:
    lkd> !object \BaseNamedObjects
    Object: e18ce788  Type: (823ed418) Directory
        ObjectHeader: e18ce770 (old version)
        HandleCount: 71  PointerCount: 593
        Directory Object: e1001150  Name: BaseNamedObjects

        Hash Address  Type          Name
        ---- -------  ----          ----
         00  e15a8880 SymbolicLink  Local
             81e996d0 Event         userenv: Machine Group Policy has been applied
             82286598 Mutant        SHIMLIB_LOG_MUTEX
             82308700 Mutant        ZonesCacheCounterMutex
             e1dfe298 Section       CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-412668190-839522115-500
             817e3ea0 Timer         userenv: refresh timer for 1048:768
             e1f12ed8 Section       MSCTF.MarshalInterface.FileMap.MPJ.DI.HDGDJDJ
             813f90d0 Event         CorDBIPCLSEventReadName_5752
             e25994a8 Section       Cor_Private_IPCBlock_4760
             e2319518 Section       Cor_Private_IPCBlock_4448
             e1fc1818 Section       MSCTF.MarshalInterface.FileMap.ILD.FOB.FNOEBJE
             8231e468 Event         userenv: machine policy force refresh event
             82196f50 Event         jjCSCSessEvent_UM_KM_0
             82111148 Event         AgentToWkssvcEvent
Now query one of them:
    lkd> !object \BaseNamedObjects\SHIMLIB_LOG_MUTEX
    Object: 82286598  Type: (823c55e0) Mutant
        ObjectHeader: 82286580 (old version)
        HandleCount: 8  PointerCount: 9
        Directory Object: e18ce788  Name: SHIMLIB_LOG_MUTEX
And query the object header at 82286580:
    lkd> dt nt!_OBJECT_HEADER 82286580
       +0x000 PointerCount       : 9
       +0x004 HandleCount        : 8
       +0x004 NextToFree         : 0x00000008
       +0x008 Type               : 0x823c55e0 _OBJECT_TYPE
       +0x00c NameInfoOffset     : 0x10 ''
       +0x00d HandleInfoOffset   : 0 ''
       +0x00e QuotaInfoOffset    : 0 ''
       +0x00f Flags              : 0x20 ' '
       +0x010 ObjectCreateInfo   : 0x8055a000 _OBJECT_CREATE_INFORMATION
       +0x010 QuotaBlockCharged  : 0x8055a000
       +0x014 SecurityDescriptor : 0xe1756a7e
       +0x018 Body               : _QUAD
The SecurityDescriptor field holds 0xe1756a7e, but the low three bits of that pointer are used by the kernel as a fast-reference count, not as part of the address, so mask them off to get the real security descriptor address:
    lkd> ?? 0xe1756a7e & ~0x7
    unsigned int 0xe1756a78
And then we can check the information we wanted:
    lkd> !sd 0xe1756a78 0
    ->Revision: 0x1
    ->Sbz1    : 0x0
    ->Control : 0x8004
                SE_DACL_PRESENT
                SE_SELF_RELATIVE
    ->Owner   : S-1-5-32-544
    ->Group   : S-1-5-18
    ->Dacl    :
    ->Dacl    : ->AclRevision: 0x2
    ->Dacl    : ->Sbz1       : 0x0
    ->Dacl    : ->AclSize    : 0x44
    ->Dacl    : ->AceCount   : 0x2
    ->Dacl    : ->Sbz2       : 0x0
    ->Dacl    : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
    ->Dacl    : ->Ace[0]: ->AceFlags: 0x0
    ->Dacl    : ->Ace[0]: ->AceSize: 0x14
    ->Dacl    : ->Ace[0]: ->Mask : 0x001f0001
    ->Dacl    : ->Ace[0]: ->SID: S-1-5-18
    ->Dacl    : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
    ->Dacl    : ->Ace[1]: ->AceFlags: 0x0
    ->Dacl    : ->Ace[1]: ->AceSize: 0x18
    ->Dacl    : ->Ace[1]: ->Mask : 0x00120001
    ->Dacl    : ->Ace[1]: ->SID: S-1-5-32-544
    ->Sacl    :  is NULL
So now that we know how to check an object's ACL via WinDBG, let’s take advantage of the .NET classes in the System.Security.AccessControl namespace to query object ACLs from user mode.
We can open a previously created mutex object via the Mutex.OpenExisting method:

    [SecurityPermissionAttribute(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)]
    public static Mutex OpenExisting(
        string name,
        MutexRights rights
    )
We’ll open the mutex with MutexRights.ReadPermissions, which is the only right needed to read its ACL, and then call Mutex.GetAccessControl to retrieve the access control information.
Here is the EnumerateMutex example extended to print ACL information for the mutexes inside the object directories:
- Source Code: http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutexACL.cs
- Binary: http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutexACL.exe
(Tested on Windows XP SP2 and Windows 7)
Example:
This method can be useful to identify weak ACLs that can lead to a local denial of service. Example: Winsock Mutex Vulnerability
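As an added example (not the EnumerateMutexACL code linked above), the following .NET Framework program applies the OpenExisting/GetAccessControl approach to a single named mutex and flags the kind of weak rule the previous paragraph warns about: a broad group (Everyone, Authenticated Users, Users) allowed rights that let it tamper with the object. The choice of "broad" SIDs and "dangerous" rights is the example's own audit policy, and the default mutex name is taken from the WinDBG session above.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

// Audits the DACL of one named mutex. Synchronize and ReadPermissions alone are
// harmless; Modify (release), Delete, ChangePermissions and TakeOwnership are not
// when granted to a group every local user belongs to.
class MutexAclAudit
{
    const MutexRights Dangerous = MutexRights.Modify | MutexRights.Delete |
        MutexRights.ChangePermissions | MutexRights.TakeOwnership;

    // Audit policy chosen for this example: groups that cover any local user.
    static readonly SecurityIdentifier[] BroadGroups = {
        new SecurityIdentifier(WellKnownSidType.WorldSid, null),             // S-1-1-0  Everyone
        new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), // S-1-5-11 Authenticated Users
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null),      // S-1-5-32-545 Users
    };

    // Returns the number of weak rules found; 0 means the DACL looks sane.
    static int Audit(string name)
    {
        int weak = 0;
        // ReadPermissions is all we need to read the DACL (READ_CONTROL in the mask).
        using (Mutex m = Mutex.OpenExisting(name, MutexRights.ReadPermissions))
        {
            MutexSecurity sec = m.GetAccessControl();
            foreach (MutexAccessRule rule in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference;
                // Print the mask in hex so it can be matched against the "Mask" field shown by !sd in WinDBG.
                Console.WriteLine("  {0,-5} 0x{1:x8} {2}", rule.AccessControlType, (int)rule.MutexRights, sid.Value);
                bool broad = Array.IndexOf(BroadGroups, sid) >= 0;
                if (rule.AccessControlType == AccessControlType.Allow && broad && (rule.MutexRights & Dangerous) != 0)
                {
                    Console.WriteLine("    WEAK: a broad group may release, delete or re-ACL this mutex");
                    weak++;
                }
            }
        }
        return weak;
    }

    static void Main(string[] args)
    {
        string name = args.Length > 0 ? args[0] : "SHIMLIB_LOG_MUTEX";
        try { Console.WriteLine("{0}: {1} weak rule(s)", name, Audit(name)); }
        catch (WaitHandleCannotBeOpenedException) { Console.WriteLine("{0}: no such mutex", name); }
        catch (UnauthorizedAccessException) { Console.WriteLine("{0}: access denied reading the DACL", name); }
    }
}
```

Run it against the mutex from the WinDBG session and the two printed masks (0x001f0001 for S-1-5-18, 0x00120001 for S-1-5-32-544) should line up with the Ace[0] and Ace[1] entries from !sd; neither grants anything to a broad group, so it reports zero weak rules.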