author Jason A. Donenfeld <Jason@zx2c4.com> 2019-05-15 13:03:16 +0200
committer Jason A. Donenfeld <Jason@zx2c4.com> 2019-05-15 13:04:10 +0200
commit c883f79c9cbe950c3b7bafb0be189b4d075f9f50
tree 4ee114995fcf5989ea5d494ae8e276e52ba668c3 /attacksurface.md
parent service: move WTS upstream
ui: drop permissions
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'attacksurface.md')
1 files changed, 1 insertions, 0 deletions
diff --git a/attacksurface.md b/attacksurface.md
index f843cc75..f2b56d08 100644
--- a/attacksurface.md
+++ b/attacksurface.md
@@ -36,6 +36,7 @@ The manager service is a userspace service running as Local System, responsible
The UI is a process running for each user who is in the Administrators group (per the above), running with the elevated high integrity linked token. It exposes:
- Since the UI process is executed with an elevated token, it runs at high integrity and should be immune to various shatter attacks, modulo the great variety of clever bypasses in the latest Windows release.
+ - It uses `AdjustTokenPrivileges` to remove all privileges.
- It renders highlighted config files to a msftedit.dll control, which typically is capable of all sorts of OLE and RTF nastiness that we make some attempt to avoid.
### Updates
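Review bot: The added bullet "It uses `AdjustTokenPrivileges` to remove all privileges" does not say whether the privileges are removed (the `SE_PRIVILEGE_REMOVED` attribute) or only disabled, and in an attack-surface document that distinction matters: a disabled privilege can be re-enabled by any code that ends up running inside the UI process, while a removed one cannot. Suggest stating which of the two the UI does, and noting that the high integrity level and Administrators group membership described in the paragraph above are unaffected by this call, so readers do not take the bullet as a full de-elevation. The bullet also sits under "It exposes:" although it describes a mitigation rather than exposed surface; a short "which limits the impact of the items below" clause would make its role in the list clear. Minor: the commit subject says "permissions" while the text says "privileges"; the latter is the accurate term for what `AdjustTokenPrivileges` changes.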