-rw-r--r--attacksurface.md1
-rw-r--r--main.go4
-rw-r--r--service/service_tunnel.go2
-rw-r--r--service/tokens.go2
4 files changed, 7 insertions, 2 deletions
diff --git a/attacksurface.md b/attacksurface.md
index f843cc75..f2b56d08 100644
--- a/attacksurface.md
+++ b/attacksurface.md
@@ -36,6 +36,7 @@ The manager service is a userspace service running as Local System, responsible
The UI is a process running for each user who is in the Administrators group (per the above), running with the elevated high integrity linked token. It exposes:
- Since the UI process is executed with an elevated token, it runs at high integrity and should be immune to various shatter attacks, modulo the great variety of clever bypasses in the latest Windows release.
+ - It uses `AdjustTokenPrivileges` to remove all privileges.
- It renders highlighted config files to a msftedit.dll control, which typically is capable of all sorts of OLE and RTF nastiness that we make some attempt to avoid.
### Updates
diff --git a/main.go b/main.go
index 0ed7bfa8..fa6d4e53 100644
--- a/main.go
+++ b/main.go
@@ -171,6 +171,10 @@ func main() {
if len(os.Args) != 6 {
usage()
}
+ err := service.DropAllPrivileges()
+ if err != nil {
+ fatal(err)
+ }
readPipe, err := pipeFromHandleArgument(os.Args[2])
if err != nil {
fatal(err)
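Review bot: The added `err := service.DropAllPrivileges()` leaves a package-scoped-looking `err` alive for the rest of main only so the next `readPipe, err :=` can reuse it; since nothing between the two calls reads it, the idiomatic form is the scoped initializer `if err := service.DropAllPrivileges(); err != nil { fatal(err) }`, which keeps the `readPipe, err :=` line below untouched and makes it obvious the drop is a fire-and-fail-fast step. A one-line why-comment above the call would also help the next reader, e.g. `// Drop token privileges before touching the inherited pipe handles; see attacksurface.md.` — the ordering before any argument parsing is the right one, and it deserves to be stated. One caveat worth a comment at this call site: per the attacksurface.md hunk the drop is done with AdjustTokenPrivileges, which removes privileges from the token but does not change the Administrators SID or the high-integrity level the UI process runs at, so this narrows rather than eliminates what a compromised UI could do. If the implementation only checks AdjustTokenPrivileges' return value (body not visible here), be aware it reports success with ERROR_NOT_ALL_ASSIGNED when some privileges were not adjusted; confirm DropAllPrivileges treats that as a failure. main's body starts and ends outside the hunk.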
diff --git a/service/service_tunnel.go b/service/service_tunnel.go
index 3c09ed77..be1eff69 100644
--- a/service/service_tunnel.go
+++ b/service/service_tunnel.go
@@ -151,7 +151,7 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest,
}
logger.Info.Println("Dropping all privileges")
- err = dropAllPrivileges()
+ err = DropAllPrivileges()
if err != nil {
serviceError = ErrorDropPrivileges
return
diff --git a/service/tokens.go b/service/tokens.go
index dba4cd62..f203f268 100644
--- a/service/tokens.go
+++ b/service/tokens.go
@@ -61,7 +61,7 @@ func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
return isAdmin
}
-func dropAllPrivileges() error {
+func DropAllPrivileges() error {
processHandle, err := windows.GetCurrentProcess()
if err != nil {
return err