From a464a86c6d8368df784a365c88fbc279a737c87c Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Wed, 15 May 2019 13:00:56 +0200 Subject: service: move WTS upstream Signed-off-by: Jason A. Donenfeld --- attacksurface.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'attacksurface.md') diff --git a/attacksurface.md b/attacksurface.md index d9b32f5a..f843cc75 100644 --- a/attacksurface.md +++ b/attacksurface.md @@ -29,7 +29,7 @@ The manager service is a userspace service running as Local System, responsible - A readable `CreateFileMapping` handle to a binary ringlog shared by all services, inherited by the UI process. - It listens for service changes in tunnel services according to the string prefix "WireGuardTunnel$". - It manages DPAPI-encrypted configuration files in Local System's local appdata directory, and makes some effort to enforce good configuration filenames. - - It uses `WTSEnumerateSessions` and `WTS_SESSION_NOTIFICATION` to walk through each available session. It then uses `WTSQueryUserToken`, and then calls `GetTokenInformation(TokenGroups)` on it. If one of the returned group's SIDs matches `CreateWellKnownSid(WinBuiltinAdministratorsSid)`, and has attributes of either `SE_GROUP_ENABLED` or `SE_GROUP_USE_FOR_DENY_ONLY` and calling `GetTokenInformation(TokenElevation)` on it or its `TokenLinkedToken` indicates that either is elevated, then it spawns the UI process as that the elevated user token, passing it three unnamed pipe handles for IPC and the log mapping handle, as described above. + - It uses `WTSEnumerateSessions` and `WTSSESSION_NOTIFICATION` to walk through each available session. It then uses `WTSQueryUserToken`, and then calls `GetTokenInformation(TokenGroups)` on it. If one of the returned group's SIDs matches `CreateWellKnownSid(WinBuiltinAdministratorsSid)`, and has attributes of either `SE_GROUP_ENABLED` or `SE_GROUP_USE_FOR_DENY_ONLY` and calling `GetTokenInformation(TokenElevation)` on it or its `TokenLinkedToken` indicates that either is elevated, then it spawns the UI process as that the elevated user token, passing it three unnamed pipe handles for IPC and the log mapping handle, as described above. ### UI -- cgit v1.2.3-59-g8ed1b