-1

I have two applications:

the first one: running with SYSTEM privileges, started by a service, and the second one: still running as SYSTEM but with lower privileges (SE_GROUP_INTEGRITY = "S-1-16-4096")

I want both applications to communicate over shared memory. Both need to read and write.

In my first application I create the file mapping with specific SECURITY_ATTRIBUTES I learned from this post: How to share memory between services and user processes?

SECURITY_ATTRIBUTES attributes;
ZeroMemory(&attributes, sizeof(attributes));
attributes.nLength = sizeof(attributes);
ConvertStringSecurityDescriptorToSecurityDescriptor(
    L"D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GWR;;;IU)",
    SDDL_REVISION_1,
    &attributes.lpSecurityDescriptor,
    NULL);
HANDLE test = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 1024, "Global\\Test");

Everything works as expected, but if I then try to open the file mapping in my second application, it crashes with an access violation at OpenFileMapping.

HANDLE test = OpenFileMapping(FILE_ALL_ACCESS, FALSE, 1024, "Global\\Test");
StillWaters77

  • Actually crashing or just failing? You seem to be mixing Ansi and Unicode, post your real code that actually compiles. – Anders May 03 '19 at 21:24
  • `OpenFileMapping` takes only 3 arguments: `dwDesiredAccess`, `bInheritHandle`, and `lpName`. Also, the requested access should be `FILE_MAP_ALL_ACCESS` (0x000F001F), not `FILE_ALL_ACCESS` (0x001F01FF). – Eryk Sun May 03 '19 at 21:38
  • Also, don't assume that SeCreateGlobalPrivilege is enabled, even if it should be enabled by default. Make sure the service enables it for the process at startup. – Eryk Sun May 03 '19 at 21:47
  • You need to use a mandatory label in the security descriptor. Set *D:PNO_ACCESS_CONTROLS:(ML;;NW;;;LW)* – RbMm May 03 '19 at 22:19
  • And you do not use `attributes` in the call to `CreateFileMapping` – RbMm May 03 '19 at 22:33
  • @eryksun thank you, that was a really stupid mistake! – StillWaters77 May 04 '19 at 12:57

1 Answer

1

If you want to allow access to the object for Low Integrity code, you need to add a Low mandatory level (SDDL_ML_LOW) integrity label (SDDL_MANDATORY_LABEL) to the security descriptor. For example:

"D:PNO_ACCESS_CONTROLS:(ML;;NW;;;LW)"

So in general the code is as follows:

#include <windows.h>
#include <sddl.h>

// Creates a named section whose DACL is NULL (NO_ACCESS_CONTROL: no DACL-based
// restriction) and whose SACL carries a Low mandatory label with the
// no-write-up policy, so a Low-integrity caller passes the integrity check.
ULONG CreateSectionWithLowAccess(PHANDLE SectionHandle, ULONG dwMaximumSize, PCWSTR lpName)
{
    SECURITY_ATTRIBUTES sa = { sizeof(sa) };

    if (ConvertStringSecurityDescriptorToSecurityDescriptorW(L"D:PNO_ACCESS_CONTROLS:(ML;;NW;;;LW)", 
        SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
    {
        // Pass &sa here; the question's code passed NULL and so never applied the descriptor.
        *SectionHandle = CreateFileMappingW(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE, 0, dwMaximumSize, lpName);

        // The descriptor is copied into the object; free the buffer the SDDL conversion allocated.
        LocalFree(sa.lpSecurityDescriptor);

        return *SectionHandle ? NOERROR : GetLastError();
    }

    return GetLastError();
}
RbMm
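Added example, not code from the question or from RbMm's answer. Part 1 is a portable model of the mandatory integrity check that the Low-integrity process runs into at OpenFileMapping: it reads the "(ML;;policy;;;level)" ACE out of an SDDL string and decides whether a caller at a given integrity level gets read or write access, so the asker's original descriptor (no label, which the kernel treats as Medium with no-write-up) and the labelled one from the answer can be compared on any platform. Part 2 (Windows only) is the creator/opener pair with the fixes the comments ask for: the SECURITY_ATTRIBUTES is actually passed, OpenFileMapping gets its three real arguments with FILE_MAP_ALL_ACCESS, and SeCreateGlobalPrivilege is enabled before a Global\ name is created. The SDDL string `SECTION_SDDL` and the function names `parse_ml_label`, `ml_allows`, `low_il_can_map_rw`, `EnablePrivilege`, `CreateSharedSection` and `OpenSharedSection` are this example's own choices; the descriptor uses an explicit DACL (SYSTEM and Administrators) rather than the NULL DACL that NO_ACCESS_CONTROL produces, because a NULL DACL lets every caller through the discretionary check.

```c
/* Added example, not from the thread. Part 1: portable model of the Windows
 * mandatory integrity check driven by the (ML;;policy;;;level) SDDL ACE.
 * Part 2 (Windows only): creator/opener pair with the fixes from the comments. */
#include <stdbool.h>
#include <string.h>

/* SECURITY_MANDATORY_*_RID (the <rid> in S-1-16-<rid>); 4096 = IL_LOW. */
enum { IL_UNTRUSTED = 0x0000, IL_LOW = 0x1000, IL_MEDIUM = 0x2000,
       IL_HIGH = 0x3000, IL_SYSTEM = 0x4000 };
/* SYSTEM_MANDATORY_LABEL_NO_*_UP policy bits, SDDL tokens NW / NR / NX. */
enum { NO_WRITE_UP = 1, NO_READ_UP = 2, NO_EXECUTE_UP = 4 };

struct ml_label { bool present; unsigned level; unsigned policy; };

/* Pull the mandatory-label ACE out of an SDDL string. Handles only the
 * abbreviated forms used in the thread (LW/ME/HI/SI, NW/NR/NX). An object
 * with no label is treated the way the kernel treats it: Medium, no-write-up. */
struct ml_label parse_ml_label(const char *sddl)
{
    struct ml_label l = { false, IL_MEDIUM, NO_WRITE_UP };
    const char *p = strstr(sddl, "(ML;");            /* (ML;flags;policy;;;sid) */
    if (!p || !(p = strchr(p + 4, ';'))) return l;   /* skip "(ML;" and ace flags */
    unsigned policy = 0;
    for (++p; *p && *p != ';'; p += 2) {             /* policy tokens are concatenated */
        if      (!strncmp(p, "NW", 2)) policy |= NO_WRITE_UP;
        else if (!strncmp(p, "NR", 2)) policy |= NO_READ_UP;
        else if (!strncmp(p, "NX", 2)) policy |= NO_EXECUTE_UP;
        else return l;                               /* unknown token: keep defaults */
    }
    const char *sid = strstr(p, ";;;");              /* empty guid fields, then the level SID */
    if (!sid) return l;
    sid += 3;
    if      (!strncmp(sid, "LW", 2)) l.level = IL_LOW;
    else if (!strncmp(sid, "ME", 2)) l.level = IL_MEDIUM;
    else if (!strncmp(sid, "HI", 2)) l.level = IL_HIGH;
    else if (!strncmp(sid, "SI", 2)) l.level = IL_SYSTEM;
    else return l;
    l.present = true;
    l.policy = policy;
    return l;
}

/* The integrity check itself: policy bits only apply when the object's label
 * is above the caller's token integrity level. */
bool ml_allows(struct ml_label obj, unsigned caller_level, bool want_read, bool want_write)
{
    if (caller_level >= obj.level) return true;
    if (want_write && (obj.policy & NO_WRITE_UP)) return false;
    if (want_read  && (obj.policy & NO_READ_UP))  return false;
    return true;
}

/* Would a Low-IL process get FILE_MAP_ALL_ACCESS (read + write) past the label? */
bool low_il_can_map_rw(const char *sddl)
{
    return ml_allows(parse_ml_label(sddl), IL_LOW, true, true);
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>

/* Assumed descriptor: explicit DACL (SYSTEM and Administrators) instead of the
 * NULL DACL that NO_ACCESS_CONTROL yields, plus the Low / no-write-up label. */
#define SECTION_SDDL L"D:P(A;;GA;;;SY)(A;;GA;;;BA)S:(ML;;NW;;;LW)"

static BOOL EnablePrivilege(LPCWSTR name)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp = { 1 };
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok)) return FALSE;
    BOOL ok = LookupPrivilegeValueW(NULL, name, &tp.Privileges[0].Luid);
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ok = ok && AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL)
            && GetLastError() == ERROR_SUCCESS;      /* catches ERROR_NOT_ALL_ASSIGNED */
    CloseHandle(tok);
    return ok;
}

/* Service side: create the Global\ section with the descriptor actually attached. */
HANDLE CreateSharedSection(LPCWSTR name, DWORD size)
{
    SECURITY_ATTRIBUTES sa = { sizeof(sa) };
    if (!EnablePrivilege(L"SeCreateGlobalPrivilege")) return NULL;  /* needed for Global\ */
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(SECTION_SDDL, SDDL_REVISION_1,
                                                              &sa.lpSecurityDescriptor, NULL))
        return NULL;
    HANDLE h = CreateFileMappingW(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE, 0, size, name);
    LocalFree(sa.lpSecurityDescriptor);
    return h;
}

/* Low-IL side: three arguments and FILE_MAP_ALL_ACCESS, not FILE_ALL_ACCESS. */
LPVOID OpenSharedSection(LPCWSTR name, DWORD size)
{
    HANDLE h = OpenFileMappingW(FILE_MAP_ALL_ACCESS, FALSE, name);
    if (!h) return NULL;
    LPVOID view = MapViewOfFile(h, FILE_MAP_ALL_ACCESS, 0, 0, size);
    CloseHandle(h);                   /* the mapped view keeps the section alive */
    return view;
}
#endif
```

Running `low_il_can_map_rw` over the asker's descriptor returns false (no label, so the implicit Medium/no-write-up label blocks a Low caller asking for write access), while both the answer's string and `SECTION_SDDL` return true. The integrity check runs before the DACL, so the label only decides whether the DACL is consulted at all; the DACL still has to grant the Low-integrity SYSTEM process its access, which is why the example keeps an explicit SY entry instead of a NULL DACL.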