Inspired by GRSecurity's analysis of the Linux capabilities model, I thought I’d take a quick look at how Windows fares. The following is a brief analysis of the threats associated with each Se* privilege.

To be clear, the context of this analysis is the case where you land in a service account that has one or more of these privileges. It should be acknowledged that if you land in a privileged account then you can request and then use any of these privileges to perform horizontal privilege traversal to other users on the host or domain. A good example might be a service which otherwise runs with an unprivileged account but which has been granted access to SeDebugPrivilege via the local security policy.

| Privilege | Group/local security policy | Description | Practical attack | Tool |
|---|---|---|---|---|
| SeCreateTokenPrivilege | Create a token object | Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. | ? | ? |
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Allows a parent process to replace the access token that is associated with a child process. | Attacker exploits an application that has an impersonation token and uses it to spawn another process as the impersonated user. | Incognito, Churrasco |
| SeLockMemoryPrivilege | Lock pages in memory | Allows a process to keep data in physical memory, which prevents the system from paging data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. | ? | ? |
| SeIncreaseQuotaPrivilege | Increase quotas | Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial of service attack. | ? | ? |
| SeUnsolicitedInputPrivilege | ? | Required to read unsolicited input from a terminal device. It is obsolete and unused. It has no effect on the system. | ? | ? |
| SeMachineAccountPrivilege | Add workstations to the domain | Allows a user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain. A user who has this privilege can add up to 10 workstations to the domain. | ? | ? |
| SeTcbPrivilege | Act as part of the operating system | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | ? | ? |
| SeSecurityPrivilege | Manage auditing and security log | Determines which users can specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. | ? | ? |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects? | Allows the user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, Registry keys, processes, and threads. | Take ownership of a file that would otherwise be inaccessible | TakeOwn – part of Windows |
| SeLoadDriverPrivilege | Load and unload device drivers | Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; only Administrators can install these device drivers. Note that device drivers run as Trusted (highly privileged) processes; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources. | Create a malicious plug and play device? | ? |
| SeSystemProfilePrivilege | Profile system performance | Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes. | User runs performance monitoring tools and infers what other users are doing from the resource usage profile | Standard tools that come with Windows – |
| SeSystemtimePrivilege | Change the system time | Allows the user to set the time for the internal clock of the computer. | ? | ? |
| SeProfileSingleProcessPrivilege | Profile a single process | Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes. | ? | ? |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Allows a process that has Write Property access to another process to increase the execution priority of the other process. | ? | ? |
| SeCreatePagefilePrivilege | Create a pagefile | Allows the user to create and change the size of a pagefile. | ? | ? |
| SeCreatePermanentPrivilege | Create permanent shared objects | Allows a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that extend the Windows 2000 object namespace. Components that are running in kernel mode already have this privilege; it is not necessary to assign it to them. | ? | ? |
| SeBackupPrivilege | Backup files and directories | Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when the application attempts to access through the NTFS backup application interface. Otherwise normal file and directory permissions apply. | Copy files | NSCopy |
| SeRestorePrivilege | Restore files and directories | Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. | Change permissions, probably overwrite too | SetOwner |
| SeShutdownPrivilege | Shutdown the system | Allows a user to shut down the local computer. | n/a | n/a |
| SeDebugPrivilege | Debug programs | Allows the user to attach a debugger to any process. | Manipulate processes | Incognito, debugger |
| SeAuditPrivilege | Generate security audits | Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access and other security relevant activities. | ? | ? |
| SeSystemEnvironmentPrivilege | Modify firmware environment values | Allows modification of system environment variables either by a process through an API or by a user through the System Properties applet. | Change where things get run from, brick the system | Bricks Samsung laptops |
| SeChangeNotifyPrivilege | Bypass traverse checking | Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft Windows file system or in the Registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. | ? | ? |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Allows a user to shut down a computer from a remote location on the network. | n/a | n/a |
| SeUndockPrivilege | Remove computer from docking station | Allows a user of a portable computer to unlock the computer by clicking Eject PC on the Start menu. | n/a | n/a |
| SeSyncAgentPrivilege | Synchronize directory service data | Allows a service to provide directory synchronization services. This privilege is relevant only on Domain Controllers. Required for a domain controller to use the LDAP directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. | ? | ? |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Allows the user to change the Trusted for Delegation setting on a user or computer in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flag on the object. | ? | ? |
| SeManageVolumePrivilege | Perform volume maintenance tasks | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files into memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. | ? | ? |
| SeImpersonatePrivilege | Impersonate a client after authentication | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user’s permissions to administrative or system levels. | Basically, if you can run code under any service in Win2k3 then you can own Windows, because Windows service accounts can impersonate. Other processes (not services) that can impersonate are IIS 6 worker processes, so if you can run code from an ASP.NET or classic ASP web application then you can own Windows too. If you provide shared hosting services then it is recommended that users are not permitted to run this kind of code from ASP. | Churrasco, Incognito |
| SeCreateGlobalPrivilege | Create global objects | This user right is required for a user account to create global objects during Terminal Services sessions. Users can still create session-specific objects without being assigned this user right. | ? | ? |
| SeCreateSymbolicLinkPrivilege (Vista+) | Create symbolic links | This privilege is required to create a symbolic link. | There have been a number of vulnerabilities which are exploitable through the manipulation of system objects such as files and registry keys using symbolic links. Notably, this included MS10-021, | ? |
| SeIncreaseWorkingSetPrivilege (Vista+) | Increase a process working set | This user right allows a user to allocate more memory for applications that run in the context of users. | ? | ? |
| SeRelabelPrivilege (Vista+) | Modify an object label | This privilege is required by users to modify the mandatory integrity level of an object. | ? | ? |
| SeTimeZonePrivilege (Vista+) | Change the time zone | This user right is required to allow the user to change the timezone. | ? | ? |
| SeTrustedCredManAccessPrivilege (Vista+) | Access Credential Manager as a trusted caller | This privilege is required to access Credential Manager as a trusted caller. | ? | ? |

As you can see, where I am aware of a technique and/or tool that enables the practical exploitation of a privilege, the table includes this information. It would of course be awesome to have tools to exploit them all, so if you’re aware of any omissions, or you fancy filling a gap, feel free to let us know. Hopefully we’ll see some examples from our team in due course.

Note: Whilst side channel and/or denial-of-service attacks are a potential avenue with some of these privileges, I haven’t as yet found any particularly useful examples.
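A defender's check for the scenario described above, where a service account has been granted one of these privileges through the local security policy (added example, not part of the original post): it parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and reports holders outside a baseline for the privileges the table lists with a practical attack. The sample export, the `svc_reporting` account, the domain SID and the baseline are constructed assumptions.

```python
# Added example: audit a user-rights export for privileges that the table
# above lists with a practical attack. secedit writes the file as UTF-16,
# so read it with encoding="utf-16" before passing the text in.

RISKY = {  # rows of the table whose "Practical attack" column is filled in
    "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeDebugPrivilege", "SeSystemEnvironmentPrivilege",
    "SeImpersonatePrivilege", "SeCreateSymbolicLinkPrivilege",
}

def parse_privilege_rights(inf_text):
    """Return {privilege: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            # SIDs are written as *S-1-...; unresolved names have no asterisk.
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in holders.split(",") if h.strip()]
    return rights

def unexpected_holders(inf_text, baseline):
    """List (privilege, holder) pairs for risky privileges held outside baseline."""
    rights = parse_privilege_rights(inf_text)
    return [(priv, holder)
            for priv in sorted(rights) if priv in RISKY
            for holder in rights[priv] if holder not in baseline]

# Constructed sample export and baseline (assumptions, not real data).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,svc_reporting
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""
# Administrators, Backup Operators, LOCAL SERVICE, NETWORK SERVICE, SERVICE
BASELINE = {"S-1-5-32-544", "S-1-5-32-551", "S-1-5-19", "S-1-5-20", "S-1-5-6"}

if __name__ == "__main__":
    for priv, holder in unexpected_holders(SAMPLE_INF, BASELINE):
        print(f"review: {holder} holds {priv}")
```

The baseline is site-specific: replace it with the SIDs your own build standard expects to hold each right.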