March 14th, 2008

If you grant somebody SeDebugPrivilege, you gave away the farm

By default, users can debug only processes that they own. In order to debug processes owned by other users, you have to possess the SeDebugPrivilege privilege. But don’t grant this privilege casually, because once you do, you gave away the farm. If you let users debug processes owned by other users, then they can debug processes owned by System, at which point they can inject code into the process and perform the logical equivalent of net localgroup administrators anybody /add, thereby elevating themselves (or anybody else) to administrator. If SeDebugPrivilege is equivalent to granting administrator privileges, why does it exist at all? It’s not so much to protect the system as it is to protect the user. It’s like the safety cover over the emergency power-off button. The purpose is merely to prevent you from pushing the button by mistake. If you’re a developer debugging a service, you can turn on SeDebugPrivilege so you can debug the service, without turning on all the other administrative privileges. That way, you can’t accidentally delete a critical file, for example.

The security investigations team have to deal with people who fail to understand that SeDebugPrivilege is (from a security perspective) equivalent to administrator. In one case, the finder contacted not the Microsoft Security Response Center but rather sent their “exploit” to high-level executives, who then had to transfer the issue to MSRC. And when informed of the misunderstanding, the finder just responded with a one-page rambling manifesto. As much as you are tempted to “just ignore the crazy guy”, every reported security vulnerability must still be taken seriously. There might be something in there buried inside all the craziness. After all, they said Galileo was crazy.

Topics
Other

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.