April 5th, 2010

When people ask for security holes as features: Non-administrators reading other users' stuff

Via the suggestion box, Aaron Lerch asks whether a non-administrator can retrieve or evaluate environment variables as they would appear for another user. This falls into the category of asking for a security hole as a feature, specifically an information disclosure hole, because you would be extracting information from a user's private data, which is protected by access controls that do not grant everybody access. Generally speaking, users have full access to their own data, as does the operating system itself, but nobody else does. Administrators can get at the data by taking ownership and modifying the ACL, or by using security overrides like SeDebugPrivilege (which lets them open another user's process, and with it that user's token, regardless of the process's own ACL), but those are the exceptions to the general idea. And certainly, unprivileged users do not have access to the data of other unprivileged users.

The way to get a user's initial environment variables is to call the CreateEnvironmentBlock function, passing a token for the user you are interested in. Obtaining that token is where the access check happens: you can open a token only for processes or logon sessions you are allowed to open. Note that this is more than just scraping the registry, because you also have to take into account group policy objects and the possibility that the information in the registry is stale because it came from a cached roaming profile.
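As an added example (not code from the original post), the following PowerShell P/Invokes CreateEnvironmentBlock with the token of a chosen process, parses the returned double-NUL-terminated block, and shows both halves of the argument above: reading your own initial environment works, while opening a process that belongs to another account fails at OpenProcess with access denied unless you are an administrator with SeDebugPrivilege enabled. The function name Get-InitialEnvironment, the choice of winlogon as the "other user's process", and the PowerShell-on-Windows requirement are this example's own assumptions; the access-mask constants are the documented Win32 values.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 5.1 or
# PowerShell 7 on Windows. Function name and sample process are this example's choices.
if (-not ('NativeEnv' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeEnv {
    [DllImport("userenv.dll", SetLastError = true)]
    public static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, IntPtr hToken, bool bInherit);
    [DllImport("userenv.dll", SetLastError = true)]
    public static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
}

$PROCESS_QUERY_INFORMATION = 0x0400
$TOKEN_QUERY               = 0x0008
$TOKEN_DUPLICATE           = 0x0002   # CreateEnvironmentBlock requires this on a primary token

function Get-InitialEnvironment {
    # Returns an ordered table of NAME=VALUE pairs as the owner of -ProcessId sees them
    # at logon. Default is our own process. For a process owned by another account,
    # OpenProcess fails with ERROR_ACCESS_DENIED (5) unless the caller is an administrator
    # with SeDebugPrivilege enabled: that refusal is the access control the post describes.
    param([uint32]$ProcessId = $PID)

    $hProc = [NativeEnv]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $hToken = [IntPtr]::Zero
    $block  = [IntPtr]::Zero
    try {
        if (-not [NativeEnv]::OpenProcessToken($hProc, ($TOKEN_QUERY -bor $TOKEN_DUPLICATE), [ref]$hToken)) {
            throw "OpenProcessToken failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # bInherit = $false: do not merge our own process environment into the result, so
        # what comes back reflects only the registry, the profile and policy for that user.
        if (-not [NativeEnv]::CreateEnvironmentBlock([ref]$block, $hToken, $false)) {
            throw "CreateEnvironmentBlock failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # The block is a run of NUL-terminated UTF-16 strings, ended by an empty string.
        $result = [ordered]@{}
        $offset = 0
        while ($true) {
            $entry = [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr]($block.ToInt64() + $offset))
            if ([string]::IsNullOrEmpty($entry)) { break }
            $offset += ($entry.Length + 1) * 2      # advance past the string and its NUL (2 bytes per char)
            # Split on the first '=' after position 0; hidden names such as "=C:" begin with '='.
            $eq = $entry.IndexOf('=', 1)
            if ($eq -gt 0) { $result[$entry.Substring(0, $eq)] = $entry.Substring($eq + 1) }
        }
        return $result
    } finally {
        if ($block  -ne [IntPtr]::Zero) { [void][NativeEnv]::DestroyEnvironmentBlock($block) }
        if ($hToken -ne [IntPtr]::Zero) { [void][NativeEnv]::CloseHandle($hToken) }
        [void][NativeEnv]::CloseHandle($hProc)
    }
}

# Our own initial environment: always permitted.
(Get-InitialEnvironment).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Somebody else's: winlogon runs as SYSTEM, so as a non-administrator this reports
# "Win32 error 5" (access denied) from OpenProcess rather than any environment data.
$other = Get-Process -Name winlogon -ErrorAction SilentlyContinue | Select-Object -First 1
if ($other) { try { Get-InitialEnvironment -ProcessId $other.Id } catch { Write-Warning $_ } }
```

The point to notice is that CreateEnvironmentBlock itself never decides who may see what; the decision was already made when OpenProcess and OpenProcessToken checked the target's ACL against your token. A caller who can legitimately obtain another user's token (a service calling LogonUser with that user's credentials, for instance) can pass it in the same way; a caller who cannot gets nothing, which is exactly the behaviour the post describes.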

Topics
Other

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.
