
Problem with NtCreateToken()


Andrew Borodin

Feb 13, 2001, 5:40:22 AM2/13/01
I have a problem which may be described as follows. I've got a service
running on a server under the LocalSystem account. Users can make a request
to perform some action in response to some event which will occur sometime
in the future. I want this action to run with the permissions of the user who
made the request. All I have is the SID of this user. It's possible to check
the access rights manually via calls to GetEffectiveRightsFromAcl(), but
I want to obtain his token and impersonate some thread to perform the action.

I found the undocumented function NtCreateToken() in ntdll.dll which expects
52 bytes on the stack as parameters, and I guess the syntax is:
/* from NtSecPkg.h */
typedef NTSTATUS
(NTAPI LSA_CREATE_TOKEN) (
IN PLUID LogonId,
IN PTOKEN_SOURCE TokenSource,
IN SECURITY_LOGON_TYPE LogonType,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
IN PVOID TokenInformation,
IN PTOKEN_GROUPS TokenGroups,
IN PUNICODE_STRING AccountName,
IN PUNICODE_STRING AuthorityName,
IN PUNICODE_STRING Workstation,
IN PUNICODE_STRING ProfilePath,
OUT PHANDLE Token,
OUT PNTSTATUS SubStatus
);

So I filled all the structures needed and called NtCreateToken(). It
returned ERR_NOACCESS (Invalid access to memory location). I think the
structures must be allocated in a special way but I don't know how.

Could you help me with this?

Thanks in advance,
Andrew Borodin.

Stronin Sergey

Feb 13, 2001, 11:01:17 AM2/13/01
Looks like you cannot use this declaration (from NtSecPkg.h, LSA API) for
a native API call. I have reverse-engineered the declaration of NtCreateToken on
the kernel side:

NTSTATUS CSecurityMonitor::NtCreateToken(
PHANDLE phToken,
ULONG uParam2,
PSECURITY_QUALITY_OF_SERVICE pQos,
TOKEN_TYPE Type,
PLUID pLuid1,
PLUID pLuid2,
PTOKEN_USER pUser,
PTOKEN_GROUPS pGroups,
PTOKEN_PRIVILEGES pPrivileges,
PTOKEN_PRIMARY_GROUP pGroup,
PTOKEN_OWNER pOwner,
PTOKEN_DEFAULT_DACL pDefDacl,
PTOKEN_SOURCE pSource);

Unfortunately, I have no idea about uParam2 yet; pLuid1 & pLuid2 are also in
doubt.
However, I have no doubt about pGroups, which has a different position in your
list.

WBR, SVS.
s...@infosec.ru

P.S. Your question woke me up. If some program, system service or not, can
create a user token without having the user's credentials, there is a security &
auditing flaw ... interesting ;)


Alex Fedotov

Feb 14, 2001, 1:19:48 AM2/14/01
Stronin Sergey <s...@infosec.ru> wrote:

> P.S. Your question woke me up. If some program, system service or not, can
> create a user token without having the user's credentials, there is a security &
> auditing flaw ... interesting ;)

It is not a flaw. NtCreateToken as well as LsaLogonUser, which can add arbitrary
SIDs to the token, both require TCB privilege.

--
Alex Fedotov,
3Cube, Inc.
www.3cube.com
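A worked version of what the thread converges on, added here as an example (it is not code from any of the posters): a Python/ctypes program that enables SeTcbPrivilege and calls NtCreateToken to build a primary token for a user of whom only the SID is known, which is Andrew's situation. The prototype it uses is the one later published in the public NT headers (TokenHandle, DesiredAccess, ObjectAttributes, TokenType, AuthenticationId, ExpirationTime, User, Groups, Privileges, Owner, PrimaryGroup, DefaultDacl, Source); that prototype, the token source name "SCHEDSVC", the choice of the SYSTEM logon session as AuthenticationId and the sample SIDs are my assumptions, not something the page states. The SID encoder and decoder run on any platform; the token call itself only works on Windows from an account holding SeTcbPrivilege, which is Alex's point.

```python
"""Added example: build a primary token for an arbitrary user SID with NtCreateToken.

sid_to_bytes/sid_from_bytes run anywhere; create_token_for_sid() is Windows-only and
must run as LocalSystem (or any account holding SeTcbPrivilege). The NtCreateToken
prototype below is the one from public NT headers, an assumption not taken from the thread.
"""
import ctypes
import struct
import sys
from ctypes import POINTER, Structure, byref, c_char, c_int, c_int64, c_ubyte, c_uint32, c_void_p, sizeof


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' as a binary SID: revision, subauthority count,
    48-bit big-endian identifier authority, then little-endian 32-bit subauthorities."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % (sid,))
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("identifier authority or subauthority out of range: %r" % (sid,))
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def sid_from_bytes(raw):
    """Inverse of sid_to_bytes; useful for reading a SID back out of a TOKEN_USER."""
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) < 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


# Native structures laid out as ntifs.h defines them; a wrong layout or prototype is
# exactly what surfaces as "invalid access to memory location".
class LUID(Structure):
    _fields_ = [("LowPart", c_uint32), ("HighPart", c_int)]

class SID_AND_ATTRIBUTES(Structure):
    _fields_ = [("Sid", c_void_p), ("Attributes", c_uint32)]

class TOKEN_USER(Structure):
    _fields_ = [("User", SID_AND_ATTRIBUTES)]

class TOKEN_OWNER(Structure):
    _fields_ = [("Owner", c_void_p)]

class TOKEN_PRIMARY_GROUP(Structure):
    _fields_ = [("PrimaryGroup", c_void_p)]

class TOKEN_PRIVILEGES(Structure):      # PrivilegeCount stays 0, so the array is omitted
    _fields_ = [("PrivilegeCount", c_uint32)]

class TOKEN_SOURCE(Structure):
    _fields_ = [("SourceName", c_char * 8), ("SourceIdentifier", LUID)]

class SECURITY_QUALITY_OF_SERVICE(Structure):
    _fields_ = [("Length", c_uint32), ("ImpersonationLevel", c_int),
                ("ContextTrackingMode", c_ubyte), ("EffectiveOnly", c_ubyte)]

class OBJECT_ATTRIBUTES(Structure):
    _fields_ = [("Length", c_uint32), ("RootDirectory", c_void_p), ("ObjectName", c_void_p),
                ("Attributes", c_uint32), ("SecurityDescriptor", c_void_p),
                ("SecurityQualityOfService", c_void_p)]

def token_groups(n):
    """TOKEN_GROUPS ends in a variable-length array, so the type is built per group count."""
    class TOKEN_GROUPS(Structure):
        _fields_ = [("GroupCount", c_uint32), ("Groups", SID_AND_ATTRIBUTES * n)]
    return TOKEN_GROUPS


SE_PRIVILEGE_ENABLED, SE_GROUP_MANDATORY, SE_GROUP_ENABLED = 0x2, 0x1, 0x4
TOKEN_ADJUST_PRIVILEGES, TOKEN_ALL_ACCESS, TokenPrimary, SecurityImpersonation = 0x20, 0xF01FF, 1, 2
SYSTEM_LUID = (0x3E7, 0)   # LocalSystem's logon session; AuthenticationId must name an existing session


def enable_privilege(name):
    """AdjustTokenPrivileges on the current process; NtCreateToken checks SeTcbPrivilege."""
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    class LUID_AND_ATTRIBUTES(Structure):
        _fields_ = [("Luid", LUID), ("Attributes", c_uint32)]

    class TOKEN_PRIVILEGES_1(Structure):
        _fields_ = [("PrivilegeCount", c_uint32), ("Privileges", LUID_AND_ATTRIBUTES * 1)]

    tp = TOKEN_PRIVILEGES_1(1)
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
    if not adv.LookupPrivilegeValueW(None, name, byref(tp.Privileges[0].Luid)):
        raise ctypes.WinError(ctypes.get_last_error())
    k32.GetCurrentProcess.restype = c_void_p
    adv.OpenProcessToken.argtypes = [c_void_p, c_uint32, POINTER(c_void_p)]
    handle = c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, byref(handle)):
        raise ctypes.WinError(ctypes.get_last_error())
    adv.AdjustTokenPrivileges.argtypes = [c_void_p, c_int, POINTER(TOKEN_PRIVILEGES_1), c_uint32, c_void_p, c_void_p]
    ok = adv.AdjustTokenPrivileges(handle, 0, byref(tp), 0, None, None)
    err = ctypes.get_last_error()       # ERROR_NOT_ALL_ASSIGNED (1300): the caller does not hold it
    k32.CloseHandle.argtypes = [c_void_p]
    k32.CloseHandle(handle)
    if not ok or err:
        raise ctypes.WinError(err)


def create_token_for_sid(user_sid, extra_group_sids=(), auth_id=SYSTEM_LUID):
    """Return a primary token handle for user_sid. Only the SID is known, so the token
    carries just Everyone plus extra_group_sids; NtCreateToken does not consult the
    directory, so real group membership has to be supplied by the caller."""
    if sys.platform != "win32":
        raise OSError("NtCreateToken is a Windows native API")
    enable_privilege("SeTcbPrivilege")
    ntdll, adv = ctypes.WinDLL("ntdll"), ctypes.WinDLL("advapi32")
    user_buf = ctypes.create_string_buffer(sid_to_bytes(user_sid))           # buffers must outlive the call
    group_bufs = [ctypes.create_string_buffer(sid_to_bytes(s)) for s in ("S-1-1-0",) + tuple(extra_group_sids)]
    Groups = token_groups(len(group_bufs))
    groups = Groups(len(group_bufs))
    for i, buf in enumerate(group_bufs):
        groups.Groups[i] = SID_AND_ATTRIBUTES(ctypes.addressof(buf), SE_GROUP_MANDATORY | SE_GROUP_ENABLED)
    user = TOKEN_USER(SID_AND_ATTRIBUTES(ctypes.addressof(user_buf), 0))
    owner = TOKEN_OWNER(ctypes.addressof(user_buf))
    primary = TOKEN_PRIMARY_GROUP(ctypes.addressof(group_bufs[0]))          # must be one of the token's SIDs
    privs = TOKEN_PRIVILEGES(0)
    source = TOKEN_SOURCE(b"SCHEDSVC", LUID())                              # assumed source name
    adv.AllocateLocallyUniqueId(byref(source.SourceIdentifier))
    qos = SECURITY_QUALITY_OF_SERVICE(sizeof(SECURITY_QUALITY_OF_SERVICE), SecurityImpersonation, 0, 0)
    oa = OBJECT_ATTRIBUTES(sizeof(OBJECT_ATTRIBUTES), None, None, 0, None, ctypes.addressof(qos))
    luid, expiry, handle = LUID(*auth_id), c_int64(0), c_void_p()
    ntdll.NtCreateToken.restype = c_uint32
    ntdll.NtCreateToken.argtypes = [
        POINTER(c_void_p), c_uint32, POINTER(OBJECT_ATTRIBUTES), c_int, POINTER(LUID), POINTER(c_int64),
        POINTER(TOKEN_USER), POINTER(Groups), POINTER(TOKEN_PRIVILEGES), POINTER(TOKEN_OWNER),
        POINTER(TOKEN_PRIMARY_GROUP), c_void_p, POINTER(TOKEN_SOURCE)]
    status = ntdll.NtCreateToken(byref(handle), TOKEN_ALL_ACCESS, byref(oa), TokenPrimary, byref(luid),
                                 byref(expiry), byref(user), byref(groups), byref(privs), byref(owner),
                                 byref(primary), None, byref(source))       # DefaultDacl omitted; set one in production
    if status != 0:
        raise OSError("NtCreateToken failed with NTSTATUS 0x%08X" % status)
    return handle.value   # hand to ImpersonateLoggedOnUser or CreateProcessAsUser
```

Run as LocalSystem, `create_token_for_sid("S-1-5-21-3623811015-3361044348-30300820-1013")` returns a handle that can be passed to ImpersonateLoggedOnUser or CreateProcessAsUser; run as a normal user it fails in enable_privilege with ERROR_NOT_ALL_ASSIGNED, which is the TCB gate Alex describes. Two practical caveats: the AuthenticationId has to name a logon session that already exists on the machine, which is why the SYSTEM session is reused here rather than a fresh LUID, and because only the SID is known the token carries no real group membership, so the access it grants is not the user's own until the caller adds the groups.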

