Today in a FaceBook group I'm a member of, someone made a post about a
remarkable result obtained from ChatGPT. I decided I would check it out,
using a problem that I struggled with for two months, then gave up an
implemented a less than optimal solution that fixed the problem but was not
exactly secure.
The problem in question was the problem caused when the rexxapi daemon gpt
created by a process with elevated privledges, which prevented processes
with non-elevated privledges from connecting to the rexxapi daemon via the
named pipe. I struggled for several months trying figure out the Windows
documenation for the security APIs and a lot of time in StackOverflow
trying to find some examples I could adapt. I came up empty and ended up
creating the pipe with no security restrictions.
So, today I asked ChatGPT how to create a named pipe that only users of the
same process could connect to. It immediately gave me a program that
created the named pipe using the same code we were using at first that had
the elevated permissions issues. Not what I was looking for, but impressive
nontheless.
I told ChatGPT has issues communicating between processes with elevated
permissions. It agreed with me and produced a new program that I *think*
might be exactly what is needed to close the security hole. I was truly
amazed!
I don't know if I'm interested in fixing this myself, nor if I'll have the
time. However, I want to post the code suggested by ChatGPT in case anyone
else wants to adapt it to rexxapi communcations.
Rick
#include <windows.h>#include <sddl.h>
int main(){
HANDLE hPipe;
SECURITY_ATTRIBUTES sa;
PSECURITY_DESCRIPTOR pSD;
PACL pACL;
HANDLE hToken;
DWORD dwSize;
TOKEN_USER *pUser;
PSID pSid;
SID_NAME_USE eUse;
WCHAR szUser[256];
DWORD cchUser = sizeof(szUser) / sizeof(WCHAR);
WCHAR szDomain[256];
DWORD cchDomain = sizeof(szDomain) / sizeof(WCHAR);
// Open the access token associated with the current process.
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
return GetLastError();
// Retrieve the size of the user SID.
if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize))
{
DWORD dwError = GetLastError();
if (dwError != ERROR_INSUFFICIENT_BUFFER)
return dwError;
}
// Allocate memory for the user SID.
pUser = (TOKEN_USER *)malloc(dwSize);
if (pUser == NULL)
return ERROR_OUTOFMEMORY;
// Retrieve the user SID.
if (!GetTokenInformation(hToken, TokenUser, pUser, dwSize, &dwSize))
{
DWORD dwError = GetLastError();
free(pUser);
return dwError;
}
// Obtain the user name and domain name
if (!LookupAccountSid(NULL, pUser->User.Sid, szUser, &cchUser,
szDomain, &cchDomain, &eUse))
{
DWORD dwError = GetLastError();
free(pUser);
return dwError;
}
// Create a new DACL.
if (!InitializeAcl(&pACL, sizeof(ACL), ACL_REVISION))
{
DWORD dwError = GetLastError();
free(pUser);
return dwError;
}
// Add an ACE to the DACL.
if (!AddAccessAllowedAce(pACL, ACL_REVISION, FILE_GENERIC_READ |
FILE_GENERIC_WRITE, pUser->User.Sid))
{
DWORD dwError = GetLastError();
free(pUser);
return dwError;
}
// Initialize a security descriptor.
if (!InitializeSecurityDescriptor(&pSD, SECURITY_DESCRIPTOR_REVISION))
{
DWORD dwError = GetLastError();
free(pUser);
return dwError;
}
// Set the DACL in the security descriptor.
if (!SetSecurityDescriptorDacl(&pSD, TRUE, pACL, FALSE))
{
DWORD dwError = GetLastError();
free(pUser);
return dwError;
}
// Initialize a security attributes structure.
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = &pSD;
sa.bInheritHandle = TRUE;
// Create the named pipe.
hPipe = CreateNamedPipe(
L"\\\\.\\pipe\\MyPipe",
PIPE_ACCESS_DUPLEX,
PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
PIPE_UNLIMITED_INSTANCES,
0,
0,
0,
&sa);
if (hPipe == INVALID_HANDLE_VALUE)
{
DWORD dwError = GetLastError();
free(pUser);
return dwError;
}
else
{
free(pUser);
return 0;
}}
_______________________________________________
Oorexx-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/oorexx-devel
