[Security Vulnerability] direct invocation of regedit via Process.Start()


Problem description

I've stumbled across a possible way to bypass UAC which seems kind of troublesome.

Normally inserting values into certain portions of the registry programmatically requires UAC Elevation to a user with administrative privileges on the target machine. Right?

That being said, should I be able to do this? The following code works under .NET 4.5 on Windows 8 AS-IS.

<pre lang="cs">using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Windows.Forms;

public void DisableTaskManager()
{
    try
    {
        // Recreate the .reg file in the current working directory.
        if (File.Exists("DisableTaskManager.reg"))
        {
            File.Delete("DisableTaskManager.reg");
        }
        using (FileStream registryFileStream = File.Create("DisableTaskManager.reg"))
        {
            // The .reg contents come from an embedded string resource, written as UTF-8 with a BOM.
            Byte[] registryFileContents = new UTF8Encoding(true).GetBytes(Properties.Resources.DisableTaskManager);
            registryFileStream.Write(registryFileContents, 0, registryFileContents.Length);
            registryFileStream.Close();
        }
    }
    catch (Exception Ex)
    {
        MessageBox.Show(Ex.ToString());
    }
    try
    {
        // Launch regedit as a child process; /s imports the file without confirmation dialogs.
        ProcessStartInfo startInfo = new ProcessStartInfo();
        startInfo.FileName = "regedit";
        startInfo.Arguments = "/s DisableTaskManager.reg";
        Process.Start(startInfo);
    }
    catch (Exception Ex)
    {
        MessageBox.Show(Ex.ToString());
    }
}</pre>

Is this something I'm missing, or is this another gross example of Microsoft security negligence?

Recommended answer

I don't think so. Starting from Vista, and reasonably set up, I think, only in Windows 7, UAC is not to be bypassed. I mean, you can bypass UAC only if the user gives an explicit permission. In particular, the whole UAC check can be disabled for a whole system, and then the system really becomes vulnerable, but if you try to do it automatically, your program cannot bypass the explicit UAC check with the user. It will either throw a permission exception, or, if you write the application "As administrator", the permission will be granted.

(You probably know that being logged on to Windows with Administrator privilege is not enough; you have to run each application with elevated privileges. Please see:
http://4sysops.com/archives/vista%E2%80%99s-uac-8-ways-how-to-elevate-an-application-to-run-it-with-administrator-rights/,
http://www.sevenforums.com/tutorials/11841-run-administrator.html.)

The only thing an application can initially do is to request elevated privileges from the very beginning, thus saving a user from the troublesome ceremony of choosing the "Run as Administrator" option described above. To do this for your application, you can create and embed an appropriate application manifest with the required UAC version. This is simple enough and is described here:
http://msdn.microsoft.com/en-us/library/bb756929.aspx.

If your application can do something like registry access every time you use it, or on a regular basis, this is a very reasonable thing to do. And of course, if you want to use Process.Start (which I don't recommend, it's better to use the Registry API or anything you can do to avoid starting a child process), your child process will also inherit the already elevated privileges. However, it won't bypass any UAC check. It means the request for the UAC dialog will be guaranteed to be presented to the user before any APIs requiring elevated access are called. If the user agrees, the application proceeds with elevated privileges; if not, the whole process will be safely terminated. Of course, this is much better than having a security exception when your application is already running.

I did not mention such a thing as "XP compatibility mode"; I just don't want to discuss it here. Of course it would make the system vulnerable. I hope this trash will go out of practice with time and will eventually be phased out. For application development, it's too sloppy to keep to the obsolete "don't care about security" practice. At the same time, keeping the application away from security-sensitive actions or otherwise requesting proper permissions is way too easy, so ignoring correct safety practices should not be a discussable option.



I just tried to reproduce it on Windows 7. The behavior was correct: it does request my confirmation with the UAC dialog. Something is wrong with your OS. Are you sure you did not lower the system security settings?

If you think the wrong part is having Windows 8, I don't know. I'm not going to try out Windows 8, because I don't consider it a serious OS, for some other, unrelated reasons. If you firmly maintain that it happens on Windows 8 installed by default, without disabling the UAC in system-wide settings, it will be yet another argument against ever using it.

After all, I tried out Vista, but even in a nightmare I could not imagine using it in real work. :-)



More detail on the test described above:

Windows 7 has the following options under the applet "Choose to be notified about changes to your computer". It has 4 options:


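  1. Always notify me when...
  2. Default - Notify me only when programs try to make changes to my computer

    Don't notify me when I make changes to Windows settings.
  3. [Same as above, plus "do not dim my desktop"]
  4. Never notify me...

I tried #1 and #2 (default). In both cases, I was prompted with the UAC dialog. Normally, I personally use option #1, "Always notify...".

Are you sure you use the same or an equivalent level of UAC notification on Windows 8?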



-SA
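
The behaviour the answer describes (a non-elevated process gets a permission exception rather than silently writing a protected key), shown with the Registry API the answer recommends over launching regedit. This is an added example, not code from the original thread; the key path `SOFTWARE\ExampleVendor\UacDemo` and the value name `Marker` are hypothetical, and the program is assumed to be built with the default `asInvoker` manifest.

```csharp
using System;
using System.Security.Principal;
using Microsoft.Win32;

static class UacRegistryCheck
{
    // Hypothetical key used only for this illustration.
    const string TestSubKey = @"SOFTWARE\ExampleVendor\UacDemo";

    // True only when the process token has the Administrators group enabled,
    // which under UAC means the process is running elevated.
    static bool IsElevated()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    // Writes a marker value through the Registry API, then removes the test key.
    static string TryWrite(RegistryKey hive, string hiveName)
    {
        try
        {
            using (RegistryKey key = hive.CreateSubKey(TestSubKey))
            {
                key.SetValue("Marker", 1, RegistryValueKind.DWord);
            }
            hive.DeleteSubKeyTree(TestSubKey, false);
            return hiveName + ": write succeeded";
        }
        catch (UnauthorizedAccessException)
        {
            // The outcome the answer describes for a non-elevated process.
            return hiveName + ": access denied, elevation required";
        }
    }

    static void Main()
    {
        Console.WriteLine("Elevated: " + IsElevated());
        Console.WriteLine(TryWrite(Registry.CurrentUser, "HKCU"));   // per-user hive
        Console.WriteLine(TryWrite(Registry.LocalMachine, "HKLM"));  // machine-wide hive
    }
}
```

Run it from a normal prompt and again from an elevated one: with default permissions the HKCU write succeeds either way, while the HKLM write succeeds only when the process is elevated.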

