I’ve got the power - enabling SeBackupPrivilege to make cmd.exe run on steroids

Grzegorz Tworek
3 min read · Aug 13, 2019


Let’s start from the beginning, keeping it as simple as possible: objects (in this case folders and files) have Access Control Lists (ACLs) that determine who has access to the data. Processes have tokens specifying who they are and what superpowers (privileges) they hold in the Windows OS.

Under normal conditions, the groups in the token are matched against the ACL to determine whether some operation (read, write, delete, etc.) is allowed. If a folder has only GroupX on its ACL and the process token says it belongs only to GroupY, you are not allowed to perform your action. The scenario is somewhat more complex in practice, as other factors such as inherited permissions, deny permissions, membership in multiple groups and so on exist in real environments. The fun begins when you have no permission to perform the intended action. Of course, you can try to take ownership and/or change permissions to grant yourself the required rights. This is quite simple but, at the same time, invasive, as it modifies the environment.

By default, the token is crafted when the user logs on, and the user’s processes then inherit it from their parent process. To make it even more complex, two tokens are usually in use: a limited one for regular work, and a more powerful one used for elevation with UAC.

And here the superpowers appear within your OS. The token contains not only group information but also the privileges assigned. You can easily view them with the “whoami /priv” command.

[Screenshot: privileges within the token]

For privileges, two things are important:

  1. Whether you have it in your token at all (this is the real protection, effectively granting or revoking the right),
  2. Whether it is enabled or not (more like a safety against accidental use; you can enable or disable it at any moment).

Here comes a simple example. As you can probably see, you have SeShutdownPrivilege in your token. The privilege is disabled. If you run shutdown.exe, the token is inherited, including the disabled SeShutdownPrivilege; the shutdown.exe utility then enables the privilege and shuts down the OS. Performing a shutdown without the privilege enabled is not allowed. Enabling it is very simple (with the AdjustTokenPrivileges API function), but if it is not in your list at all, you can do nothing.
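The two facts above, present versus enabled, are exactly what an administrator should separate when auditing a token. The following script is an added example, not code from the article or from the PSBits repository: it parses the table printed by `whoami /priv`, reports which privileges are merely held and which are live right now, and singles out the two ACL-bypassing privileges discussed below when they are present but dormant. The sample output embedded in it is constructed for offline use; the helper names are this example’s own.

```python
"""Audit the privileges in a Windows access token from `whoami /priv` output.

Added example (not the article's or the PSBits project's code). Separates
two facts: whether a privilege is PRESENT in the token at all, and whether
it is currently ENABLED. A present-but-disabled privilege is still granted;
it is only one AdjustTokenPrivileges call away from being live.
"""
import os
import shutil
import subprocess

# Privileges that, once enabled, let the holder ignore file-system ACLs.
HIGH_IMPACT = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Constructed sample of `whoami /priv` output for offline use. The column
# layout mirrors the real tool; the rows are illustrative, not a real token.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeBackupPrivilege             Back up files and directories        Disabled
SeRestorePrivilege            Restore files and directories        Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: enabled(bool)} for every privilege row.

    Only rows whose last column is Enabled/Disabled are privilege rows;
    the banner, header, separator and blank lines are skipped.
    """
    privileges = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[-1] not in ("Enabled", "Disabled"):
            continue
        privileges[parts[0]] = parts[-1] == "Enabled"
    return privileges


def classify(privileges):
    """Split the token into what is held, what is live, and what is dormant
    but dangerous (held, disabled, and able to bypass ACLs when enabled)."""
    return {
        "present": sorted(privileges),
        "enabled": sorted(name for name, on in privileges.items() if on),
        "dormant_high_impact": sorted(
            name for name, on in privileges.items()
            if name in HIGH_IMPACT and not on
        ),
    }


def current_token_privileges():
    """Run the real `whoami /priv` on Windows; use the sample elsewhere."""
    if os.name == "nt" and shutil.which("whoami"):
        out = subprocess.run(
            ["whoami", "/priv"], capture_output=True, text=True, check=True
        ).stdout
        return parse_whoami_priv(out)
    return parse_whoami_priv(SAMPLE_WHOAMI_PRIV)


if __name__ == "__main__":
    report = classify(current_token_privileges())
    print("present :", ", ".join(report["present"]))
    print("enabled :", ", ".join(report["enabled"]))
    print("dormant :", ", ".join(report["dormant_high_impact"]) or "none")
```

The "dormant" line is the one worth reading: a token that holds SeBackupPrivilege in the disabled state is, for access-control purposes, a token that has it, which is why membership in groups that carry it (Backup Operators and Administrators by default) deserves review.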

The full list of privileges can be seen on Microsoft Docs: https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants

Let’s focus on two of them: SeBackupPrivilege and SeRestorePrivilege. Their superpower is reading and writing files even if no such right is granted to you on the Access Control List. The read and/or write operations have to be performed in a special way, but the good news is that a large part of the OS tools already try that way without telling you explicitly.

The question is: “why can’t cmd.exe read a folder it has no permissions for, if it tries the right way?”

And the answer is surprisingly simple: because it does not enable the appropriate privilege first! Even though it could…

It would be simple to add such a feature, but the idea is to keep you out of places you are not allowed to enter according to the ACLs.

And here comes the trick: enabling a privilege may be performed not only on the process’s own token. You can reach for another process, access its token and manipulate it, enabling and disabling privileges as needed. So here comes the plan:

  • Find the PID of a process to manipulate,
  • Reach for its token,
  • Enable SeBackupPrivilege and SeRestorePrivilege within the token.

Voila! The magic happens as the manipulated process no longer cares about permissions in the filesystem.

To make it even simpler, it makes sense to run the manipulating tool from cmd.exe and make it change the token of the parent process (which obviously is cmd.exe). As written before, new processes inherit the token from their parent, effectively making cmd.exe the perfect place to launch new processes that inherit the superpower of ignoring ACLs. Have fun!
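From the defender’s side, the trick leaves a trace: Windows records every AdjustTokenPrivileges call as Security event 4703 (“A user right was adjusted”) once the Authorization Policy Change subcategory is audited, and the event names the enabled privileges and the calling process. The detection below is an added example, not code from the article or the PSBits repository. Its input records are constructed for this example in a simplified key="value" form whose field names only loosely follow the 4703 labels; real exported events look different and the allowlist path is a placeholder. The caveat worth keeping in mind is the one the article itself makes: the trick can only enable privileges the token already holds, so the alert is about who held SeBackupPrivilege in the first place as much as about who enabled it.

```python
"""Flag token privilege adjustments that switch on ACL-bypassing privileges.

Added example (not the article's or the PSBits project's code). The records
are CONSTRUCTED in a simplified key="value" shape; the field names are an
assumption loosely modelled on Security event 4703 and are not the real
export format.
"""
import re

# Enabling either of these lets the process read/write regardless of ACLs.
ACL_BYPASS = {"SeBackupPrivilege", "SeRestorePrivilege"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: a known backup agent, an unknown tool in a user
# profile enabling both privileges at once (the article's trick seen from
# the caller's side), a built-in tool enabling one of them, an unrelated
# privilege, and a non-4703 event that must be ignored.
SAMPLE_EVENTS = [
    'EventID="4703" Subject="CORP\\svc_backup" '
    'ProcessName="C:\\Program Files\\ExampleBackup\\agent.exe" '
    'EnabledPrivileges="SeBackupPrivilege" DisabledPrivileges="-"',
    'EventID="4703" Subject="CORP\\jdoe" '
    'ProcessName="C:\\Users\\jdoe\\Downloads\\tokentool.exe" '
    'EnabledPrivileges="SeBackupPrivilege,SeRestorePrivilege" DisabledPrivileges="-"',
    'EventID="4703" Subject="CORP\\jdoe" '
    'ProcessName="C:\\Windows\\System32\\robocopy.exe" '
    'EnabledPrivileges="SeBackupPrivilege" DisabledPrivileges="-"',
    'EventID="4703" Subject="CORP\\jdoe" '
    'ProcessName="C:\\Windows\\System32\\shutdown.exe" '
    'EnabledPrivileges="SeShutdownPrivilege" DisabledPrivileges="-"',
    'EventID="4624" Subject="CORP\\jdoe" LogonType="2"',
]


def parse_event(line):
    """Turn one key="value" record into a dict (unknown keys are kept)."""
    return dict(FIELD_RE.findall(line))


def split_privileges(value):
    """The privilege list is comma-separated; '-' means none."""
    return {p for p in value.split(",") if p and p != "-"}


def detect(lines, allowlist=frozenset()):
    """Return one finding per 4703 record that enables an ACL-bypassing
    privilege from a process not on the allowlist.

    Severity is 'high' when both privileges are enabled together or the
    caller lives outside the Windows/Program Files trees, else 'medium'.
    """
    allowed = {p.lower() for p in allowlist}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4703":
            continue
        hit = split_privileges(ev.get("EnabledPrivileges", "")) & ACL_BYPASS
        if not hit:
            continue
        proc = ev.get("ProcessName", "")
        if proc.lower() in allowed:
            continue
        in_system_dirs = proc.lower().startswith(
            ("c:\\windows\\", "c:\\program files")
        )
        findings.append({
            "subject": ev.get("Subject", "?"),
            "process": proc,
            "privileges": sorted(hit),
            "severity": "high" if len(hit) == 2 or not in_system_dirs else "medium",
        })
    return findings


if __name__ == "__main__":
    # Placeholder allowlist entry for a sanctioned backup product.
    for f in detect(SAMPLE_EVENTS, {"C:\\Program Files\\ExampleBackup\\agent.exe"}):
        print(f"[{f['severity']}] {f['subject']} via {f['process']}: "
              + ", ".join(f["privileges"]))
```

Event 4703 is noisy on a busy host (services adjust harmless privileges constantly), so the filter on the two backup/restore privileges and an allowlist of sanctioned backup software is what keeps this usable; the remaining medium-severity hits from built-in tools are the ones to baseline per host rather than alert on outright.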

And the source code and the compiled tool if you dare to try: https://github.com/gtworek/PSBits/tree/master/EnableAllParentPrivileges
