
wsudo's Introduction

wsudo: Proof of concept sudo for Windows

⚠ Not production ready!

This project is in the very early stages. It may have bugs and security holes. Use at your own risk!

What does it look like?

A terminal. Or two terminals currently. See this short demo.

How to build/run?

Currently the only dependencies are spdlog, fmt, and the Windows SDK. I use vcpkg to install these. The project builds with CMake - I use the Ninja generator but the VS one is probably fine. After making sure your spdlog and fmt work, do:

...\wsudo> mkdir build
...\wsudo> cd build
...\wsudo> cmake -G Ninja ..
...\wsudo> cmake --build .

This will produce two binaries in bin\Debug. To try it, start TokenServer.exe in an admin console; then in a separate unelevated console run wsudo.exe <program> <args>. Currently you need to provide the full path to the program. It will ask for your password, but this is not yet implemented so the password is always password. To see the difference in elevation status, try wsudo.exe C:\Windows\System32\whoami.exe /groups and look for the Mandatory Label section.

What makes this one different?

It uses a token server, which can be run as a system service, to remotely reassign the primary token for an interactive process. A process you create with the wsudo.exe command inherits the environment as if you just called the target command itself, but it starts elevated with no UAC involvement.

How?

There are three ways to create an elevated process:

  1. Request elevation with UAC.
  2. Be an executable signed by the Windows Publisher.
  3. Be an elevated process.

The system will automatically start services elevated, but they have their own environment, which is not very useful for command line purposes. However, there's a trick - you can start a regular restricted process suspended in your own session and notify the service, which uses NtSetInformationProcess to change the remote process token to an elevated one before it starts.

I originally created a remote process in the service, but setting up the environment is tricky and requires digging through undocumented parts of the PEB. With this method, the system sets up all the inheritance correctly, and we only need one undocumented call to elevate the process.

It may be possible to achieve this without any undocumented APIs by creating the process in the server and using PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.

What features are missing?

Most of them. Here are the big ones:

  • Create a token for the client user instead of just duplicating the server's token.
  • Cache the users' tokens for a while after a successful authentication (note: should be per-session).
  • Implement Windows service functionality for the server.
  • Create some type of "sudoers" config file or registry key and enforce permissions.
  • Improve the client's command line handling - shouldn't have to type the full path to an exe.
  • Improve error handling and write tests.

Other ideas

  • Options to set user and privileges.
  • PowerShell wrapper cmdlets.
  • Integration with WSL sudo.
  • COM elevation.
  • Session selection.

Additional resources


wsudo's Issues

Implement sessions

Like sudo, after authenticating the password shouldn't be required for a while.

  • Sessions should be indexed by the user's SID and session - if LOCALDOMAIN\alice is authenticated in the physical machine session, this should not automatically grant access to her login via remote desktop or ssh (or should it?).
  • Sessions should expire when the machine sleeps.
  • The client should check for an active session before prompting for credentials.
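As an added example, not code from wsudo itself, here is a per-user, per-session authentication cache along the lines this issue describes, written in portable C++ so the policy logic can be exercised without the Windows SDK. The SID string, session ids and the five-minute lifetime are constructed sample values; in the server the key would be built from the client token's user SID and its terminal-services session id, and invalidateAll would be driven by a power-event notification.

```cpp
// Added example (not wsudo's code): a per-user, per-session authentication
// cache. Keys combine the user's SID (as a string) with the logon session id,
// so a cached authentication in one session never satisfies a request from
// another (console vs. RDP vs. ssh). Entries expire after a fixed lifetime,
// and the whole cache is dropped when the machine sleeps.
#include <chrono>
#include <map>
#include <string>
#include <tuple>

using Clock = std::chrono::steady_clock;

struct SessionKey {
    std::string userSid;      // e.g. "S-1-5-21-..." (constructed sample values below)
    unsigned long sessionId;  // terminal-services session id
    bool operator<(const SessionKey& o) const {
        return std::tie(userSid, sessionId) < std::tie(o.userSid, o.sessionId);
    }
};

class AuthSessionCache {
public:
    explicit AuthSessionCache(Clock::duration lifetime) : lifetime_(lifetime) {}

    // Record a successful authentication for this user in this session.
    void recordSuccess(const SessionKey& key, Clock::time_point now = Clock::now()) {
        entries_[key] = now + lifetime_;
    }

    // True only if this user authenticated in this exact session and the entry
    // has not expired. Expired entries are removed as they are encountered.
    bool isActive(const SessionKey& key, Clock::time_point now = Clock::now()) {
        auto it = entries_.find(key);
        if (it == entries_.end()) return false;
        if (now >= it->second) { entries_.erase(it); return false; }
        return true;
    }

    // Called on a sleep/suspend notification: drop everything.
    void invalidateAll() { entries_.clear(); }

    std::size_t size() const { return entries_.size(); }

private:
    Clock::duration lifetime_;
    std::map<SessionKey, Clock::time_point> entries_;
};

// Walks through the scenario from the issue with constructed sample values.
// Returns true if every expectation holds.
bool demoScenario() {
    using namespace std::chrono_literals;
    AuthSessionCache cache(5min);
    const auto t0 = Clock::now();
    const std::string aliceSid = "S-1-5-21-1000-2000-3000-1001";  // constructed SID
    SessionKey aliceConsole{aliceSid, 1};  // physical console session
    SessionKey aliceRdp{aliceSid, 2};      // remote desktop session

    cache.recordSuccess(aliceConsole, t0);
    bool ok = cache.isActive(aliceConsole, t0 + 1min);    // same session: cached
    ok = ok && !cache.isActive(aliceRdp, t0 + 1min);      // other session: must re-authenticate
    ok = ok && !cache.isActive(aliceConsole, t0 + 6min);  // lifetime elapsed: expired
    ok = ok && cache.size() == 0;                         // expired entry was purged
    cache.recordSuccess(aliceConsole, t0 + 6min);
    cache.invalidateAll();                                // machine went to sleep
    ok = ok && !cache.isActive(aliceConsole, t0 + 7min);
    return ok;
}
```

The cache belongs in the token server, not the client: the unelevated client may skip the password prompt when the server reports an active session, but the server must still be the one that decides, since anything the client sends can be forged by other code running as that user.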

WSL integration

Being able to elevate a WSL session as root and a Windows session with an admin token at the same time would be very convenient.

Configuration (sudoers or registry equivalent)

  • What format should be used? JSON, sudoers, registry, other?
  • Strict permissions need to be enforced here.
  • How should it be edited? Actually allow editing, or just provide client commands (wsudo --config ...)?
  • What overlap is there between sudoers and wsudo config? Which Windows-specific features should be supported?

License

Hi @parkovski.
I've read the readme and it looks truly impressive.
I thought it was impossible to overwrite the token of another process.
I wonder if I could grab some ideas and incorporate them into gsudo.
The problem is that gsudo is MIT license and wsudo is GPL-3.0.
Could you please authorize me to read your code, transform the token overwriting logic into gsudo (C#) and release under MIT?
I would add your name (is it Parker Snell?) as part of the license file.

Thanks, and great work!

Customize user and privileges

We shouldn't just blindly allow anyone to do this. Giving an administrator their own token is very different from giving them a SYSTEM or TrustedInstaller token.
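An added example, not wsudo's code, showing what the enforcement side could look like for both the "Configuration (sudoers or registry equivalent)" issue and this one: a deny-by-default rule check in which each rule names a principal, the token identity it may request, and a command path prefix. The rule format, the `self`/`SYSTEM` identity names and the sample policy are assumptions for illustration; it is portable C++ so the logic can be tested without the Windows SDK.

```cpp
// Added example (not wsudo's code): a deny-by-default rule check of the kind a
// "sudoers"-style config for wsudo could enforce. The rule format is an
// assumption: one rule per line, three whitespace-separated fields
//   <user or group>  <token identity: self|SYSTEM>  <command path prefix or *>
// '#' starts a comment. A request is allowed only if some rule names the user
// (or one of the user's groups), grants exactly the requested identity, and
// the command path starts with the rule's prefix. Matching is case-insensitive
// because Windows user names and paths are.
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

struct Rule {
    std::string principal;   // user or group name
    std::string identity;    // "self" (caller's own elevated token) or "SYSTEM"
    std::string pathPrefix;  // "*" means any command
};

struct Request {
    std::string user;
    std::vector<std::string> groups;
    std::string identity;
    std::string command;  // full path, as wsudo currently requires
};

std::string lowerCase(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Parse rules; malformed lines are skipped rather than silently widened.
std::vector<Rule> parseRules(const std::string& text) {
    std::vector<Rule> rules;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        auto hash = line.find('#');
        if (hash != std::string::npos) line.erase(hash);
        std::istringstream fields(line);
        Rule r;
        if (fields >> r.principal >> r.identity >> r.pathPrefix) rules.push_back(r);
    }
    return rules;
}

bool principalMatches(const Rule& r, const Request& q) {
    const std::string p = lowerCase(r.principal);
    if (p == lowerCase(q.user)) return true;
    return std::any_of(q.groups.begin(), q.groups.end(),
                       [&](const std::string& g) { return lowerCase(g) == p; });
}

bool commandMatches(const Rule& r, const Request& q) {
    if (r.pathPrefix == "*") return true;
    const std::string p = lowerCase(r.pathPrefix), c = lowerCase(q.command);
    return c.compare(0, p.size(), p) == 0;
}

bool isAllowed(const std::vector<Rule>& rules, const Request& q) {
    // A prefix match on an un-normalised path is defeated by ".." segments,
    // so reject them outright; the server should match on the canonical path.
    if (q.command.find("..") != std::string::npos) return false;
    for (const auto& r : rules) {
        if (principalMatches(r, q) && lowerCase(r.identity) == lowerCase(q.identity) &&
            commandMatches(r, q))
            return true;
    }
    return false;  // deny by default
}

// Constructed sample policy used for demonstration.
const char* const kSamplePolicy =
    "# principal              identity  command\n"
    "alice                    self      C:\\Windows\\System32\\\n"
    "BUILTIN\\Administrators   self      *\n"
    "svc-backup               SYSTEM    C:\\Tools\\backup.exe\n";

// Convenience wrapper: evaluate one request (at most one group) against the sample policy.
bool checkSample(const char* user, const char* group, const char* identity, const char* command) {
    Request q{user, {}, identity, command};
    if (group && *group) q.groups.push_back(group);
    return isAllowed(parseRules(kSamplePolicy), q);
}
```

Two things the snippet leaves to the server: the policy source itself (file or registry key) must be writable only by Administrators, otherwise the unelevated user simply grants themselves a SYSTEM rule; and the path compared against the prefix must be the canonical path the server will actually launch, so that the check and the launch cannot disagree.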

Re-ACL child processes

Currently they're accessible by anyone. When started through UAC, the owner is the Administrators group.
