Modifiable Services false positives for explicit AccessDenied DACLs

Question

Modifiable Services false positives for explicit AccessDenied DACLs

e0x70i opened this issue 6 years ago · comments

epi commented 6 years ago

Noticed false positives for a number of services, for example most McAfee services.

Checked the ACL and it turns out they have an explicit access denied for the authenticated users SID.

This can probably be fixed by checking the ACE type.

Some jank debug shows the access control type is "AccessDenied" for the false positive sid.

Console.WriteLine("DACL for SID: " + ace.SecurityIdentifier);
                               Console.WriteLine(ace.AccessMask);
                               Console.WriteLine(ace.AceType);

Ace types: https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.acetype?view=netframework-4.7.2

Clément Notin · Answer 1 · Thu Mar 14 2019 02:50:36 GMT+0800 (China Standard Time)

Fixed by #15 ;)