Dangers of Windows API and Administrator accounts?_问答_开发者

I wrote a game server plugin last night that allowed me to create a user account and set it as administrator, which is a huge problem. Of course the simple fix is to create a basic user account with limited privileges for the game servers, so they would not have access to do things like this.

I wanted to find out if there's anything else in the Windows API that would create such a huge vulnerability though? I guess I want to just make sure that when the client's game servers accounts are moved to limited access accounts, we won't have to worry about any of them using the windows API to sabotage the machines. There is already enough exploits in the game itself to worry about, without having to worry about cli开发者_如何学编程ent's taking over the machines with plugins lol.

Some of the questions relative would be... Can you disable/enable Remote Desktop from c++? Can you get a list of AD user groups from c++? (not that a user belongs to, but a complete list)

I wrote a game server plugin last night that allowed me to create a user account and set it as administrator, which is a huge problem.

No, it's not. That's what running as an administrative account means: administrative permissions! If you don't want that to happen, don't run as an administrative user.

IMO, however, it seems quite unusual and bizarre that your game server allows plugins which subsequently are permitted to access local Windows API functions. That is quite unorthodox and would itself be considered a security vulnerability. Is there any particular reason for that? Why not just restrict access solely to whatever your game's library functions are instead of opening things wide?

Can you disable/enable Remote Desktop from c++?

Yes. Once you're an administrator, you probably have shell access, so it's trivial to execute netsh firewall set service remotedesktop enable as a process, for example.

Normally if you want to restrict access to what a plugin in a server can do, you wouldn't use allow the plugins to be written in C++, you'd use a scripting language.

For C++ code, you should worry about more than just the Windows APIs that can be called - if you are letting plugin code, written in C++ by someone you don't trust, be run in the same process as your game server, that plugin code could trivially crash your game server, and perform any file access that the account the game server is running under is allowed to perform (possibly including modifying or deleting game data files).

A more typical solution is to have plugins written in a scripting language which only provides access to perform actions you want the plugin to be able to perform and certainly doesn't allow pointer operations that could allow a plugin to access things you don't expect it to.

Now that I understand you can't control what the game server software does (I am aware that various game developers aren't too concerned with the practical aspects of people hosting game servers):

Microsoft would certainly try to avoid having APIs in Windows that allowed limited user accounts to do Administrator-type things. In my experience, most Administrator-type changes require you to either (a) be a member of the Administrators group or (b) be a member of some group configured via the Local Security Policy or Group Policy to be allowed to make those changes. You should therefore be able to use ACLs to limit access to files and policies to essentially limit access to APIs. Generally when there is some way to use an API to get access you're not meant to have, that is normally considered a security bug that Microsoft will fix - see all the web search matches for "windows local privilege escalation".

Whether a server plugin can create an account with Administrative privileges is actually not determined by your choice of language (C and C++ behave exactly the same) but whether the server process itself is already running with Administrator right. If the server process is running as a normal user, it can't can create Administrator accounts, and therefore none of its plugins can.

This is to say, it's not Valve or another game server author who's responsible for such problems, but the person who set up the server.