HttpListener and non-Admin

by Dominick Baier

Related link: http://www.leastprivilege.com/HttpCfgACLHelper.aspx



Windows 2003 and XP SP2 include HTTP.SYS. This is a kernel mode http listener that is e.g. used by IIS6. A nice thing with http.sys is, that it enables port sharing. That means you can have several processes on your system listen e.g. on port 80. If you want to host a http listener in your own application, you use the http API to register a URI namespace with http.sys, e.g. 'http://*:80/MyApp/' registers for receiving all incoming requests to that URI. The new HttpListener class which will be included in .NET 2.0 is a nice managed wrapper for that functionality.


This can enable all kinds of interesting scenarios, e.g. embedding lightweight web servers in applications or hosting a web service or ASMX endpoint (like Aaron described in his article on MSDN here). Indigo uses HttpListener for ServiceHost<T> e.g.


One security feature of http.sys that most developers are not aware of is, that only users with administrative privileges can register arbitrary namespaces (sorry, of course i know that YOU are not running as admin, but most of the others do :)). This is by design. Otherwise it would be very easy for malware to 'hide' behind already opened ports.


If you want to enable HttpListener in applications which will be run by normal users, you have to reserve and ACL a namespace during deployment of the application. A tool called 'httpcfg.exe' can be used for this (included in the support tools for Server 2003 or for download for XP here).


The problem is, there is no managed API for reserving namespaces, but this would be indeed very useful for setup programs. The command line tool version is not very user friendly too, e.g. you have to set the ACL as a SDDL string, and i guess not everybody is fluent in that. A example (sets a GENERIC_EXECUTE on a URI for a user account):


httpcfg set urlacl /u http://*:8080/MyEndPoint/ /a D:(A;;GX;;;S-1-5-21-1144070942-1563683482-3278297161-1114)


I wrote a little tool where you can select user accounts, groups and well known SIDs (I currently don't support well known SIDs that need a domain SID). The tools spits out the right httpcfg syntax for your selection as well as copies the SDDL string to the clipboard.


Make httpcfg your friend. There is no excuse to run with elevated privileges!


HttpCfgAcl.zip (24.19 KB)