HttpListener access denied permanently fixed and created a hole in Windows security

  • Question

  • When I use HttpListener in a C# application on a Windows 10 workstation I get "Access is denied". (The same application on Windows 7 works fine.) So, in order to grant access on Windows 10, I ran the following command.

    netsh http add urlacl url=http://W10-BOX:8888/cmd user=W10-BOX\myusername

    This fixes the problem.

    Then, I deleted the URLACL and verified it was gone with the following commands

    netsh http delete urlacl url=//W10-BOX:8888/cmd

    netsh http show urlacl

    Then, I ran my application again, expecting to get the "Access is denied" error. However, the application worked. Not only that: the application now works on (can listen on) any open port, and it works for any user.

    Did I just create a hole in Windows Firewall? BTW, the firewall is running but it is disabled.

    • Edited by JonasBox3 Tuesday, April 16, 2019 3:36 PM
    Tuesday, April 16, 2019 3:22 PM

Answers

  • Hi JonasBox3,

    So you use the following command to achieve the goal and find out that the “Hole” exists. Is it?

    netsh http add urlacl url=http://+:15100/ user=administrator
    netsh http delete urlacl url=http://+:15100/
    netsh http show urlacl |findstr "15100"

    Did you try it with another account or on another computer? I suspect there is something wrong with your OS.
    Regards
    Abraham

    • Marked as answer by JonasBox3 Wednesday, April 24, 2019 2:25 PM
    Monday, April 22, 2019 2:42 AM
    Moderator
  • I tried the same set of commands on another Win10 box and they work as advertised. So, as you suggested, there must be something amiss with the first Win10 box. Thank you for your help!

    Jonas

    Tuesday, April 23, 2019 3:43 PM

All replies

  • Hi JonasBox3,
    HTTP addresses are managed by a core driver called http.sys. When we want http.sys to make a request, we need to register the HTTP namespace, which is an operation that requires privileges (administrator privileges).
    Based on your issue, I tried to reproduce it, and it works as we expected: the project could not register the HTTP address once the URL ACL was removed. I used a WCF service to register the HTTP address, with the following commands.
    netsh http add urlacl url=http://+:15100/ user=administrator
    netsh http delete urlacl url=http://+:15100/
    netsh http show urlacl |findstr "15100"


    I restarted the project and it prompted that it could not register the HTTP address.
    Another factor we may need to consider is the current account running the program. It may not be an administrator account, which is the one able to register the HTTP address. I suggest you check the following document to see if there is any problem.
    https://docs.microsoft.com/en-us/windows/desktop/http/add-urlacl
    Feel free to let me know if there is anything I can help with.
    Best Regards
    Abraham
    Wednesday, April 17, 2019 2:37 AM
    Moderator
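The add / show / delete sequence above and in the original question, done the way a practitioner would want it: an added example, not code from the thread or from Microsoft. It reserves exactly one prefix for exactly one account with listen-only rights, and verifies each step by parsing the output of `netsh http show urlacl` instead of eyeballing it. Assumptions: it is run from an elevated PowerShell (adding and deleting reservations needs administrator rights), the prefix `http://+:8888/` and the current user are placeholders, and the reservation URL is spelled the same way on delete as on add (scheme and trailing slash included), because netsh matches reservations by exact string.

```powershell
# Added example, not code from the thread: reserve an http.sys prefix for one
# account with listen-only rights, verify it, remove it, and verify again, by
# parsing "netsh http show urlacl". Assumptions: run from an elevated
# PowerShell; the prefix below is a placeholder and must end in "/".

function Get-UrlAcl {
    # One object per reservation: the reserved URL and the accounts granted on it.
    $entries = @()
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Get-UrlAclForPort {
    # Every reservation on the given port, whatever host part it uses
    # (+, *, or a hostname). This is what 'findstr "15100"' approximates.
    param([Parameter(Mandatory)][int]$Port)
    Get-UrlAcl | Where-Object { $_.Url -match ":$Port/" }
}

function Add-UrlAclReservation {
    param([Parameter(Mandatory)][string]$Url,
          [Parameter(Mandatory)][string]$Account)
    # listen=yes delegate=no: the account may bind the prefix but may not
    # hand the reservation on to other processes.
    $out = netsh http add urlacl url=$Url user=$Account listen=yes delegate=no
    # Trust the reservation table, not the exit code.
    if (-not (Get-UrlAcl | Where-Object Url -eq $Url)) {
        throw "Reservation for $Url not present after add: $out"
    }
}

function Remove-UrlAclReservation {
    param([Parameter(Mandatory)][string]$Url)
    # The URL must match the reserved string exactly, scheme and trailing
    # slash included; otherwise netsh reports an error and the entry stays.
    $out = netsh http delete urlacl url=$Url
    if (Get-UrlAcl | Where-Object Url -eq $Url) {
        throw "Reservation for $Url still present after delete: $out"
    }
}

# Usage: reserve exactly the prefix the application listens on, for exactly
# the account that runs it (here the current user, as in the thread).
$prefix  = 'http://+:8888/'
$account = "$env:USERDOMAIN\$env:USERNAME"

Add-UrlAclReservation -Url $prefix -Account $account
Get-UrlAclForPort -Port 8888 | Format-List

Remove-UrlAclReservation -Url $prefix
if (-not (Get-UrlAclForPort -Port 8888)) { 'No reservation left on port 8888' }
```

Reserving `http://+:8888/` covers every host name on that port, which is what the thread's `HttpListener` prefix asks for; a narrower reservation such as `http://W10-BOX:8888/cmd/` does not cover a listener that registers `http://+:8888/`, so the two strings should be chosen together. Granting the reservation to the one service account rather than to `Everyone` keeps other local users from binding the port.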
  • Abraham,

    Thank you for confirming that adding and deleting the urlacl works on your system. I'm still baffled why it does not work on mine as expected. I'm logged in as a local admin user. If there is no urlacl for my user or group to listen on port 8888, how could it be possible that my application can now? Moreover, originally, as expected, it was not possible.

    My C# command-line application is very bare:

    HttpListener listener = new HttpListener();

    listener.Prefixes.Add("http://+:8888/");

    The second line used to throw "Access is denied". There must be something else that is allowing this code to run without throwing the exception. In other words, how would I get my system to behave as it used to, where users are not permitted to listen on open ports?

    Jonas

    • Edited by JonasBox3 Wednesday, April 17, 2019 3:29 PM
    Wednesday, April 17, 2019 3:12 PM
  • Hi
    That’s right, as we discussed, one way is running the program with an administrator account.
    On my side, even though I didn’t execute the ADD URLACL command, the program works well as long as I run the program with administrator privilege.
    The other solution is to run the CMD shell with administrator privilege and use
    netsh http add urlacl url=http://+:8888/ user=test

    Best Regards
    Abraham
    Thursday, April 18, 2019 2:19 AM
    Moderator
  • I am running with a local admin account. So, I see two inconsistencies with what I am experiencing compared to what you just wrote.

    1. Logged in as a local admin, I was getting "Access is denied". If one solution is to use a local admin account, then that is not working for me. Why?

    2. While still logged in as a local admin, I ran "netsh http add urlacl url=//+:8888/ user=myadminaccount". This fixed the "Access is denied". After I deleted the urlacl, I expected to get the "Access is denied" error again. However, I no longer get this error even though the urlacl no longer exists. Why?

    Thursday, April 18, 2019 3:02 PM
  • Hi, JonasBox3,
    Sorry, I might have misunderstood your meaning. Is it possible that there is something wrong with your OS or runtime environment? Can you test it with a simple console program?
      using System.Net;

      static void Main(string[] args)
      {
          // Prefixes.Add only records the prefix; http.sys is not consulted yet.
          HttpListener listener = new HttpListener();
          listener.Prefixes.Add("http://+:8888/");
          // Start() is where "Access is denied" is raised when no URL ACL
          // covers the prefix and the process is not elevated.
          listener.Start();
          listener.Stop();
      }

    https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=netframework-4.8
    One thing I want to clarify is what you mean by logging in as a local admin. In my opinion, there is a difference between being logged in as an admin and running a program with administrator privilege.
     https://i.stack.imgur.com/RZRrS.png
    As the above image shows, although I logged in with an admin account, it uses ordinary permissions to run the program. I need to Run as administrator explicitly.
    Besides, I test whether the UrlAcl deletion takes effect by closing, recompiling, and running the program. 
    Best Regards
    Abraham
    Friday, April 19, 2019 3:26 AM
    Moderator
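The distinction Abraham draws here, between being a member of Administrators and actually running with an elevated token, is the first thing to check when a listener binds a port with no reservation in place. The script below is an added diagnostic, not code from the thread: it reports whether the current token is elevated, whether User Account Control is enabled, and then tries the thread's `HttpListener` prefix and reports exactly what `Start()` returns. One fact worth knowing when reading its output: with UAC turned off (`EnableLUA` = 0), every process started by a member of Administrators already carries the full administrator token, so "Run as administrator" changes nothing and http.sys needs no reservation for that user. Assumptions: port 8888 is a placeholder with nothing else listening on it, and the script runs under Windows PowerShell or PowerShell 7 on Windows.

```powershell
# Added diagnostic, not code from the thread: tell "member of Administrators"
# apart from "running elevated", report whether UAC is on, then try the same
# HttpListener prefix from the thread and report what Start() does.
# Assumptions: port 8888 is a placeholder with nothing else listening on it.

function Get-TokenState {
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p     = New-Object Security.Principal.WindowsPrincipal($id)
    $admin = [Security.Principal.WindowsBuiltInRole]::Administrator
    # S-1-5-32-544 (BUILTIN\Administrators) stays in the token's group list
    # even after UAC filters it to deny-only; IsInRole is true only when the
    # process really runs with the full (elevated) token.
    $inAdminGroup = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        User                 = $id.Name
        AdministratorsMember = $inAdminGroup
        Elevated             = $p.IsInRole($admin)
        UacEnabled           = ($policy.EnableLUA -eq 1)
    }
}

function Test-HttpListenPrefix {
    param([string]$Prefix = 'http://+:8888/')
    $listener = New-Object System.Net.HttpListener
    # Prefixes.Add only validates the string; http.sys is not consulted yet.
    $listener.Prefixes.Add($Prefix)
    try {
        # Start() is where http.sys checks the URL ACL against the caller's token.
        $listener.Start()
        $listener.Stop()
        [pscustomobject]@{ Prefix = $Prefix; ErrorCode = 0; Result = 'Started' }
    }
    catch {
        # PowerShell wraps the .NET exception; unwrap it to reach the Win32 code.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $code = if ($ex -is [System.Net.HttpListenerException]) { $ex.ErrorCode } else { -1 }
        # 5   = ERROR_ACCESS_DENIED: no reservation covers the prefix for this
        #       account and the process is not elevated.
        # 183 = ERROR_ALREADY_EXISTS: a conflicting registration is held by
        #       another process.
        [pscustomobject]@{ Prefix = $Prefix; ErrorCode = $code; Result = $ex.Message }
    }
    finally {
        $listener.Close()
    }
}

Get-TokenState | Format-List
Test-HttpListenPrefix | Format-List
```

Run it twice, once from a normal prompt and once from a prompt started with "Run as administrator": if `Elevated` is true and `ErrorCode` is 0 in both runs while `netsh http show urlacl` lists nothing on the port, the process is elevated without asking for it, and `UacEnabled` is the setting to look at next.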
  • Hi,

    Your sample program works when I compile and run. I am logged in as a local user in the Administrators group. My goal is to run your sample program logged in this way but without clicking "Run as administrator". 

    Jonas

    Friday, April 19, 2019 2:01 PM