This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: handle protection - please comment


Hi!

On Wednesday, 18 April 2001, Corinna Vinschen <vinschen@redhat.com> wrote:

>> the problem is that if I (process B) have a handle of a process with only
>> PROCESS_DUP_HANDLE access, and process A has at least one private
>> handle of itself with full access, I can elevate my privileges
>> using the code quoted above. For Cygwin programs the second thing is
>> true -- every process has an hMainProcess handle of itself. It won't give
>> it to me, sure, but I can just try to guess it. I'll start duplicating
>> all values 0x4,0x8,0xc,0x10,... (remember, I can duplicate handles
>> from process A), and sooner or later I'll find hMainProcess. Voila,
>> process B has all access to process A's address space.

CV> I see. But that's a Cygwin specific problem only, AFAICS. Since
CV> `_dll_crt0' creates hMainProc as a duplicate of `GetCurrentProcess()',
CV> all processes have a real process handle to themselves with full access
CV> rights, which could be duplicated by other processes. I'm not sure
CV> why this is done, because the return value of `GetCurrentProcess()'
CV> should fit our needs and it can neither be duplicated nor used by
CV> other processes.

Well, we can remove or restrict rights on hMainProcess, but it'll just
make the exploit a bit harder.
For example, process A may need to open some sensitive file it has
access to, and process B will be able to duplicate it.
Or I'll wait till some process calls fork(), and duplicate the child's handle
it got from CreateProcess().

Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19


