handle protection - please comment

egor duda deo@logos-m.ru
Wed Apr 18 07:29:00 GMT 2001


Wednesday, 18 April, 2001 Corinna Vinschen vinschen@redhat.com wrote:

>> 4. Even if we restrict hProcessB to allow only handle duplication, but
>> denying READ_VM and WRITE_VM, it wont help much. Malicious attacker
>> can run this code:
>>   for (void* h = 0; ; h += 4)
>>     {
>>       h1 = duplicate_handle_from_process_b (h);
>>       if (ReadProcessMemory (h1, 0x61000000, buffer, 4096, &bytes_transfeered))
>>         {
>>           printf ("Hooray! Got it at %p", h);
>>           do_bad_things ();
>>           break;
>>         }
>>     }
>> to scan process' B handles in hope to find hMainProcess handle. And i
>> bet it won't take long to find it.

CV> Maybe I'm somewhat slow but isn't the situation exactly the other way
CV> around?

CV> Process A needs a handle to a thing T which is owned by process B.
CV> To get the handle, the owner B needs to get the process handle of
CV> A to duplicate the handle and return it to A. So if A is the attacker
CV> it has no chance to undergo the permissions of B since it never
CV> sees the process handle of B. OTOH, if B is a malicious server, it
CV> has no chance to use ReadProcessMemory() if A gives B the own process
CV> handle with only PROCESS_DUP_HANDLE access.

the problem is that if i (process B) have handle of process with only
PROCESS_DUP_HANDLE access, and process A have at least one private
handle of itself with full access, i can elevate my privileges
using the code quoted above. for cygwin programs the second thing is
true -- every process has hMainProcess handle of itself. It won't give
it to me, sure, but i can just try to guess it. i'll start duplicating
all values 0x4,0x8,0xc,0x10,... (remember, i can duplicate handles
from process  A), and sooner or later i'll find hMainProcess. voila,
process B have all access to process' A address space.

Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19

More information about the Cygwin-developers mailing list