handle protection - please comment

Corinna Vinschen vinschen@redhat.com
Wed Apr 18 07:47:00 GMT 2001


On Wed, Apr 18, 2001 at 06:26:40PM +0400, egor duda wrote:
> CV> Process A needs a handle to a thing T which is owned by process B.
> CV> To get the handle, the owner B needs to get the process handle of
> CV> A to duplicate the handle and return it to A. So if A is the attacker
> CV> it has no chance to undergo the permissions of B since it never
> CV> sees the process handle of B. OTOH, if B is a malicious server, it
> CV> has no chance to use ReadProcessMemory() if A gives B the own process
> CV> handle with only PROCESS_DUP_HANDLE access.
> 
> the problem is that if i (process B) have handle of process with only
> PROCESS_DUP_HANDLE access, and process A have at least one private
> handle of itself with full access, i can elevate my privileges
> using the code quoted above. for cygwin programs the second thing is
> true -- every process has hMainProcess handle of itself. It won't give
> it to me, sure, but i can just try to guess it. i'll start duplicating
> all values 0x4,0x8,0xc,0x10,... (remember, i can duplicate handles
> from process  A), and sooner or later i'll find hMainProcess. voila,
> process B have all access to process' A address space.

I see. But that's a Cygwin specific problem only, AFAICS. Since
`_dll_crt0' creates hMainProc as a duplicate of `GetCurrentProcess()'
all processes have a real process handle to itself with full access
rights which could be duplicated by other processes. I'm not sure
why this is done because the return value of `GetCurrentProcess()'
should fit our needs and it can neither be duplicated nor used by
other processes.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.



More information about the Cygwin-developers mailing list