Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-developers-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin-developers AT sources DOT redhat DOT com
Date: Wed, 18 Apr 2001 18:26:40 +0400
From: egor duda
X-Mailer: The Bat! (v1.45) Personal
Reply-To: egor duda
Organization: deo
X-Priority: 3 (Normal)
Message-ID: <175340295909.20010418182640@logos-m.ru>
To: Corinna Vinschen
Subject: Re: handle protection - please comment
In-reply-To: <20010418155552.S15962@cygbert.vinschen.de>
References: <20010418120530 DOT Q15962 AT cygbert DOT vinschen DOT de> <00a401c0c7f0$02bb1f30$0200a8c0 AT lifelesswks> <13327115627 DOT 20010418144700 AT logos-m DOT ru> <20010418155552 DOT S15962 AT cygbert DOT vinschen DOT de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi!

Wednesday, 18 April, 2001 Corinna Vinschen vinschen AT redhat DOT com wrote:

>> 4. Even if we restrict hProcessB to allow only handle duplication, but
>> denying READ_VM and WRITE_VM, it won't help much. A malicious attacker
>> can run this code:
>>
>>   for (uintptr_t h = 4; ; h += 4)
>>     {
>>       HANDLE h1 = duplicate_handle_from_process_b ((HANDLE) h);
>>       SIZE_T bytes_transferred;
>>       if (h1 && ReadProcessMemory (h1, (LPCVOID) 0x61000000, buffer, 4096,
>>                                    &bytes_transferred))
>>         {
>>           printf ("Hooray! Got it at %p\n", (void *) h);
>>           do_bad_things ();
>>           break;
>>         }
>>     }
>>
>> to scan process B's handles in the hope of finding the hMainProcess
>> handle. And I bet it won't take long to find it.

CV> Maybe I'm somewhat slow but isn't the situation exactly the other way
CV> around?
CV> Process A needs a handle to a thing T which is owned by process B.
CV> To get the handle, the owner B needs to get the process handle of
CV> A to duplicate the handle and return it to A. So if A is the attacker
CV> it has no chance to undergo the permissions of B since it never
CV> sees the process handle of B.
CV> OTOH, if B is a malicious server, it
CV> has no chance to use ReadProcessMemory() if A gives B the own process
CV> handle with only PROCESS_DUP_HANDLE access.

The problem is that if I (process B) have a handle to a process with only
PROCESS_DUP_HANDLE access, and process A has at least one private handle to
itself with full access, I can elevate my privileges using the code quoted
above. For Cygwin programs the second thing is true: every process has an
hMainProcess handle to itself. It won't give it to me, sure, but I can just
try to guess it. I'll start duplicating all values 0x4, 0x8, 0xc, 0x10, ...
(remember, I can duplicate handles from process A), and sooner or later I'll
find hMainProcess. Voila, process B has full access to process A's address
space.

Egor.            mailto:deo AT logos-m DOT ru ICQ 5165414 FidoNet 2:5020/496.19