Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-developers-owner AT sources DOT redhat DOT com Delivered-To: mailing list cygwin-developers AT sources DOT redhat DOT com Date: Wed, 18 Apr 2001 15:07:30 -0400 From: Christopher Faylor To: cygdev Subject: Re: handle protection - please comment Message-ID: <20010418150730.C3648@redhat.com> Reply-To: cygwin-developers AT cygwin DOT com Mail-Followup-To: cygdev References: <20010418120530 DOT Q15962 AT cygbert DOT vinschen DOT de> <00a401c0c7f0$02bb1f30$0200a8c0 AT lifelesswks> <13327115627 DOT 20010418144700 AT logos-m DOT ru> <20010418155552 DOT S15962 AT cygbert DOT vinschen DOT de> <175340295909 DOT 20010418182640 AT logos-m DOT ru> <20010418164712 DOT J15005 AT cygbert DOT vinschen DOT de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.11i In-Reply-To: <20010418164712.J15005@cygbert.vinschen.de>; from vinschen@redhat.com on Wed, Apr 18, 2001 at 04:47:12PM +0200 On Wed, Apr 18, 2001 at 04:47:12PM +0200, Corinna Vinschen wrote: >On Wed, Apr 18, 2001 at 06:26:40PM +0400, egor duda wrote: >> CV> Process A needs a handle to a thing T which is owned by process B. >> CV> To get the handle, the owner B needs to get the process handle of >> CV> A to duplicate the handle and return it to A. So if A is the attacker >> CV> it has no chance to undergo the permissions of B since it never >> CV> sees the process handle of B. OTOH, if B is a malicious server, it >> CV> has no chance to use ReadProcessMemory() if A gives B the own process >> CV> handle with only PROCESS_DUP_HANDLE access. >> >> the problem is that if i (process B) have handle of process with only >> PROCESS_DUP_HANDLE access, and process A have at least one private >> handle of itself with full access, i can elevate my privileges >> using the code quoted above. for cygwin programs the second thing is >> true -- every process has hMainProcess handle of itself. It won't give >> it to me, sure, but i can just try to guess it. i'll start duplicating >> all values 0x4,0x8,0xc,0x10,... (remember, i can duplicate handles >> from process A), and sooner or later i'll find hMainProcess. voila, >> process B have all access to process' A address space. > >I see. But that's a Cygwin specific problem only, AFAICS. Since >`_dll_crt0' creates hMainProc as a duplicate of `GetCurrentProcess()' >all processes have a real process handle to itself with full access >rights which could be duplicated by other processes. I'm not sure >why this is done because the return value of `GetCurrentProcess()' >should fit our needs and it can neither be duplicated nor used by >other processes. This handle is inherited by child processes. I also did it to avoid the overhead of calling GetCurrentProcess repeatedly. cgf