Vitaliy Margolen wrote:
After checking object's SD against token we fail some tests. What it seems to me is that some one tried to "optimize" this part in windows and instead created a security problem.
If you already have a valid handle to the object, then it isn't really a security problem to have another one with the same access rights.
@@ -450,25 +453,34 @@ obj_handle_t duplicate_handle( struct pr unsigned int access, unsigned int attr, unsigned int options ) { obj_handle_t res;
struct handle_entry *entry;
unsigned int src_access, dst_access; struct object *obj = get_handle_obj( src, src_handle, 0, NULL );
if (!obj) return 0;
- if (options & DUP_HANDLE_SAME_ACCESS)
- if ((entry = get_handle( src, src_handle )))
src_access = entry->access;
- else /* pseudo-handle, give it full access */ {
struct handle_entry *entry = get_handle( src, src_handle );
if (entry)
access = entry->access;
else /* pseudo-handle, give it full access */
{
access = obj->ops->map_access( obj, GENERIC_ALL );
clear_error();
}
src_access = obj->ops->map_access( obj, GENERIC_ALL );
}clear_error();
- access &= ~RESERVED_ALL;
- src_access &= ~RESERVED_ALL;
- if (options & DUP_HANDLE_SAME_ACCESS)
dst_access = src_access;
- else
dst_access = obj->ops->map_access( obj, access ) & ~RESERVED_ALL;
- /* asking for more or the same/less access rights */
- access = ~src_access & dst_access ? dst_access : 0;
- if (options & DUP_HANDLE_MAKE_GLOBAL) res = alloc_global_handle( obj, access ); else res = alloc_handle( dst, obj, access, attr );
- if (res) get_handle( dst, res )->access = dst_access;
It would seem better to add an extra parameter to alloc_handle and alloc_global_handle to tell them to not check access rather than adding this hack. It should use less processor time and it should make patch 2 not necessary.
Robert Shearman wrote:
Vitaliy Margolen wrote:
After checking object's SD against token we fail some tests. What it seems to me is that some one tried to "optimize" this part in windows and instead created a security problem.
If you already have a valid handle to the object, then it isn't really a security problem to have another one with the same access rights.
Actually that's a pseudo-handle from GetCurrentProcess(). Which can be duplicated into say global handle with maximum access. So when an app creates a process and sets any access restrictions on it, it's all useless for the process itself - as it can always gain 100% access to itself, and give that 100% access to anyone who wants.
Vitaliy.