This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: handle protection - please comment


Hi!

Wednesday, 18 April, 2001 Corinna Vinschen vinschen@redhat.com wrote:

>> well, we can remove or restrict rights on hMainProcess, but it'll just
>> make exploit a bit harder.
>> for example, process A may need to open some sensitive file he has
>> access to, and process B will be able to duplicate it.
>> Or i'll wait till some process calls fork(), and duplicate child's handle
>> it's got from CreateProcess()

CV> Uhm, ok, but from my point of view it's an academic problem.
CV> The PROCESS_DUP_HANDLE permission on a process handle does _not_
CV> open up the other handles of a process if the access rights of
CV> these handles are set using appropriate values.

not academic, but rather practical. unfortunately. here's the
demonstration.

CV> For example process A has a handle H with ALL_ACCESS for the user
CV> of A and with R/O for the world. Giving it's process handle to
CV> process B of another user doesn't allow suddenly R/W access to
CV> process B. The user of B doesn't have that permission. So he's
CV> stuck at that point. It's in the responsibility of process A not
CV> to open up it's resources to others.

gcc -o /tmp/t.exe t.c

from admin account:
$ echo "secret info" > /tmp/secret
$ chmod 600 /tmp/secret

from normal user account start /tmp/t.exe
it'll print 'slave pid=<some pid>'
and blocks waiting for input.

then switch to admin account and run '/tmp/t.exe <slave_pid>'
it'll print 'master handle=<handle1> object handle=<handle2>'

switch back to client account and input <handle1> and <handle2>
values.

now look what /tmp/secret contains.

Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19

t.c


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]