Mailing-List:	contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe:	<mailto:cygwin-developers-subscribe AT sources DOT redhat DOT com>
List-Archive:	<http://sources.redhat.com/ml/cygwin-developers/>
List-Post:	<mailto:cygwin-developers AT sources DOT redhat DOT com>
List-Help:	<mailto:cygwin-developers-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender:	cygwin-developers-owner AT sources DOT redhat DOT com
Delivered-To:	mailing list cygwin-developers AT sources DOT redhat DOT com
Date:	Wed, 18 Apr 2001 15:55:52 +0200
From:	Corinna Vinschen <vinschen AT redhat DOT com>
To:	cygdev <cygwin-developers AT cygwin DOT com>
Subject:	Re: handle protection - please comment
Message-ID:	<20010418155552.S15962@cygbert.vinschen.de>
Reply-To:	Corinna Vinschen <cygwin-developers AT cygwin DOT com>
Mail-Followup-To:	cygdev <cygwin-developers AT cygwin DOT com>
References:	<EA18B9FA0FE4194AA2B4CDB91F73C0EF79C2 AT itdomain002 DOT itdomain DOT net DOT au> <20010418120530 DOT Q15962 AT cygbert DOT vinschen DOT de> <00a401c0c7f0$02bb1f30$0200a8c0 AT lifelesswks> <13327115627 DOT 20010418144700 AT logos-m DOT ru>
Mime-Version:	1.0
User-Agent:	Mutt/1.2.5i
In-Reply-To:	<13327115627.20010418144700@logos-m.ru>; from deo@logos-m.ru on Wed, Apr 18, 2001 at 02:47:00PM +0400

On Wed, Apr 18, 2001 at 02:47:00PM +0400, egor duda wrote:
> Hi!
> 
> Wednesday, 18 April, 2001 Robert Collins robert DOT collins AT itdomain DOT com DOT au wrote:
> 
> RC> The thing egor as talking about was child process's needing to read the
> RC> parents open handles, and that programs than setuid are apparently
> RC> setting the perms to everyone, all to allow the child process with it's
> RC> different uid to read the handles. He was proposing a server model,
> RC> which I don't like because
> RC> a) it adds complexity and overhead
> RC> b) I don't believe _we_ should be doing the access checking, we should
> RC> be passing that back to NT to do.
> 
> i can't see how you can avoid server model. Here's my rationale:
> 
> 1. process A which opens tty (not necessary child, it can be any
> unrelated process, which opens, say, /dev/tty0) have to obtain handle
> of tty pipes.
> 2. Only way to obtain this pipe handles under win32 is to call
> DuplicateHandle() from address space of process B, which is master for
> tty0
> 3. To call DuplicateHandle () we must have handle of process B. Having
> this handle we can ReadProcessMamory() and WriteProcessMemory() to the
> address space of process A.
> 4. Even if we restrict hProcessB to allow only handle duplication, but
> denying READ_VM and WRITE_VM, it wont help much. Malicious attacker
> can run this code:
>   for (void* h = 0; ; h += 4)
>     {
>       h1 = duplicate_handle_from_process_b (h);
>       if (ReadProcessMemory (h1, 0x61000000, buffer, 4096, &bytes_transfeered))
>         {
>           printf ("Hooray! Got it at %p", h);
>           do_bad_things ();
>           break;
>         }
>     }
> to scan process' B handles in hope to find hMainProcess handle. And i
> bet it won't take long to find it.

Maybe I'm somewhat slow but isn't the situation exactly the other way
around?

Process A needs a handle to a thing T which is owned by process B.
To get the handle, the owner B needs to get the process handle of
A to duplicate the handle and return it to A. So if A is the attacker
it has no chance to undergo the permissions of B since it never
sees the process handle of B. OTOH, if B is a malicious server, it
has no chance to use ReadProcessMemory() if A gives B the own process
handle with only PROCESS_DUP_HANDLE access.

What is the problem here?
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

- Raw text -