author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2015-09-21 17:09:26 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2015-09-26 17:44:00 +0200 |
commit | b7f9df6e4f09ba342fdbbadc63af5062cc57eaf2 (patch) | |
tree | 442efda966796d1dc32ad01ee74bd255ae041094 | |
parent | fda4d3f8200145cfbe57d3809a7e0898a4669320 (diff) | |
download | VeraCrypt-b7f9df6e4f09ba342fdbbadc63af5062cc57eaf2.tar.gz VeraCrypt-b7f9df6e4f09ba342fdbbadc63af5062cc57eaf2.zip |
Windows Driver: Fix inherited TrueCrypt local elevation of privilege vulnerability caused by incorrect impersonation token handling. Reported and fixed by James Forshaw (Google)
-rw-r--r-- | src/Driver/Ntdriver.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index 845aec6f..8c33a89c 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -2665,5 +2665,8 @@ NTSTATUS MountDevice (PDEVICE_OBJECT DeviceObject, MOUNT_STRUCT *mount)
 SeCaptureSubjectContext (&subContext);
SeLockSubjectContext(&subContext);
- accessToken = SeQuerySubjectContextToken (&subContext);
+ if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
+ accessToken = subContext.ClientToken;
+ else
+ accessToken = subContext.PrimaryToken;
if (!accessToken)
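Review bot: The token selection added in MountDevice has no comment explaining why `SeQuerySubjectContextToken` was dropped, and the same four lines are repeated in IsVolumeAccessibleByCurrentUser further down. That macro returns the client token whenever one is present without looking at `ImpersonationLevel`, so a later clean-up could easily restore it and bring back the elevation-of-privilege issue named in the commit message. I would add above the `if` a comment such as `/* Trust the client token only at SecurityImpersonation or above, otherwise use the primary token; do not replace with SeQuerySubjectContextToken, which ignores the impersonation level. */`. It would also help to move the selection into one `static` helper called from both sites while the subject context is locked. MountDevice's body starts and ends outside this hunk.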
@@ -3404,5 +3407,9 @@ BOOL IsVolumeAccessibleByCurrentUser (PEXTENSION volumeDeviceExtension)
 SeCaptureSubjectContext (&subContext);
- accessToken = SeQuerySubjectContextToken (&subContext);
+ SeLockSubjectContext(&subContext);
+ if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
+ accessToken = subContext.ClientToken;
+ else
+ accessToken = subContext.PrimaryToken;
if (!accessToken)
@@ -3422,4 +3429,5 @@ BOOL IsVolumeAccessibleByCurrentUser (PEXTENSION volumeDeviceExtension)
 ret:
+ SeUnlockSubjectContext(&subContext);
SeReleaseSubjectContext (&subContext);
return result;
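Review bot: The `SeUnlockSubjectContext` added at `ret:` balances the new `SeLockSubjectContext` only if every exit from IsVolumeAccessibleByCurrentUser after the lock goes through this label. The lines between the lock and `ret:` are outside the hunks, so that should be confirmed against the full function. A plain `return` in that stretch would leave the subject context locked and unreleased. A short comment at the label, for example `/* every exit after SeLockSubjectContext must come through here */`, would keep the pairing visible to later editors.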
|