VeraCrypt
aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2015-09-21 17:09:26 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2015-09-26 17:44:00 +0200
commitb7f9df6e4f09ba342fdbbadc63af5062cc57eaf2 (patch)
tree442efda966796d1dc32ad01ee74bd255ae041094
parentfda4d3f8200145cfbe57d3809a7e0898a4669320 (diff)
downloadVeraCrypt-b7f9df6e4f09ba342fdbbadc63af5062cc57eaf2.tar.gz
VeraCrypt-b7f9df6e4f09ba342fdbbadc63af5062cc57eaf2.zip
Windows Driver: Fix inherited TrueCrypt local elevation of privilege vulnerability caused by incorrect impersonation token handling. Reported and fixed by James Forshaw (Google)
-rw-r--r--src/Driver/Ntdriver.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index 845aec6f..8c33a89c 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -2665,5 +2665,8 @@ NTSTATUS MountDevice (PDEVICE_OBJECT DeviceObject, MOUNT_STRUCT *mount)
SeCaptureSubjectContext (&subContext);
SeLockSubjectContext(&subContext);
- accessToken = SeQuerySubjectContextToken (&subContext);
+ if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
+ accessToken = subContext.ClientToken;
+ else
+ accessToken = subContext.PrimaryToken;
if (!accessToken)
@@ -3404,5 +3407,9 @@ BOOL IsVolumeAccessibleByCurrentUser (PEXTENSION volumeDeviceExtension)
SeCaptureSubjectContext (&subContext);
- accessToken = SeQuerySubjectContextToken (&subContext);
+ SeLockSubjectContext(&subContext);
+ if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
+ accessToken = subContext.ClientToken;
+ else
+ accessToken = subContext.PrimaryToken;
if (!accessToken)
@@ -3422,4 +3429,5 @@ BOOL IsVolumeAccessibleByCurrentUser (PEXTENSION volumeDeviceExtension)
ret:
+ SeUnlockSubjectContext(&subContext);
SeReleaseSubjectContext (&subContext);
return result;