From 4a215c2ddbb3a960c28f9f5a79e3d7ad8de77496 Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Thu, 5 Dec 2019 13:27:13 +0100 Subject: Windows: Modify memory process protection when running with admin privileges to allow calling functions needed for CVE-2019-19501 fix while still protecting against memory access by non-admin processes. --- src/Common/Dlgcode.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'src/Common') diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c index 39db3936..47578b27 100644 --- a/src/Common/Dlgcode.c +++ b/src/Common/Dlgcode.c @@ -14017,6 +14017,17 @@ BOOL EnableProcessProtection() PACL pACL = NULL; DWORD cbACL = 0; + // Acces mask + DWORD dwAccessMask = SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE; // same as protected process + + if (IsAdmin ()) + { + // if we are running elevated, we allow CreateProcessXXX calls alongside PROCESS_DUP_HANDLE and PROCESS_QUERY_INFORMATION in order to be able + // to implement secure way to open URLs (cf RunAsDesktopUser) + // we are still protecting against memory access from non-admon processes + dwAccessMask |= PROCESS_CREATE_PROCESS | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION; + } + // Open the access token associated with the calling process if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { goto Cleanup; @@ -14055,7 +14066,7 @@ BOOL EnableProcessProtection() if (!AddAccessAllowedAce( pACL, ACL_REVISION, - SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, // same as protected process + dwAccessMask, pTokenUser->User.Sid // pointer to the trustee's SID )) { goto Cleanup; -- cgit v1.2.3