Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-11-11 19:08:26 -06:00
Code Activity

Windows Driver: Fix inherited TrueCrypt local elevation of privilege vulnerability caused by incorrect impersonation token handling. Reported and fixed by James Forshaw (Google)

Browse Source
This commit is contained in:
Mounir IDRASSI
2015-09-21 17:09:26 +02:00
parent fda4d3f820
commit b7f9df6e4f
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/Driver/Ntdriver.c
View File

@@ -2664,7 +2664,10 @@ NTSTATUS MountDevice (PDEVICE_OBJECT DeviceObject, MOUNT_STRUCT *mount)
SeCaptureSubjectContext (&subContext); SeCaptureSubjectContext (&subContext);
SeLockSubjectContext(&subContext); SeLockSubjectContext(&subContext);
accessToken = SeQuerySubjectContextToken (&subContext); if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
accessToken = subContext.ClientToken;
else
accessToken = subContext.PrimaryToken;
if (!accessToken) if (!accessToken)
{ {
@@ -3403,7 +3406,11 @@ BOOL IsVolumeAccessibleByCurrentUser (PEXTENSION volumeDeviceExtension)
} }
SeCaptureSubjectContext (&subContext); SeCaptureSubjectContext (&subContext);
accessToken = SeQuerySubjectContextToken (&subContext); SeLockSubjectContext(&subContext);
if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
accessToken = subContext.ClientToken;
else
accessToken = subContext.PrimaryToken;
if (!accessToken) if (!accessToken)
goto ret; goto ret;
@@ -3421,6 +3428,7 @@ BOOL IsVolumeAccessibleByCurrentUser (PEXTENSION volumeDeviceExtension)
ExFreePool (tokenUser); // Documented in newer versions of WDK ExFreePool (tokenUser); // Documented in newer versions of WDK
ret: ret:
SeUnlockSubjectContext(&subContext);
SeReleaseSubjectContext (&subContext); SeReleaseSubjectContext (&subContext);
return result; return result;
} }