Windows: Modify memory process protection when running with admin privileges to allow calling functions needed for CVE-2019-19501 fix while still protecting against memory access by non-admin processes.

This commit is contained in:
Mounir IDRASSI 2019-12-05 13:27:13 +01:00
parent 27d1f404f1
commit 4a215c2ddb
No known key found for this signature in database
GPG Key ID: 02C30AE90FAE4A6F

View File

@ -14017,6 +14017,17 @@ BOOL EnableProcessProtection()
PACL pACL = NULL; PACL pACL = NULL;
DWORD cbACL = 0; DWORD cbACL = 0;
// Acces mask
DWORD dwAccessMask = SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE; // same as protected process
if (IsAdmin ())
{
// if we are running elevated, we allow CreateProcessXXX calls alongside PROCESS_DUP_HANDLE and PROCESS_QUERY_INFORMATION in order to be able
// to implement secure way to open URLs (cf RunAsDesktopUser)
// we are still protecting against memory access from non-admon processes
dwAccessMask |= PROCESS_CREATE_PROCESS | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION;
}
// Open the access token associated with the calling process // Open the access token associated with the calling process
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
goto Cleanup; goto Cleanup;
@ -14055,7 +14066,7 @@ BOOL EnableProcessProtection()
if (!AddAccessAllowedAce( if (!AddAccessAllowedAce(
pACL, pACL,
ACL_REVISION, ACL_REVISION,
SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, // same as protected process dwAccessMask,
pTokenUser->User.Sid // pointer to the trustee's SID pTokenUser->User.Sid // pointer to the trustee's SID
)) { )) {
goto Cleanup; goto Cleanup;