GetSystem() leaks token handle to CSRSS' token.
JohnLaTwC opened this issue · comments
John Lambert commented
GetSystem
leaks token handle to CSRSS' token. The code should add a CloseHandle (hToken)
before returning.
// Impersonate CSRSS, which runs as SYSTEM
bool GetSystem()
{
HANDLE hToken = NULL;
HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
CsrGetProcessId_t pCsrGetProcessId = (CsrGetProcessId_t)GetProcAddress(hNtdll, "CsrGetProcessId");
HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pCsrGetProcessId());
! if (OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_DUPLICATE, &hToken)) <<< acquiring hToken
{
CloseHandle(hProcess);
! return ImpersonateLoggedOnUser(hToken); <<< return path fails to close hToken
}
Log(Error, "Failed to open CSRSS's token");
CloseHandle(hProcess);
return false;
}
Line 75 in ba4798a
Gabriel Landau commented
Thanks. Fixed in da270ab