Truecrypt 7 Derived Code/Windows: Incorrect Impersonation Token Handling EoP [42452041]

Fixed

Bug

Status Update

No update yet.

Description

fo...@google.com

created issue #1

Sep 18, 2015 09:33AM

Truecrypt 7 Derived Code/Windows: Incorrect Impersonation Token Handling EoP
Platform: Windows
Class: Local Elevation of Privilege

Summary:
The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) are vulnerable to a local elevation of privilege attack by checking process of impersonation token which allow a user to inspect and potentially manipulate other users mounted encrypted volumes on the same machine.

Description:

The methods IsVolumeAccessibleByCurrentUser and MountDevice in Ntdriver.c use the SeCaptureSubjectContext to get the current user security context for the caller. They then use the SeQuerySubjectContextToken macro to extract the current active token, either the primary or impersonation token. In the impersonation token case no checks are made on the current impersonation level, this means one user could impersonate a user at SecurityIdentify level and pretend to be another leading to a security bypass. I think the only thing this gives an attacker would be to unmount other users volumes or inspect their configuration.

Note I don’t believe this is really a serious issue as if you’re mounting encrypted volumes on shared machine and leaving them mounted I think you’ve got other problems. Still I believe it’s an easy change to fix it if anything for consistency. Also this wasn’t reported in the iSec Partners security review so it’s not an missed fix.

Fixing the Issue:
My personal recommendation would be to only ever use the primary token when determining the user information. Either by referencing SECURITY_SUBJECT_CONTEXT::PrimaryToken or calling PsReferencePrimaryToken. Of course if impersonation must be supported then when using an impersonation token verify that subContext->ImpersonationLevel is greater or equal to SecurityImpersonation and either fall back to the primary token or return STATUS_ACCESS_DENIED. For example:

SeCaptureSubjectContext (&subContext);
if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
accessToken = subContext->ClientToken;
else
accessToken = subContext->PrimaryToken;

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Comments

fo...@google.com <fo...@google.com> #2Sep 26, 2015 09:51PM

Fixed in Veracrypt 1.15, see

https://veracrypt.codeplex.com/wikipage?title=Release%20Notes

fo...@google.com <fo...@google.com> #3Oct 3, 2015 04:52PM

Marked as fixed.

Remove view restrictions

ja...@gmail.com <ja...@gmail.com> #4Oct 7, 2015 10:17AM

In the future it would be nice to contact us (security@ciphershed.org). We had to find out from third parties.

bo...@gmail.com <bo...@gmail.com> #5Nov 24, 2015 07:06PM

Thank you for the information brother, the code or program for what brother?

https://www.bestautocars.xyz/

ar...@gmail.com <ar...@gmail.com> #6Feb 5, 2016 01:57PM

[Comment Deleted]

is...@google.com <is...@google.com> #7Feb 5, 2016 01:57PM

This issue was migrated from

crbug.com/project-zero/537?no_tracker_redirect=1

[Auto-CCs applied]

Issue 42452041