HANDLE with care

justin December 5th, 2006

I made a very poorly conceived last minute change to the description of object handles on page 632; this mistake can be blamed primarily on a lack of sleep and a broken test environment.  Basically, I wrote that you can use NtQuerySystemInformation() to retrieve unnamed object handles with weak permissions. The truth is that permissions don’t apply when duplicating open handles, which I explained properly elsewhere in the chapter.  The crux of this error is really that I failed to address the PROCESS_DUP_HANDLE permission and how it prevents exactly that attack vector.

Essentially, duplicating handles between processes requires PROCESS_DUP_HANDLE permissions for both the source and destination processes; otherwise the call to DuplicateHandle() will fail with access denied.  This is important to note because having PROCESS_DUP_HANDLE permission for another process allows you to duplicate that process’ pseudo-handle for itself. The resulting handle grants full rights to the target process, including arbitrary manipulation of memory.

In the end, I think we’ve all learned a really valuable lesson about trusting judgment calls when under the influence of deadlines.
