Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix potential security issue #34

Merged
merged 4 commits into from
Apr 16, 2024
Merged

Fix potential security issue #34

merged 4 commits into from
Apr 16, 2024

Conversation

oberrich
Copy link
Contributor

@DoumanAsh
Copy link
Owner

Sorry, I understand there is bug in chromium, but is there reference to MS documentation indicating that CloseClipboard() has such security problem?

@oberrich
Copy link
Contributor Author

oberrich commented Apr 16, 2024
edited
Loading

Sorry, I understand there is bug in chromium, but is there reference to MS documentation indicating that CloseClipboard() has such security problem?

https://www.exploit-db.com/exploits/38199 (This also contains a PoC)
https://learn.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-097
https://www.cve.org/CVERecord?id=CVE-2015-2511 (I guess)

@DoumanAsh
Copy link
Owner

Thank you, I will read it later this evening to confirm impact

@oberrich
Copy link
Contributor Author

oberrich commented Apr 16, 2024
edited
Loading

Thank you, I will read it later this evening to confirm impact

This should only affect users who use clipboard-win from a system process. Rough tl;dr as I understand it: The windows kernel potentially leaks a token when you close clipboard from system process without first impersonating the system's anonymous logon token (ImpersonateAnonymousToken). Leaked token can be obtained via NtUserGetClipboardAccessToken syscall.

@DoumanAsh
Copy link
Owner

From my understanding this is problem only for any elevated processes actually.
I wonder if this should be checked only for these?

I could implement one time check using CheckTokenMembership whether process is running with admin privileges
Although I wonder if it is worth to do

@DoumanAsh
Copy link
Owner

@oberrich I made small correction to PR fd26c59

Note that _ drops object immediately so if you want to RevertSelf correctly you should have actual binding

@oberrich
Copy link
Contributor Author

oberrich commented Apr 16, 2024
edited
Loading

I could implement one time check using CheckTokenMembership whether process is running with admin privileges Although I wonder if it is worth to do

Highly doubtful, performance difference is probably negligible and this would be premature optimization. This operation is safe to be called unconditionally as Chromium implements this identically in C++.

Good catch with the drop! I’m new to rust and forgot about that 😅

@DoumanAsh DoumanAsh merged commit 9894a70 into DoumanAsh:master Apr 16, 2024
1 check passed
@DoumanAsh
Copy link
Owner

Anyway thanks for PR

I released 5.3.1 which includes this PR

@oberrich oberrich deleted the patch-1 branch April 16, 2024 12:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@oberrich @DoumanAsh