CPP: Windows leaked handles

[bananabr]

Query PR

github/codeql#16618

Language

C/C++

CVE(s) ID list

• CVE-2016-0099

CWE

CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

Report

What is the vulnerability?
The vulnerability is the potential leakage of a privileged handle to a child process through the CreateProcessAsUser call with handle inheritance enabled.

How does the vulnerability work?
If a handle to a process, thread, or file is opened with specific permissions and not properly closed before creating a new process with handle inheritance enabled, the handle may be inherited by the child process, leading to possible privilege escalation.

What strategy do you use in your query to find the vulnerability?
The query identifies calls to CreateProcessAsUser with handle inheritance enabled that are preceded by handle opening calls (such as OpenProcess, OpenThread, or CreateFile) with specific permissions and checks if these handles are not closed before the CreateProcessAsUser call.

How have you reduced the number of false positives?
The query limits itself to a single function scope, simplifying its implementation and using the code line numbers to check for the order the target calls hapen.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• Yes
• No

Blog post link

No response

[sylwia-budzynska]

Hi @bananabr 👋

For the query to go forward in the triaging process, we would need a few things updated:

• your query should be able to detect a CVE. The CVE that you noted is in a closed source product and we can't test that your query finds this specific CVE. Could you find a CVE that your query would be able to find and provide a CodeQL database with the CVE present?
• the query should be able to detect new true positive vulnerabilities. I ran a MRVA run with the MRVA top 1000 list and our internal list using this query, but the query didn't find any new vulnerabilities. It could be that the vulnerability is not that popular or that the query itself could be improved. Could you provide a list of projects, in which this query finds new vulnerabilities? Or improve the query in another way?
• Like you said, the solution with checking if “handle opening call” (OpenProcess, OpenThread, or CreateFile) is called before CreateProcessAsUser call by looking at the line numbers, which limits the detection to a single function scope - we generally do not want to limit vulnerabilities to a single function scope in CodeQL and prefer not to use line numbers for comparison. You may be able to improve it by using the control flow graph layer of CodeQL.

Unfortunately in the current state the query does not fulfill the requirements (see especially rule 4) and is not eligible for a reward under the Bug Bounty program.

Let me know what you decide!

[ghsecuritylab]

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[bananabr]

Hey @sylwia-budzynska,

I understand your point. This is indeed a Window-specific problem and I don't think many widely-used open-source projects would be vulnerable. Microsoft has fallen victim to this error time and time again though, so it might still be useful internally for you guys.

It's ok if I don't get a bounty this time, just thought it was a good idea for a query ;)

Cheers,

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Thanks for the submission!

We have reviewed your report and validated your findings. As we noted earlier, this submission does not fulfill the criteria to be included into the CodeQL query suites and is not eligible for a reward under the Bug Bounty program.

However, we find this query is a good candidate for the CodeQL-Community-Packs. We invite you to submit this query as pull request to the CodeQL-Community-Packs repo (into the folder cpp/src/security/CWE-403). We think this contribution will be valuable for the community and we’d still like to offer you a $500 “thank you” reward.

Best regards and happy hacking!

[xcorail]

Created Hackerone report 2537457 for bounty 584568 : [827] CPP: Windows leaked handles

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[bananabr]

@xcorail,

Could you please make the report author in hackerone vovohelo. That is my hackerone account.

Thank you!

[xcorail]

Hey. Sorry I was off.
Let me see what I can do.
I guess your email is « vovohelo@wearehackerone.com »?

[bananabr]

yes

[bananabr]

It's the same case as in #816.

[xcorail]

Can you please check now? H1 sent you an email to claim the bounty