From b7f9df6e4f09ba342fdbbadc63af5062cc57eaf2 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI
Date: Mon, 21 Sep 2015 17:09:26 +0200
Subject: Windows Driver: Fix inherited TrueCrypt local elevation of privilege vulnerability caused by incorrect impersonation token handling. Reported and fixed by James Forshaw (Google)
---
 src/Driver/Ntdriver.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'src/Driver/Ntdriver.c')
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index 845aec6f..8c33a89c 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -2664,7 +2664,10 @@ NTSTATUS MountDevice (PDEVICE_OBJECT DeviceObject, MOUNT_STRUCT *mount)
 	SeCaptureSubjectContext (&subContext);
 	SeLockSubjectContext(&subContext);
 
-	accessToken = SeQuerySubjectContextToken (&subContext);
+	if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
+		accessToken = subContext.ClientToken;
+	else
+		accessToken = subContext.PrimaryToken;
 
 	if (!accessToken)
 	{
@@ -3403,7 +3406,11 @@ BOOL IsVolumeAccessibleByCurrentUser (PEXTENSION volumeDeviceExtension)
 	}
 
 	SeCaptureSubjectContext (&subContext);
-	accessToken = SeQuerySubjectContextToken (&subContext);
+	SeLockSubjectContext(&subContext);
+	if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
+		accessToken = subContext.ClientToken;
+	else
+		accessToken = subContext.PrimaryToken;
 
 	if (!accessToken)
 		goto ret;
@@ -3421,6 +3428,7 @@ BOOL IsVolumeAccessibleByCurrentUser (PEXTENSION volumeDeviceExtension)
 	ExFreePool (tokenUser); // Documented in newer versions of WDK
 
 ret:
+	SeUnlockSubjectContext(&subContext);
 	SeReleaseSubjectContext (&subContext);
 	return result;
 }
--
cgit v1.2.3
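Review bot: The token-selection sequence `if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation) ... else ... PrimaryToken` is now written out verbatim twice, here in MountDevice and again in the IsVolumeAccessibleByCurrentUser hunk, and neither copy says why SeQuerySubjectContextToken was dropped. A small static helper taking the locked subject context, with the rationale in its header comment, would keep both call sites (and any future one) on the same rule. The reason worth recording is that a client token at SecurityIdentification or SecurityAnonymous level does not allow the caller to act as that user, so using it as the subject of the access check would grant the volume on the strength of a token the caller could not otherwise exercise; the primary token is the right fallback. MountDevice's body, including its matching SeUnlockSubjectContext/SeReleaseSubjectContext, lies outside the hunk.
```c
// Token the access check must run against. The client token is honoured only
// when the caller impersonates at SecurityImpersonation or above; identification-
// and anonymous-level tokens do not let the caller act as that user and must not
// stand in for it. Caller must hold SeLockSubjectContext on subContext.
static PACCESS_TOKEN GetEffectiveSubjectToken (PSECURITY_SUBJECT_CONTEXT subContext)
{
	if (subContext->ClientToken && subContext->ImpersonationLevel >= SecurityImpersonation)
		return subContext->ClientToken;
	return subContext->PrimaryToken;
}

/* … in MountDevice and IsVolumeAccessibleByCurrentUser, after SeLockSubjectContext: … */
	accessToken = GetEffectiveSubjectToken (&subContext);
```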
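Review bot: SeLockSubjectContext is now taken immediately after the capture in IsVolumeAccessibleByCurrentUser, and the only unlock is the one added at `ret:` in the third hunk, so every exit between the capture and `ret:` must go through the label rather than a bare `return`; the lines between this hunk and the `ret:` hunk (the token-user lookup and comparison) are not visible here, so that is worth confirming before merge. Because the lock is what makes the direct reads of `ClientToken`/`PrimaryToken` on the following lines valid, the added `SeLockSubjectContext(&subContext);` line should carry a short comment tying the two together, e.g. `// Required before reading ClientToken/PrimaryToken directly; released at ret:`. The `!accessToken` path already reaches `ret:` via goto and is covered.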