From 4a215c2ddbb3a960c28f9f5a79e3d7ad8de77496 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI
Date: Thu, 5 Dec 2019 13:27:13 +0100
Subject: Windows: Modify memory process protection when running with admin privileges to allow calling functions needed for CVE-2019-19501 fix while still protecting against memory access by non-admin processes.
---
 src/Common/Dlgcode.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
index 39db3936..47578b27 100644
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -14017,6 +14017,17 @@ BOOL EnableProcessProtection()
 PACL pACL = NULL;
 DWORD cbACL = 0;
+ // Acces mask
+ DWORD dwAccessMask = SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE; // same as protected process
+
+ if (IsAdmin ())
+ {
+ // if we are running elevated, we allow CreateProcessXXX calls alongside PROCESS_DUP_HANDLE and PROCESS_QUERY_INFORMATION in order to be able
+ // to implement secure way to open URLs (cf RunAsDesktopUser)
+ // we are still protecting against memory access from non-admon processes
+ dwAccessMask |= PROCESS_CREATE_PROCESS | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION;
+ }
+
 // Open the access token associated with the calling process
 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
 goto Cleanup;
@@ -14055,7 +14066,7 @@ BOOL EnableProcessProtection()
 if (!AddAccessAllowedAce(
 pACL,
 ACL_REVISION,
- SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, // same as protected process
+ dwAccessMask,
 pTokenUser->User.Sid // pointer to the trustee's SID
 )) {
 goto Cleanup;
-- cgit v1.2.3
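Review bot: The widened mask in the `if (IsAdmin ())` branch grants `PROCESS_DUP_HANDLE` and `PROCESS_CREATE_PROCESS` to the same user SID that the ACE in the second hunk is built for, so the comment's claim that memory access by non-admin processes is still blocked is no longer enforced by this DACL on its own. `PROCESS_DUP_HANDLE` is generally treated as close to full access to a process, so the separation from non-elevated processes of the same user presumably rests on the mandatory integrity label of the elevated process. The comment should say so, e.g. `// PROCESS_DUP_HANDLE is near-equivalent to full access for any caller this ACE admits; isolation from non-elevated same-user processes relies on the integrity label (no-write-up), not on this DACL`. `IsAdmin` is defined outside the hunk, so it is worth confirming that it reports an elevated token rather than mere group membership, since otherwise the wider mask would also apply to a medium-integrity process. The second hunk (the `AddAccessAllowedAce` call) only consumes `dwAccessMask`, and the body of `EnableProcessProtection` starts and ends outside both hunks.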