lovekurdt / google-security-research

Automatically exported from code.google.com/p/google-security-research

Truecrypt 7 Derived Code/Windows: Incorrect Impersonation Token Handling EoP #537

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Truecrypt 7 Derived Code/Windows: Incorrect Impersonation Token Handling EoP
Platform: Windows
Class: Local Elevation of Privilege

Summary:
The Windows driver used by projects derived from Truecrypt 7 (verified in 
Veracrypt and CipherShed) is vulnerable to a local elevation of privilege 
attack by checking process of impersonation token, which allows a user to inspect 
and potentially manipulate other users' mounted encrypted volumes on the same 
machine.

Description:

The methods IsVolumeAccessibleByCurrentUser and MountDevice in Ntdriver.c use 
the SeCaptureSubjectContext to get the current user security context for the 
caller. They then use the SeQuerySubjectContextToken macro to extract the 
current active token, either the primary or impersonation token. In the 
impersonation token case no checks are made on the current impersonation level, 
this means one user could impersonate a user at SecurityIdentify level and 
pretend to be another leading to a security bypass. I think the only thing this 
gives an attacker would be to unmount other users volumes or inspect their 
configuration.

Note I don’t believe this is really a serious issue, as if you’re mounting 
encrypted volumes on a shared machine and leaving them mounted I think you’ve 
got other problems. Still, I believe it’s an easy change to fix it, if anything 
for consistency. Also, this wasn’t reported in the iSec Partners security 
review, so it’s not a missed fix.

Fixing the Issue:
My personal recommendation would be to only ever use the primary token when 
determining the user information. Either by referencing 
SECURITY_SUBJECT_CONTEXT::PrimaryToken or calling PsReferencePrimaryToken. Of 
course, if impersonation must be supported, then when using an impersonation 
token verify that subContext->ImpersonationLevel is greater than or equal to 
SecurityImpersonation and either fall back to the primary token or return 
STATUS_ACCESS_DENIED. For example:

SECURITY_SUBJECT_CONTEXT subContext;
PACCESS_TOKEN accessToken;

SeCaptureSubjectContext (&subContext);
/* Trust an impersonation token only at SecurityImpersonation or above;
   otherwise use the caller's own primary token. */
if (subContext.ClientToken && subContext.ImpersonationLevel >= 
SecurityImpersonation)
  accessToken = subContext.ClientToken;
else
  accessToken = subContext.PrimaryToken;
/* accessToken stays valid until SeReleaseSubjectContext (&subContext). */

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 18 Sep 2015 at 9:33
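The report above describes two things: how the driver picks the token it uses to identify the caller (the impersonation token whenever one is present, at any level), and the level check that closes the gap. The following is an added user-mode model of both behaviours, written for this page; it is not the Truecrypt, Veracrypt or CipherShed driver code and does not use ntddk.h. The MODEL_TOKEN and MODEL_SUBJECT_CONTEXT structs, the volume_accessible() helper and the SIDs are constructed stand-ins for the real ACCESS_TOKEN, SECURITY_SUBJECT_CONTEXT, IsVolumeAccessibleByCurrentUser and user SIDs, so the check can be exercised on any platform. The impersonation level values mirror the Windows SECURITY_IMPERSONATION_LEVEL enumeration.

```c
/* Added example: user-mode model of the token selection described in the
 * report. Not driver code; all types and SIDs below are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Mirrors the Windows SECURITY_IMPERSONATION_LEVEL enumeration values. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,
    SecurityImpersonation  = 2,
    SecurityDelegation     = 3
} SECURITY_IMPERSONATION_LEVEL;

/* Constructed stand-in for an access token: only the user SID matters here. */
typedef struct {
    const char *UserSid;
} MODEL_TOKEN;

/* Constructed stand-in for SECURITY_SUBJECT_CONTEXT. */
typedef struct {
    MODEL_TOKEN *ClientToken;                  /* impersonation token, NULL if none */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    MODEL_TOKEN *PrimaryToken;                 /* the calling process's own token */
} MODEL_SUBJECT_CONTEXT;

/* Selection as the report describes the SeQuerySubjectContextToken macro:
 * the impersonation token wins whenever one is present, at any level. */
static MODEL_TOKEN *token_as_reported(const MODEL_SUBJECT_CONTEXT *ctx)
{
    return ctx->ClientToken ? ctx->ClientToken : ctx->PrimaryToken;
}

/* Selection with the fix suggested in the report: honour the impersonation
 * token only at SecurityImpersonation or above, else use the primary token. */
static MODEL_TOKEN *token_with_level_check(const MODEL_SUBJECT_CONTEXT *ctx)
{
    if (ctx->ClientToken && ctx->ImpersonationLevel >= SecurityImpersonation)
        return ctx->ClientToken;
    return ctx->PrimaryToken;
}

/* Model of an IsVolumeAccessibleByCurrentUser-style check: the volume is
 * accessible when the selected token's user matches the SID recorded at
 * mount time. 'select' is whichever token selection policy is under test. */
static int volume_accessible(const MODEL_SUBJECT_CONTEXT *ctx,
                             const char *volume_owner_sid,
                             MODEL_TOKEN *(*select)(const MODEL_SUBJECT_CONTEXT *))
{
    const MODEL_TOKEN *t = select(ctx);
    return t != NULL && strcmp(t->UserSid, volume_owner_sid) == 0;
}

/* Scenario from the report: user B mounted a volume; user A's thread carries
 * an identification-level token for B. Returns 1 when the as-reported policy
 * grants access and the level-checked policy denies it. */
int demo_identification_level_bypass(void)
{
    MODEL_TOKEN user_a = { "S-1-5-21-EXAMPLE-1001" };   /* constructed SID */
    MODEL_TOKEN user_b = { "S-1-5-21-EXAMPLE-1002" };   /* constructed SID */
    MODEL_SUBJECT_CONTEXT ctx = { &user_b, SecurityIdentification, &user_a };

    int reported = volume_accessible(&ctx, user_b.UserSid, token_as_reported);
    int checked  = volume_accessible(&ctx, user_b.UserSid, token_with_level_check);
    return reported == 1 && checked == 0;
}

/* Genuine impersonation (a service acting for B at SecurityImpersonation)
 * is still honoured by the level-checked policy. */
int demo_legitimate_impersonation(void)
{
    MODEL_TOKEN svc    = { "S-1-5-21-EXAMPLE-2000" };   /* constructed SID */
    MODEL_TOKEN user_b = { "S-1-5-21-EXAMPLE-1002" };   /* constructed SID */
    MODEL_SUBJECT_CONTEXT ctx = { &user_b, SecurityImpersonation, &svc };
    return volume_accessible(&ctx, user_b.UserSid, token_with_level_check);
}

/* No impersonation at all: both policies fall through to the primary token. */
int demo_no_impersonation(void)
{
    MODEL_TOKEN user_b = { "S-1-5-21-EXAMPLE-1002" };   /* constructed SID */
    MODEL_SUBJECT_CONTEXT ctx = { NULL, SecurityAnonymous, &user_b };
    return volume_accessible(&ctx, user_b.UserSid, token_as_reported)
        && volume_accessible(&ctx, user_b.UserSid, token_with_level_check);
}

int main(void)
{
    printf("identification-level token rejected by check: %s\n",
           demo_identification_level_bypass() ? "yes" : "no");
    printf("impersonation-level token still accepted:     %s\n",
           demo_legitimate_impersonation() ? "yes" : "no");
    printf("primary token used when not impersonating:    %s\n",
           demo_no_impersonation() ? "yes" : "no");
    return 0;
}
```

The point the model makes visible is that the level check is not about whether a ClientToken exists but about how much authority the impersonated user delegated: an identification-level token exists only so a server can learn who the client is, so treating it as the caller's identity for an access decision is what turns it into a bypass.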

GoogleCodeExporter commented 8 years ago
Fixed in Veracrypt 1.15, see 
https://veracrypt.codeplex.com/wikipage?title=Release%20Notes

Original comment by fors...@google.com on 26 Sep 2015 at 9:51

GoogleCodeExporter commented 8 years ago
Remove view restrictions

Original comment by fors...@google.com on 3 Oct 2015 at 4:52