Safely Impersonating Another User

re: Safely Impersonating Another User

Maheshwar Jayaraman — Wed, 23 Mar 2005 03:06:00 GMT

I may be missing something here...
Wont the finally be called even when there was an exception and so the
impersonationContext.Undo(); will be called twice in case of an exception!

re: Safely Impersonating Another User

Nicole Calinoiu — Wed, 23 Mar 2005 11:24:00 GMT

Isn't it a wee bit late in the game to be considering this sort of thing to be a _subtle_ security hole? Allowing any caller code to run in the impersonation context strikes me as a severe security hole, with potential subtlety being a matter of discoverability only. For example, if DoSomeWorkWhileImpersonating() were to use a previously assigned delegate, that might be considered subtle, but only in the sense of "not immediately obvious to a reviewer of the code". Failure to implement a reversion pattern that accounts for potential exceptions is not particularly difficult to discover by either well-intentioned or malign examiners of one's code, and it's often relatively easy to exploit as well...

re: Safely Impersonating Another User

Shawn — Wed, 23 Mar 2005 15:37:00 GMT

Good catch Maheshwar -- that could would indeed double undo, and even more importantly double CloseHandle. I've updated it to solve the problem.

-Shawn

re: Safely Impersonating Another User

Shawn — Wed, 23 Mar 2005 15:32:00 GMT

Nicole,

This is a very severe hole. You're right, the subtlety I was referring to was the ability for a code reviewer to find the hole, or the initial programmer to know it was there in the first place. Obviously its a problem if you're using managed code or not, but I think it becomes a bit more of an issue in managed langauges since we get so used to security state being tied to the stack frame, and thus being safe from situations like this.

The double-subtlety here is that you can get bitten by first-chance exception handling, which is something a lot of people who are C# only developers would tend to not think about either.

-Shawn

Safe Impersonation With Whidbey

.Net Security Blog — Fri, 25 Mar 2005 00:14:00 GMT

Safe Impersonation With Whidbey

.Net Security Blog — Fri, 25 Mar 2005 00:16:00 GMT

More on First Pass Exception Issues

.Net Security Blog — Thu, 31 Mar 2005 23:43:00 GMT

Windows Impersonation in ASP.NET

Pierre Greborio.NET — Sun, 10 Apr 2005 11:58:29 GMT

Re: Windows Impersonation in ASP.NET

Daniel Fisher(lennybacon) on C# and .Net from Wuppertal — Mon, 20 Jun 2005 09:52:12 GMT

Re: Windows Impersonation in ASP.NET

Daniel Fisher(lennybacon) on C# and .Net from Wuppertal — Mon, 20 Jun 2005 09:52:14 GMT

Re: Windows Impersonation in ASP.NET

Daniel Fisher(lennybacon) on C# and .Net from Wuppertal — Mon, 20 Jun 2005 09:53:45 GMT

Re: Windows Impersonation in ASP.NET

Daniel Fisher(lennybacon) on C# and .Net from Wuppertal — Mon, 20 Jun 2005 09:53:49 GMT

So, What Was Wrong with That Code Anyway?

K. Scott Allen — Thu, 07 Dec 2006 06:07:14 GMT

WWWTC #9 ranks 10 out of 10 on the "difficult and subtle" scale. Let's say we write the following...

So, What Was Wrong with That Code Anyway?

Mirror blog entries from the industry — Thu, 07 Dec 2006 07:10:03 GMT

WWWTC #9 ranks 10 out of 10 on the "difficult and subtle" scale. Let's say we write the following code

re: Safely Impersonating Another User

Hafthor — Thu, 08 Feb 2007 20:28:27 GMT

Regarding IDisposable wrapping WindowsImpersonationContext -- Dispose method on WindowsImpersonationContext already calls Undo().

// Declaring Type: System.Security.Principal.WindowsImpersonationContext

// Assembly: mscorlib, Version=2.0.0.0

[ComVisible(false)]

public void Dispose()

{

this.Dispose(true);

}

[ComVisible(false)]

protected virtual void Dispose(bool disposing)

{

if ((disposing && (this.m_safeTokenHandle != null)) && !this.m_safeTokenHandle.IsClosed)

{

this.Undo();

this.m_safeTokenHandle.Dispose();

}

so couldn't you do

try

{

// Begin impersonating the user, relying on Dispose to call Undo

using(WindowsImpersonationContext impersonationContext = WindowsIdentity.Impersonate(userHandle.Token))

{

DoSomeWorkWhileImpersonating();

}

catch // end search for qualifying exception handler to prevent exception filter exploit

{

throw;

}

re: Safely Impersonating Another User

shawnfa — Tue, 20 Feb 2007 22:22:10 GMT

You're right, it does, but the second call isn't hurting anything either and it makes the intention of the code more clear to the reader.

-Shawn

Brian Low » Impersonate User

Brian Low » Impersonate User — Sat, 21 Apr 2007 02:30:18 GMT

PingBack from http://www.brianlow.com/index.php/2007/04/20/impersonate-user/