Question about handles when doing impersonation.

Discussion in 'ASP .Net Security' started by Ken Varn, Oct 11, 2005.

  1. Ken Varn

    Ken Varn Guest

    I am using WindowsIdentity.Impersonate() to impersonate using a logon token
    acquired from the Win32 LogonUser account.

    I was wondering if it is safe to close the LogonUser handle passed to the
    WindowsIdentity constructor while the WindowsIdentity object is still in
    use, or does the WindowsIdentity object close it when it is destroyed. I am
    not quite sure what is done behind the scenes by the WindowsIdentity class
    in this respect.





    --
    -----------------------------------
    Ken Varn
    Senior Software Engineer
    Diebold Inc.

    EmailID = varnk
    Domain = Diebold.com
    -----------------------------------
     
    Ken Varn, Oct 11, 2005
    #1
    1. Advertising

  2. Hello Ken,

    internally WindowsIdentity uses the SafeTokenHandle class to close the handle

    the cleanest approach is:

    using (WindowsIdentity id = new WindowsIdentity(token))
    using (WindowsImpersonationContext wic = id.Impersonate())
    {
    try
    {}
    catch
    {
    // in this scenario catching the exception is extemely important - because
    of ExceptionFilter vulnerabilty
    }
    }
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I am using WindowsIdentity.Impersonate() to impersonate using a logon
    > token acquired from the Win32 LogonUser account.
    >
    > I was wondering if it is safe to close the LogonUser handle passed to
    > the WindowsIdentity constructor while the WindowsIdentity object is
    > still in use, or does the WindowsIdentity object close it when it is
    > destroyed. I am not quite sure what is done behind the scenes by the
    > WindowsIdentity class in this respect.
    >
    > EmailID = varnk
    > Domain = Diebold.com
    > -----------------------------------
     
    Dominick Baier [DevelopMentor], Oct 11, 2005
    #2
    1. Advertising

  3. Ken Varn

    Ken Varn Guest

    Does WindowsIdentity duplicate the handle on construction? I am basically
    wondering if I should close the handle that I passed into the
    WindowsIdentity constructor after I create the WindowsIdentity object.

    --
    -----------------------------------
    Ken Varn
    Senior Software Engineer
    Diebold Inc.

    EmailID = varnk
    Domain = Diebold.com
    -----------------------------------
    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Ken,
    >
    > internally WindowsIdentity uses the SafeTokenHandle class to close the

    handle
    >
    > the cleanest approach is:
    >
    > using (WindowsIdentity id = new WindowsIdentity(token))
    > using (WindowsImpersonationContext wic = id.Impersonate())
    > {
    > try
    > {}
    > catch
    > {
    > // in this scenario catching the exception is extemely important -

    because
    > of ExceptionFilter vulnerabilty
    > }
    > }
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > I am using WindowsIdentity.Impersonate() to impersonate using a logon
    > > token acquired from the Win32 LogonUser account.
    > >
    > > I was wondering if it is safe to close the LogonUser handle passed to
    > > the WindowsIdentity constructor while the WindowsIdentity object is
    > > still in use, or does the WindowsIdentity object close it when it is
    > > destroyed. I am not quite sure what is done behind the scenes by the
    > > WindowsIdentity class in this respect.
    > >
    > > EmailID = varnk
    > > Domain = Diebold.com
    > > -----------------------------------

    >
    >
     
    Ken Varn, Oct 11, 2005
    #3
  4. Hello Ken,

    the handle is duplicated in the ctor of WindowsIdentity - that means you
    should manually close it by calling win32 CloseHandle.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Does WindowsIdentity duplicate the handle on construction? I am
    > basically wondering if I should close the handle that I passed into
    > the WindowsIdentity constructor after I create the WindowsIdentity
    > object.
    >
    > EmailID = varnk
    > Domain = Diebold.com
    > -----------------------------------
    > "Dominick Baier [DevelopMentor]"
    > <>
    > wrote in message
    > news:...
    >> Hello Ken,
    >>
    >> internally WindowsIdentity uses the SafeTokenHandle class to close
    >> the
    >>

    > handle
    >
    >> the cleanest approach is:
    >>
    >> using (WindowsIdentity id = new WindowsIdentity(token))
    >> using (WindowsImpersonationContext wic = id.Impersonate())
    >> {
    >> try
    >> {}
    >> catch
    >> {
    >> // in this scenario catching the exception is extemely important -

    > because
    >
    >> of ExceptionFilter vulnerabilty
    >> }
    >> }
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> I am using WindowsIdentity.Impersonate() to impersonate using a
    >>> logon token acquired from the Win32 LogonUser account.
    >>>
    >>> I was wondering if it is safe to close the LogonUser handle passed
    >>> to the WindowsIdentity constructor while the WindowsIdentity object
    >>> is still in use, or does the WindowsIdentity object close it when it
    >>> is destroyed. I am not quite sure what is done behind the scenes by
    >>> the WindowsIdentity class in this respect.
    >>>
    >>> EmailID = varnk
    >>> Domain = Diebold.com
    >>> -----------------------------------
     
    Dominick Baier [DevelopMentor], Oct 11, 2005
    #4
  5. Doesn't this depend on your .NET version as well? From what I can tell, in
    1.x, WindowsIdentity has a finalizer (but no IDisposable implementation,
    which is really weird) which does essentially this:

    ~WindowsIdentity()
    {
    if (this.m_userToken != WindowsIdentity.ZeroHandle)
    {
    WindowsIdentity._CloseHandle(this.m_userToken);
    this.m_userToken = WindowsIdentity.ZeroHandle;
    }
    }There is also a method called by the constructor that takes an IntPtr that
    looks like this:

    private void CreateFromToken(IntPtr userToken, string type, bool bClose)
    {
    this.m_type = type;
    if (userToken == WindowsIdentity.ZeroHandle)
    {
    throw new
    ArgumentException(Environment.GetResourceString("Argument_TokenZero"));
    }
    this.m_userToken = WindowsIdentity._DuplicateHandle(userToken,
    bClose);
    if (this.m_userToken == WindowsIdentity.ZeroHandle)
    {
    throw new
    ArgumentException(Environment.GetResourceString("Argument_InvalidToken"));
    }
    }As such, it *appears* that WindowsIdentity duplicates the token handle for
    you and its finalizer closes that. As such, closing the handle returned
    from LogonUser would be a good idea. It would also appear that you can do
    that right after the WindowsIdentity is created since it makes its own copy.

    I'm not really sure about that though. Anyone else?

    Joe K.




    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Ken,
    >
    > internally WindowsIdentity uses the SafeTokenHandle class to close the
    > handle
    >
    > the cleanest approach is:
    >
    > using (WindowsIdentity id = new WindowsIdentity(token))
    > using (WindowsImpersonationContext wic = id.Impersonate())
    > {
    > try
    > {}
    > catch
    > {
    > // in this scenario catching the exception is extemely important -
    > because of ExceptionFilter vulnerabilty
    > }
    > }
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> I am using WindowsIdentity.Impersonate() to impersonate using a logon
    >> token acquired from the Win32 LogonUser account.
    >>
    >> I was wondering if it is safe to close the LogonUser handle passed to
    >> the WindowsIdentity constructor while the WindowsIdentity object is
    >> still in use, or does the WindowsIdentity object close it when it is
    >> destroyed. I am not quite sure what is done behind the scenes by the
    >> WindowsIdentity class in this respect.
    >>
    >> EmailID = varnk
    >> Domain = Diebold.com
    >> -----------------------------------

    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Oct 11, 2005
    #5
  6. Hello Joe,

    oops - yeah i looked at the source of 2.0

    but in both versions they duplicate the handle - so it is safe and recommended
    to close the handle directly after you passed it in the ctor of WindowsIdentity.

    the big difference between both implementations is (besides many other features)
    that the 2.0 version uses a SafeHandle internally to store the win32 handle.
    SafeHandles are a new feature in 2.0 - they ensure proper cleanup (by using
    critical finalization) and prevent handle recycling attacks.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Doesn't this depend on your .NET version as well? From what I can
    > tell, in 1.x, WindowsIdentity has a finalizer (but no IDisposable
    > implementation, which is really weird) which does essentially this:
    >
    > ~WindowsIdentity()
    > {
    > if (this.m_userToken != WindowsIdentity.ZeroHandle)
    > {
    > WindowsIdentity._CloseHandle(this.m_userToken);
    > this.m_userToken = WindowsIdentity.ZeroHandle;
    > }
    > }There is also a method called by the constructor that takes an IntPtr
    > that
    > looks like this:
    >
    > private void CreateFromToken(IntPtr userToken, string type, bool
    > bClose)
    > {
    > this.m_type = type;
    > if (userToken == WindowsIdentity.ZeroHandle)
    > {
    > throw new
    > ArgumentException(Environment.GetResourceString("Argument_TokenZero"))
    > ;
    > }
    > this.m_userToken = WindowsIdentity._DuplicateHandle(userToken,
    > bClose);
    > if (this.m_userToken == WindowsIdentity.ZeroHandle)
    > {
    > throw new
    > ArgumentException(Environment.GetResourceString("Argument_InvalidToken
    > "));
    > }
    > }As such, it *appears* that WindowsIdentity duplicates the token
    > handle for
    > you and its finalizer closes that. As such, closing the handle
    > returned from LogonUser would be a good idea. It would also appear
    > that you can do that right after the WindowsIdentity is created since
    > it makes its own copy.
    >
    > I'm not really sure about that though. Anyone else?
    >
    > Joe K.
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hello Ken,
    >>
    >> internally WindowsIdentity uses the SafeTokenHandle class to close
    >> the handle
    >>
    >> the cleanest approach is:
    >>
    >> using (WindowsIdentity id = new WindowsIdentity(token))
    >> using (WindowsImpersonationContext wic = id.Impersonate())
    >> {
    >> try
    >> {}
    >> catch
    >> {
    >> // in this scenario catching the exception is extemely important -
    >> because of ExceptionFilter vulnerabilty
    >> }
    >> }
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> I am using WindowsIdentity.Impersonate() to impersonate using a
    >>> logon token acquired from the Win32 LogonUser account.
    >>>
    >>> I was wondering if it is safe to close the LogonUser handle passed
    >>> to the WindowsIdentity constructor while the WindowsIdentity object
    >>> is still in use, or does the WindowsIdentity object close it when it
    >>> is destroyed. I am not quite sure what is done behind the scenes by
    >>> the WindowsIdentity class in this respect.
    >>>
    >>> EmailID = varnk
    >>> Domain = Diebold.com
    >>> ----------------------------------
     
    Dominick Baier [DevelopMentor], Oct 12, 2005
    #6
  7. Ken Varn

    Ken Varn Guest

    Thanks! That is what I wanted to confirm.

    --
    -----------------------------------
    Ken Varn
    Senior Software Engineer
    Diebold Inc.

    EmailID = varnk
    Domain = Diebold.com
    -----------------------------------
    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Ken,
    >
    > the handle is duplicated in the ctor of WindowsIdentity - that means you
    > should manually close it by calling win32 CloseHandle.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > Does WindowsIdentity duplicate the handle on construction? I am
    > > basically wondering if I should close the handle that I passed into
    > > the WindowsIdentity constructor after I create the WindowsIdentity
    > > object.
    > >
    > > EmailID = varnk
    > > Domain = Diebold.com
    > > -----------------------------------
    > > "Dominick Baier [DevelopMentor]"
    > > <>
    > > wrote in message
    > > news:...
    > >> Hello Ken,
    > >>
    > >> internally WindowsIdentity uses the SafeTokenHandle class to close
    > >> the
    > >>

    > > handle
    > >
    > >> the cleanest approach is:
    > >>
    > >> using (WindowsIdentity id = new WindowsIdentity(token))
    > >> using (WindowsImpersonationContext wic = id.Impersonate())
    > >> {
    > >> try
    > >> {}
    > >> catch
    > >> {
    > >> // in this scenario catching the exception is extemely important -

    > > because
    > >
    > >> of ExceptionFilter vulnerabilty
    > >> }
    > >> }
    > >> ---------------------------------------
    > >> Dominick Baier - DevelopMentor
    > >> http://www.leastprivilege.com
    > >>> I am using WindowsIdentity.Impersonate() to impersonate using a
    > >>> logon token acquired from the Win32 LogonUser account.
    > >>>
    > >>> I was wondering if it is safe to close the LogonUser handle passed
    > >>> to the WindowsIdentity constructor while the WindowsIdentity object
    > >>> is still in use, or does the WindowsIdentity object close it when it
    > >>> is destroyed. I am not quite sure what is done behind the scenes by
    > >>> the WindowsIdentity class in this respect.
    > >>>
    > >>> EmailID = varnk
    > >>> Domain = Diebold.com
    > >>> -----------------------------------

    >
    >
     
    Ken Varn, Oct 12, 2005
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Larry Maturo
    Replies:
    1
    Views:
    438
    Jason Newell
    Nov 4, 2005
  2. SRam

    creating Handles

    SRam, Aug 19, 2003, in forum: Perl
    Replies:
    1
    Views:
    1,025
  3. Alex
    Replies:
    3
    Views:
    1,498
    Alvin Bruney
    Dec 2, 2003
  4. Blue Streak
    Replies:
    3
    Views:
    531
    S. Justin Gengo
    Dec 12, 2005
  5. eino
    Replies:
    1
    Views:
    435
    =?ISO-8859-15?Q?=22Martin_v=2E_L=F6wis=22?=
    May 8, 2007
Loading...

Share This Page