LogMeIn Driver Handle Duplication Vulnerability Leading to Privilege Escalation
Original Post:
We discussed this vulnerability during Episode 242 on 13 February 2024.
The primitive in play here is a handle duplication attack. The LogMeIn device driver exposes an IOCTL that temporarily duplicates a handle specified by the caller (the attacker). Combined with the fact that users are allowed to open the device with PROCESS_DUP_HANDLE, one can open the device and then attempt to duplicate the newly created handle before it is closed, thereby keeping a reference to a privileged handle and using it for an elevation of privilege.