Windows: CiSetFileCache TOCTOU CVE-2017-11830 Incomplete Fix
The fix for CVE-2017-11830 is insufficient to prevent a normal user application adding a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumventing Device Guard policies. The fix was to add a check that the target file passed isn’t writable. However, when the file handle is converted to a file object with ObReferenceObjectByHandle the desired access is 0, which means we can pass a handle with any granted access including SYNCHRONIZE or READ_CONTROL, which do not respect file sharing. So we can still exploit this issue by doing the following: 1. Open the file for write access. 2. Reopen another handle to the file for SYNCHRONIZE access. 3. Set cached signing level through the handle opened in 2. 4. Wait for oplock, rewrite file using handle opened in 1. Release oplock.