FreeConsole API handle UAF/recycling issue

[dmex]

Windows build number

10.0.10240.0

Other Software

N/A

Steps to reproduce

Windows 10 and 11 have an issue where the FreeConsole function closes the StandardInput, StandardOutput, StandardError and ConsoleHandle fields in the PEB but doesn't zero these values.

Windows recycles handle identifiers and since these values are not zeroed when they're closed, they start referencing an entirely different handle.

Expected Behavior

The FreeConsole function zero the StandardInput, StandardOutput, StandardError and ConsoleHandle fields in the PEB after closing the handle.

Actual Behavior

The FreeConsole function closes the handles but doesn't zero the StandardInput, StandardOutput, StandardError and ConsoleHandle fields in the PEB causing a use-after-free scenario.

Sample

This sample project reproduces two separate issues:
Project1.zip

You should hit this breakpoint when running the sample:
Screenshot

Otherwise if you hit this breakpoint from kernelbase/msvcrt then run the sample a few more times. kernelbase/msvcrt is calling GetStdHandle and unexpectedly referencing a process handle - from the sample - due to FreeConsole not zeroing the StandardInput, StandardOutput, StandardError and ConsoleHandle fields in the PEB:

It's the same issue but less obvious.

[dmex]

@benhillis from email convo

[DHowett]

Good catch, thanks! We'll probably need to track somewhere which handles we did assign to stdin/out/err so that we don't blank user-overwritten ones.

[DHowett]

This is one of the very few issues for which we do not have a Product- label (since it's in conclnt the console client library)