The CreateProcessAsUser function is implemented by passing a token handle to the underlying NtCreateUserProcess system call via a special process attribute (value 0x60002). All documentation indicates that this handle should be a primary token, and CreateProcessAsUser itself will duplicate the token into a primary token if necessary. The issue is that NtCreateUserProcess and the functions it calls, such as PspReferenceTokenForNewProcess and SeAssignPrimaryToken, never verify that the token actually is a primary token. The only requirement is that the handle was opened with the TOKEN_ASSIGN_PRIMARY_TOKEN access right, which is granted on impersonation tokens just as readily as on primary ones.
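As an added example (not part of the original report), the following PowerShell script walks the running processes and reports any whose primary token reports TokenImpersonation, which is the anomaly a process created through the path above would exhibit. It assumes an elevated session, that the kernel leaves the assigned token's type unchanged (so a primary token reporting type 2 is the signal), and uses the documented advapi32 calls OpenProcessToken and GetTokenInformation through P/Invoke; processes that cannot be opened are skipped.

```powershell
# Added example: flag processes whose primary token is an impersonation token.
# Assumption: the kernel does not convert the token type, so a process token with
# TOKEN_TYPE == TokenImpersonation (2) should never exist on a correctly behaving system.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class TokenCheck {
    public const uint TOKEN_QUERY = 0x0008;
    public const int TokenTypeClass = 8;   // TOKEN_INFORMATION_CLASS::TokenType
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        out int TokenInformation, int TokenInformationLength, out int ReturnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $sig

function Get-ProcessTokenType {
    # Returns 1 (TokenPrimary), 2 (TokenImpersonation) or $null if the process cannot be queried.
    param([System.Diagnostics.Process]$Process)
    $hToken = [IntPtr]::Zero
    try {
        # Process.Handle throws Win32Exception for protected processes or access denied; caught below.
        if (-not [TokenCheck]::OpenProcessToken($Process.Handle, [TokenCheck]::TOKEN_QUERY, [ref]$hToken)) {
            return $null
        }
        $type = 0; $len = 0
        if (-not [TokenCheck]::GetTokenInformation($hToken, [TokenCheck]::TokenTypeClass, [ref]$type, 4, [ref]$len)) {
            return $null
        }
        return $type
    } catch {
        return $null
    } finally {
        if ($hToken -ne [IntPtr]::Zero) { [void][TokenCheck]::CloseHandle($hToken) }
    }
}

foreach ($p in Get-Process) {
    $t = Get-ProcessTokenType -Process $p
    if ($t -eq 2) {
        Write-Warning ("PID {0} ({1}) is running with an impersonation token as its primary token" -f $p.Id, $p.ProcessName)
    }
}
```

On a system where no process is affected the script prints nothing; any warning is worth investigating together with the parent process that created it.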
More details: https://code.google.com/p/google-security-research/issues/detail?id=198