From 4cae349811a5737127113c3135f9e2d3f3d5e4fb Mon Sep 17 00:00:00 2001
From: Eric Kohl
Date: Sat, 17 Jul 2021 16:26:16 +0200
Subject: [PATCH] [ADVAPI32][SERVICES] Use the context handle to encrypt and decrypt service passwords
---
 base/system/services/config.c | 3 ++-
 base/system/services/rpcserver.c | 8 +++++---
 base/system/services/services.h | 1 +
 dll/win32/advapi32/service/scm.c | 15 ++++++++++-----
 4 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/base/system/services/config.c b/base/system/services/config.c
index a4b809b76f7..db1b0dafc79 100644
--- a/base/system/services/config.c
+++ b/base/system/services/config.c
@@ -699,6 +699,7 @@ done:
 DWORD
 ScmDecryptPassword(
+ _In_ PVOID ContextHandle,
 _In_ PBYTE pPassword,
 _In_ DWORD dwPasswordSize,
 _Out_ PWSTR *pClearTextPassword)
@@ -709,7 +710,7 @@ ScmDecryptPassword(
 NTSTATUS Status;
 /* Get the session key */
- Status = SystemFunction028(NULL,
+ Status = SystemFunction028(ContextHandle,
 SessionKey);
 if (!NT_SUCCESS(Status))
 {
diff --git a/base/system/services/rpcserver.c b/base/system/services/rpcserver.c
index 136d86b1e50..741dc1c84e1 100644
--- a/base/system/services/rpcserver.c
+++ b/base/system/services/rpcserver.c
@@ -4,7 +4,7 @@
 * FILE: base/system/services/rpcserver.c
 * PURPOSE: RPC server interface for the advapi32 calls
 * COPYRIGHT: Copyright 2005-2006 Eric Kohl
- * Copyright 2006-2007 Hervé Poussineau
+ * Copyright 2006-2007 HervĂ© Poussineau
 * Copyright 2007 Ged Murphy
 */
@@ -2208,7 +2208,8 @@ RChangeServiceConfigW(
 if (*(LPWSTR)lpPassword != 0)
 {
 /* Decrypt the password */
- dwError = ScmDecryptPassword(lpPassword,
+ dwError = ScmDecryptPassword(hService,
+ lpPassword,
 dwPwSize,
 &lpClearTextPassword);
 if (dwError != ERROR_SUCCESS)
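Review bot: In config.c `@@ -699`, the new `_In_ PVOID ContextHandle` parameter of ScmDecryptPassword is untyped and undocumented, so nothing tells a caller which handle is expected. The call sites in this patch pass the handle of the RPC call itself (`hService` in RChangeServiceConfigW, `hSCManager` in RCreateServiceW), and advapi32 passes the corresponding client handle to ScmEncryptPassword (scm.c `@@ -171`); presumably both ends must use the same handle for the session keys to agree. I would state that in a header comment on both functions, e.g. `/* ContextHandle: RPC context handle of the current call; must correspond to the handle the peer used for the same request */`. The function body continues outside the hunk.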
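Review bot: In config.c `@@ -709`, `ContextHandle` is forwarded to SystemFunction028 without any check, and the same holds for ScmEncryptPassword in scm.c `@@ -181`. The removed line passed NULL, so SystemFunction028 presumably still accepts a NULL handle; if it then produces a key that does not depend on the connection, a caller that passes NULL silently gets the old behaviour back. Consider rejecting that up front with `if (ContextHandle == NULL) return ERROR_INVALID_HANDLE;`. Also confirm, outside this hunk, that `SessionKey` is cleared before the function returns; the body starts and ends outside the hunk.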
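Review bot: In rpcserver.c `@@ -4`, the copyright line changes only in how the `é` of `Hervé Poussineau` is encoded; the new side shows up here as `HervĂ© Poussineau`, which suggests the file was re-saved in a different encoding rather than edited on purpose. The change is unrelated to the password handling in this commit and risks a garbled author name for anyone reading the file with the previous encoding. I would drop this hunk, or do the encoding conversion for the whole file in a separate commit and verify the result.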
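Review bot: In rpcserver.c `@@ -2208`, the guard `if (*(LPWSTR)lpPassword != 0)` reads a WCHAR from the client-supplied buffer with no NULL or size check visible, whereas RCreateServiceW (`@@ -2609`) at least tests `lpPassword != NULL` first; neither visibly checks `dwPwSize`. An enclosing check may exist outside the hunk, but if not I would write `if (lpPassword != NULL && dwPwSize >= sizeof(WCHAR) && *(LPWSTR)lpPassword != 0)`. The test also runs before decryption, so it inspects the encrypted bytes rather than the clear text. Please confirm as well that `hService` has been validated as a service handle before it is used here as the key context.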
@@ -2609,7 +2610,8 @@ RCreateServiceW(
 if (lpPassword != NULL && *(LPWSTR)lpPassword != 0)
 {
 /* Decrypt the password */
- dwError = ScmDecryptPassword(lpPassword,
+ dwError = ScmDecryptPassword(hSCManager,
+ lpPassword,
 dwPwSize,
 &lpClearTextPassword);
 if (dwError != ERROR_SUCCESS)
diff --git a/base/system/services/services.h b/base/system/services/services.h
index 6a9dd5d3783..cbaa4a93329 100644
--- a/base/system/services/services.h
+++ b/base/system/services/services.h
@@ -155,6 +155,7 @@ ScmDeleteRegKey(
 DWORD
 ScmDecryptPassword(
+ _In_ PVOID ContextHandle,
 _In_ PBYTE pPassword,
 _In_ DWORD dwPasswordSize,
 _Out_ PWSTR *pDecryptedPassword);
diff --git a/dll/win32/advapi32/service/scm.c b/dll/win32/advapi32/service/scm.c
index f373f311add..621e5753247 100644
--- a/dll/win32/advapi32/service/scm.c
+++ b/dll/win32/advapi32/service/scm.c
@@ -171,6 +171,7 @@ ScmRpcStatusToWinError(RPC_STATUS Status)
 static
 DWORD
 ScmEncryptPassword(
+ _In_ PVOID ContextHandle,
 _In_ PCWSTR pClearTextPassword,
 _Out_ PBYTE *pEncryptedPassword,
 _Out_ PDWORD pEncryptedPasswordSize)
@@ -181,7 +182,7 @@ ScmEncryptPassword(
 NTSTATUS Status;
 /* Get the session key */
- Status = SystemFunction028(NULL,
+ Status = SystemFunction028(ContextHandle,
 SessionKey);
 if (!NT_SUCCESS(Status))
 {
@@ -417,7 +418,8 @@ ChangeServiceConfigA(SC_HANDLE hService,
 (int)(strlen(lpPassword) + 1));
 /* Encrypt the unicode password */
- dwError = ScmEncryptPassword(lpPasswordW,
+ dwError = ScmEncryptPassword(hService,
+ lpPasswordW,
 &lpEncryptedPassword,
 &dwPasswordSize);
 if (dwError != ERROR_SUCCESS)
@@ -517,7 +519,8 @@ ChangeServiceConfigW(SC_HANDLE hService,
 if (lpPassword != NULL)
 {
- dwError = ScmEncryptPassword(lpPassword,
+ dwError = ScmEncryptPassword(hService,
+ lpPassword,
 &lpEncryptedPassword,
 &dwPasswordSize);
 if (dwError != ERROR_SUCCESS)
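Review bot: In services.h `@@ -155`, the prototype names the output parameter `pDecryptedPassword` while the definition in config.c (`@@ -699`) calls it `pClearTextPassword`. Since the prototype is being touched anyway, aligning it as `_Out_ PWSTR *pClearTextPassword);` keeps the header and the definition consistent.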
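Review bot: In scm.c `@@ -417` (ChangeServiceConfigA), `lpPasswordW` holds a clear-text wide copy of the password that is only needed until ScmEncryptPassword returns; CreateServiceA (`@@ -742`) follows the same pattern. The code that releases the buffer lies outside both hunks, so I cannot tell whether it is wiped first. If it is not, clear it with SecureZeroMemory over its allocated size before freeing, including on the failure path behind `if (dwError != ERROR_SUCCESS)`.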
@@ -742,7 +745,8 @@ CreateServiceA(SC_HANDLE hSCManager,
 (int)(strlen(lpPassword) + 1));
 /* Encrypt the password */
- dwError = ScmEncryptPassword(lpPasswordW,
+ dwError = ScmEncryptPassword(hSCManager,
+ lpPasswordW,
 &lpEncryptedPassword,
 &dwPasswordSize);
 if (dwError != ERROR_SUCCESS)
@@ -856,7 +860,8 @@ CreateServiceW(SC_HANDLE hSCManager,
 if (lpPassword != NULL)
 {
 /* Encrypt the password */
- dwError = ScmEncryptPassword(lpPassword,
+ dwError = ScmEncryptPassword(hSCManager,
+ lpPassword,
 &lpEncryptedPassword,
 &dwPasswordSize);
 if (dwError != ERROR_SUCCESS)