Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-08-08 06:33:00 +00:00
Code Issues Projects Releases Packages Wiki Activity

[MSV1_0] LsaApLogonUserEx2: use RtlRunDecodeUnicodeString to decode password

Browse source
This commit is contained in:
Andreas Maier 2020-02-16 11:05:25 +01:00 committed by Thomas Faber
parent 72fa935128
commit 782ff23261
No known key found for this signature in database
GPG key ID: 076E7C3D44720826
2 changed files with 45 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

29
dll/win32/msv1_0/msv1_0.c
View file

@ -1193,6 +1193,8 @@ LsaApLogonUserEx2(IN PLSA_CLIENT_REQUEST ClientRequest,
LARGE_INTEGER PasswordLastSet; LARGE_INTEGER PasswordLastSet;
DWORD ComputerNameSize; DWORD ComputerNameSize;
BOOL SpecialAccount = FALSE; BOOL SpecialAccount = FALSE;
UCHAR LogonPassHash;
PUNICODE_STRING ErasePassword = NULL;
TRACE("LsaApLogonUserEx2()\n"); TRACE("LsaApLogonUserEx2()\n");
@ -1268,6 +1270,18 @@ LsaApLogonUserEx2(IN PLSA_CLIENT_REQUEST ClientRequest,
Status = RtlValidateUnicodeString(0, &LogonInfo->UserName); Status = RtlValidateUnicodeString(0, &LogonInfo->UserName);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
return STATUS_INVALID_PARAMETER; return STATUS_INVALID_PARAMETER;
/* MS docs says max length is 0xFF bytes. But thats not the full story:
*
* A Quote from https://groups.google.com/forum/#!topic/microsoft.public.win32.programmer.kernel/eFGcCo_ZObk:
* "... At least on my WinXP SP2. Domain and UserName are passed
* in clear text, but the Password is NOT. ..."
*
* If the higher byte of length != 0 we have to use RtlRunDecodeUnicodeString.
*/
LogonPassHash = (LogonInfo->Password.Length >> 8) & 0xFF;
LogonInfo->Password.Length = LogonInfo->Password.Length & 0xFF;
/* Password is optional and can be an empty string */ /* Password is optional and can be an empty string */
if (LogonInfo->Password.Length) if (LogonInfo->Password.Length)
{ {
@ -1281,6 +1295,15 @@ LsaApLogonUserEx2(IN PLSA_CLIENT_REQUEST ClientRequest,
LogonInfo->Password.MaximumLength = 0; LogonInfo->Password.MaximumLength = 0;
} }
/* Decode password */
if (LogonPassHash > 0)
{
RtlRunDecodeUnicodeString(LogonPassHash, &LogonInfo->Password);
}
/* ErasePassword will be "erased" before we return */
ErasePassword = &LogonInfo->Password;
Status = RtlValidateUnicodeString(0, &LogonInfo->Password); Status = RtlValidateUnicodeString(0, &LogonInfo->Password);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
return STATUS_INVALID_PARAMETER; return STATUS_INVALID_PARAMETER;
@ -1574,6 +1597,12 @@ LsaApLogonUserEx2(IN PLSA_CLIENT_REQUEST ClientRequest,
} }
done: done:
/* Erase password */
if (ErasePassword)
{
RtlEraseUnicodeString(ErasePassword);
}
/* Update the logon time/count or the bad password time/count */ /* Update the logon time/count or the bad password time/count */
if ((UserHandle != NULL) && if ((UserHandle != NULL) &&
(Status == STATUS_SUCCESS || Status == STATUS_WRONG_PASSWORD)) (Status == STATUS_SUCCESS || Status == STATUS_WRONG_PASSWORD))

16
sdk/include/ndk/rtlfuncs.h
View file

@ -2435,6 +2435,22 @@ RtlFreeBuffer(
Buffer->Size = Buffer->StaticSize; Buffer->Size = Buffer->StaticSize;
} }
NTSYSAPI
VOID
NTAPI
RtlRunEncodeUnicodeString(
_Inout_ PUCHAR Hash,
_Inout_ PUNICODE_STRING String
);
NTSYSAPI
VOID
NTAPI
RtlRunDecodeUnicodeString(
_In_ UCHAR Hash,
_Inout_ PUNICODE_STRING String
);
#endif /* NTOS_MODE_USER */ #endif /* NTOS_MODE_USER */
// //