Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-08-03 18:35:41 +00:00
Code Issues Projects Releases Packages Wiki Activity

[LSA][SECUR32] Check for untrusted clients

Browse source 
Calls  to LsapCallAuthenticationPackage are routed to LsaApCallPackageUntrusted instead of LsaApCallPackage for  untrusted clients.
This commit is contained in:
Eric Kohl 2019-09-17 12:58:11 +02:00
parent ba43d1e839
commit a66c7d2ecc
5 changed files with 83 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

23
dll/win32/lsasrv/authpackage.c
View file

@ -585,13 +585,22 @@ LsapCallAuthenticationPackage(PLSA_API_MSG RequestMsg,
} }
} }
Status = Package->LsaApCallPackage((PLSA_CLIENT_REQUEST)LogonContext, if (LogonContext->Untrusted)
LocalBuffer, Status = Package->LsaApCallPackageUntrusted((PLSA_CLIENT_REQUEST)LogonContext,
RequestMsg->CallAuthenticationPackage.Request.ProtocolSubmitBuffer, LocalBuffer,
RequestMsg->CallAuthenticationPackage.Request.SubmitBufferLength, RequestMsg->CallAuthenticationPackage.Request.ProtocolSubmitBuffer,
&RequestMsg->CallAuthenticationPackage.Reply.ProtocolReturnBuffer, RequestMsg->CallAuthenticationPackage.Request.SubmitBufferLength,
&RequestMsg->CallAuthenticationPackage.Reply.ReturnBufferLength, &RequestMsg->CallAuthenticationPackage.Reply.ProtocolReturnBuffer,
&RequestMsg->CallAuthenticationPackage.Reply.ProtocolStatus); &RequestMsg->CallAuthenticationPackage.Reply.ReturnBufferLength,
&RequestMsg->CallAuthenticationPackage.Reply.ProtocolStatus);
else
Status = Package->LsaApCallPackage((PLSA_CLIENT_REQUEST)LogonContext,
LocalBuffer,
RequestMsg->CallAuthenticationPackage.Request.ProtocolSubmitBuffer,
RequestMsg->CallAuthenticationPackage.Request.SubmitBufferLength,
&RequestMsg->CallAuthenticationPackage.Reply.ProtocolReturnBuffer,
&RequestMsg->CallAuthenticationPackage.Reply.ReturnBufferLength,
&RequestMsg->CallAuthenticationPackage.Reply.ProtocolStatus);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
TRACE("Package->LsaApCallPackage() failed (Status 0x%08lx)\n", Status); TRACE("Package->LsaApCallPackage() failed (Status 0x%08lx)\n", Status);

64
dll/win32/lsasrv/authport.c
View file

@ -35,6 +35,64 @@ LsapDeregisterLogonProcess(PLSA_API_MSG RequestMsg,
} }
static
BOOL
LsapIsTrustedClient(
_In_ HANDLE ProcessHandle)
{
LUID TcbPrivilege = {SE_TCB_PRIVILEGE, 0};
HANDLE TokenHandle = NULL;
PTOKEN_PRIVILEGES Privileges = NULL;
ULONG Size, i;
BOOL Trusted = FALSE;
NTSTATUS Status;
Status = NtOpenProcessToken(ProcessHandle,
TOKEN_QUERY,
&TokenHandle);
if (!NT_SUCCESS(Status))
goto done;
Status = NtQueryInformationToken(TokenHandle,
TokenPrivileges,
NULL,
0,
&Size);
if (!NT_SUCCESS(Status) && Status != STATUS_BUFFER_TOO_SMALL)
goto done;
Privileges = RtlAllocateHeap(RtlGetProcessHeap(), 0, Size);
if (Privileges == NULL)
goto done;
Status = NtQueryInformationToken(TokenHandle,
TokenPrivileges,
Privileges,
Size,
&Size);
if (!NT_SUCCESS(Status))
goto done;
for (i = 0; i < Privileges->PrivilegeCount; i++)
{
if (RtlEqualLuid(&Privileges->Privileges[i].Luid, &TcbPrivilege))
{
Trusted = TRUE;
break;
}
}
done:
if (Privileges != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Privileges);
if (TokenHandle != NULL)
NtClose(TokenHandle);
return Trusted;
}
static NTSTATUS static NTSTATUS
LsapCheckLogonProcess(PLSA_API_MSG RequestMsg, LsapCheckLogonProcess(PLSA_API_MSG RequestMsg,
PLSAP_LOGON_CONTEXT *LogonContext) PLSAP_LOGON_CONTEXT *LogonContext)
@ -55,7 +113,7 @@ LsapCheckLogonProcess(PLSA_API_MSG RequestMsg,
NULL); NULL);
Status = NtOpenProcess(&ProcessHandle, Status = NtOpenProcess(&ProcessHandle,
PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE, PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
&ObjectAttributes, &ObjectAttributes,
&RequestMsg->h.ClientId); &RequestMsg->h.ClientId);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
@ -77,6 +135,10 @@ LsapCheckLogonProcess(PLSA_API_MSG RequestMsg,
TRACE("New LogonContext: %p\n", Context); TRACE("New LogonContext: %p\n", Context);
Context->ClientProcessHandle = ProcessHandle; Context->ClientProcessHandle = ProcessHandle;
Context->Untrusted = RequestMsg->ConnectInfo.Untrusted;
if (Context->Untrusted == FALSE)
Context->Untrusted = LsapIsTrustedClient(ProcessHandle);
*LogonContext = Context; *LogonContext = Context;

2
dll/win32/lsasrv/lsasrv.h
View file

@ -28,6 +28,7 @@
#include <ndk/obfuncs.h> #include <ndk/obfuncs.h>
#include <ndk/psfuncs.h> #include <ndk/psfuncs.h>
#include <ndk/rtlfuncs.h> #include <ndk/rtlfuncs.h>
#include <ndk/sefuncs.h>
#include <ndk/ketypes.h> #include <ndk/ketypes.h>
#include <ndk/setypes.h> #include <ndk/setypes.h>
@ -78,6 +79,7 @@ typedef struct _LSAP_LOGON_CONTEXT
LIST_ENTRY Entry; LIST_ENTRY Entry;
HANDLE ClientProcessHandle; HANDLE ClientProcessHandle;
HANDLE ConnectionHandle; HANDLE ConnectionHandle;
BOOL Untrusted;
} LSAP_LOGON_CONTEXT, *PLSAP_LOGON_CONTEXT; } LSAP_LOGON_CONTEXT, *PLSAP_LOGON_CONTEXT;
typedef struct _SAMPR_ULONG_ARRAY typedef struct _SAMPR_ULONG_ARRAY

1
dll/win32/secur32/lsalpc.c
View file

@ -174,6 +174,7 @@ LsaConnectUntrusted(
ConnectInfoLength); ConnectInfoLength);
ConnectInfo.CreateContext = TRUE; ConnectInfo.CreateContext = TRUE;
ConnectInfo.Untrusted = TRUE;
Status = NtConnectPort(LsaHandle, Status = NtConnectPort(LsaHandle,
&PortName, &PortName,

1
sdk/include/reactos/subsys/lsass/lsass.h
View file

@ -35,6 +35,7 @@ typedef struct _LSA_CONNECTION_INFO
ULONG Length; ULONG Length;
CHAR LogonProcessNameBuffer[LSASS_MAX_LOGON_PROCESS_NAME_LENGTH + 1]; CHAR LogonProcessNameBuffer[LSASS_MAX_LOGON_PROCESS_NAME_LENGTH + 1];
BOOL CreateContext; BOOL CreateContext;
BOOL Untrusted;
} LSA_CONNECTION_INFO, *PLSA_CONNECTION_INFO; } LSA_CONNECTION_INFO, *PLSA_CONNECTION_INFO;