1.0.15

CHANGELOG.md

@@ -4,6 +4,15 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 
 
+
+## [1.0.15 / 5.55.15] - 2022-03-24
+
+### Fixed
+- fixed memory corruption introduced in the last build causing chrome to sometimes crash.
+- FIXED SECURITY ISSUE: NtCreateSymbolicLinkObject was not filtered (thanks Diversenok)
+
+
+
 ## [1.0.14 / 5.55.14] - 2022-03-23
 
 ### Added

Sandboxie/common/my_version.h

@@ -21,8 +21,8 @@
 #ifndef _MY_VERSION_H
 #define _MY_VERSION_H
 
-#define MY_VERSION_BINARY       5,55,14
-#define MY_VERSION_STRING       "5.55.14"
+#define MY_VERSION_BINARY       5,55,15
+#define MY_VERSION_STRING       "5.55.15"
 #define MY_VERSION_COMPAT		"5.55.0" // this refers to the driver ABI compatibility
 
 // These #defines are used by either Resource Compiler or NSIS installer

Sandboxie/common/ntproto.h

@@ -511,6 +511,12 @@ typedef NTSTATUS (*P_NtImpersonateThread)(
     IN  HANDLE ClientThreadHandle,
     IN  PSECURITY_QUALITY_OF_SERVICE SecurityQos);
 
+typedef NTSTATUS (*P_NtCreateSymbolicLinkObject)(
+    PHANDLE pHandle,
+    ACCESS_MASK DesiredAccess,
+    POBJECT_ATTRIBUTES ObjectAttributes,
+    PUNICODE_STRING DestinationName);
+
 typedef NTSTATUS (*P_NtLoadDriver)(
     IN  PUNICODE_STRING RegistryPath);
 

Sandboxie/core/dll/ipc.c

@@ -244,6 +244,14 @@ static NTSTATUS Ipc_NtOpenSection(
 
 //---------------------------------------------------------------------------
 
+static NTSTATUS Ipc_NtCreateSymbolicLinkObject (
+    PHANDLE pHandle,
+    ACCESS_MASK DesiredAccess,
+    POBJECT_ATTRIBUTES ObjectAttributes,
+    PUNICODE_STRING DestinationName);
+
+
+//---------------------------------------------------------------------------
 
 static P_NtCreatePort               __sys_NtCreatePort              = NULL;
 static P_NtConnectPort              __sys_NtConnectPort             = NULL;
@@ -269,6 +277,9 @@ static P_NtCreateSemaphore          __sys_NtCreateSemaphore         = NULL;
 static P_NtOpenSemaphore            __sys_NtOpenSemaphore           = NULL;
 static P_NtCreateSection            __sys_NtCreateSection           = NULL;
 static P_NtOpenSection              __sys_NtOpenSection             = NULL;
+
+static P_NtCreateSymbolicLinkObject __sys_NtCreateSymbolicLinkObject= NULL;
+
 static P_NtImpersonateAnonymousToken
                                     __sys_NtImpersonateAnonymousToken
                                                                     = NULL;
@@ -371,6 +382,8 @@ _FX BOOLEAN Ipc_Init(void)
     SBIEDLL_HOOK(Ipc_,NtCreateSection);
     SBIEDLL_HOOK(Ipc_,NtOpenSection);
 
+    SBIEDLL_HOOK(Ipc_,NtCreateSymbolicLinkObject);
+
     // OriginalToken BEGIN
     if (!Dll_CompartmentMode && !SbieApi_QueryConfBool(NULL, L"OriginalToken", FALSE))
     // OriginalToken END
@@ -3745,3 +3758,23 @@ _FX ULONG Ipc_NtQueryObjectName(UNICODE_STRING *ObjectName, ULONG MaxLen)
 
     return 0;
 }
+
+
+//---------------------------------------------------------------------------
+// Ipc_NtCreateSymbolicLinkObject
+//---------------------------------------------------------------------------
+
+
+_FX NTSTATUS Ipc_NtCreateSymbolicLinkObject(
+    PHANDLE pHandle, ACCESS_MASK DesiredAccess,
+    POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING DestinationName)
+{
+    WCHAR strW[8192];
+	Sbie_snwprintf(strW, 8192, L"NtCreateSymbolicLinkObject, %s", DestinationName);
+	SbieApi_MonitorPut2(MONITOR_OTHER | MONITOR_TRACE, strW, FALSE);
+
+    SbieApi_Log(2205, L"NtCreateSymbolicLinkObject");
+
+    return STATUS_PRIVILEGE_NOT_HELD;
+    //return __sys_NtCreateSymbolicLinkObject(pHandle, DesiredAccess, ObjectAttributes, DestinationName);
+}

Sandboxie/core/drv/file.c

@@ -104,6 +104,9 @@ static NTSTATUS File_Generic_MyParseProc(
 static NTSTATUS File_CreatePagingFile(
     PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
 
+static NTSTATUS File_CreateSymbolicLinkObject(
+    PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
+
 static void File_ReplaceTokenIfFontRequest(
     ACCESS_STATE *AccessState,
     PDEVICE_OBJECT DeviceObject, UNICODE_STRING *FileName, BOOLEAN* pbSetDirty);
@@ -221,6 +224,9 @@ _FX BOOLEAN File_Init(void)
     if (! Syscall_Set1("CreatePagingFile", File_CreatePagingFile))
         return FALSE;
 
+    if (! Syscall_Set1("CreateSymbolicLinkObject", File_CreateSymbolicLinkObject))
+        return FALSE;
+
     //
     // set API functions
     //
@@ -1712,6 +1718,18 @@ _FX NTSTATUS File_CreatePagingFile(
 }
 
 
+//---------------------------------------------------------------------------
+// File_CreateSymbolicLinkObject
+//---------------------------------------------------------------------------
+
+
+_FX NTSTATUS File_CreateSymbolicLinkObject(
+    PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args)
+{
+    return STATUS_PRIVILEGE_NOT_HELD;
+}
+
+
 //---------------------------------------------------------------------------
 // File_ReplaceTokenIfFontRequest
 //---------------------------------------------------------------------------

SandboxiePlus/version.h

@@ -2,7 +2,7 @@
 
 #define VERSION_MJR		1
 #define VERSION_MIN 	0
-#define VERSION_REV 	14
+#define VERSION_REV 	15
 #define VERSION_UPD 	0
 
 #ifndef STR