From 0e2efec8cbac4b2d5a32942ea700865ed22a3626 Mon Sep 17 00:00:00 2001
From: DavidXanatos
Date: Thu, 24 Mar 2022 20:12:07 +0100
Subject: [PATCH] 1.0.15
---
 CHANGELOG.md | 9 +++++++++
 Sandboxie/common/my_version.h | 4 ++--
 Sandboxie/common/ntproto.h | 6 ++++++
 Sandboxie/core/dll/ipc.c | 33 +++++++++++++++++++++++++++++++++
 Sandboxie/core/drv/file.c | 18 ++++++++++++++++++
 SandboxiePlus/version.h | 2 +-
 6 files changed, 69 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c4c12377..f5fbef71 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,15 @@ This project adheres to [Semantic Versioning](http://semver.org/).
+
+## [1.0.15 / 5.55.15] - 2022-03-24
+
+### Fixed
+- fixed memory corruption introduced in the last build causing chrome to sometimes crash.
+- FIXED SECURITY ISSUE: NtCreateSymbolicLinkObject was not filtered (thanks Diversenok)
+
+
+
 ## [1.0.14 / 5.55.14] - 2022-03-23
 ### Added
diff --git a/Sandboxie/common/my_version.h b/Sandboxie/common/my_version.h
index 688a67ba..2024fc21 100644
--- a/Sandboxie/common/my_version.h
+++ b/Sandboxie/common/my_version.h
@@ -21,8 +21,8 @@
 #ifndef _MY_VERSION_H
 #define _MY_VERSION_H
-#define MY_VERSION_BINARY 5,55,14
-#define MY_VERSION_STRING "5.55.14"
+#define MY_VERSION_BINARY 5,55,15
+#define MY_VERSION_STRING "5.55.15"
 #define MY_VERSION_COMPAT "5.55.0" // this refers to the driver ABI compatibility
 // These #defines are used by either Resource Compiler or NSIS installer
diff --git a/Sandboxie/common/ntproto.h b/Sandboxie/common/ntproto.h
index 625c3af6..4067d329 100644
--- a/Sandboxie/common/ntproto.h
+++ b/Sandboxie/common/ntproto.h
@@ -511,6 +511,12 @@ typedef NTSTATUS (*P_NtImpersonateThread)(
 IN HANDLE ClientThreadHandle,
 IN PSECURITY_QUALITY_OF_SERVICE SecurityQos);
+typedef NTSTATUS (*P_NtCreateSymbolicLinkObject)(
+ PHANDLE pHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PUNICODE_STRING DestinationName);
+
 typedef NTSTATUS (*P_NtLoadDriver)(
 IN PUNICODE_STRING RegistryPath);
diff --git a/Sandboxie/core/dll/ipc.c b/Sandboxie/core/dll/ipc.c
index 42723ac9..a40a39b8 100644
--- a/Sandboxie/core/dll/ipc.c
+++ b/Sandboxie/core/dll/ipc.c
@@ -244,6 +244,14 @@ static NTSTATUS Ipc_NtOpenSection(
 //---------------------------------------------------------------------------
+static NTSTATUS Ipc_NtCreateSymbolicLinkObject (
+ PHANDLE pHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PUNICODE_STRING DestinationName);
+
+
+//---------------------------------------------------------------------------
 static P_NtCreatePort __sys_NtCreatePort = NULL;
 static P_NtConnectPort __sys_NtConnectPort = NULL;
@@ -269,6 +277,9 @@ static P_NtCreateSemaphore __sys_NtCreateSemaphore = NULL;
 static P_NtOpenSemaphore __sys_NtOpenSemaphore = NULL;
 static P_NtCreateSection __sys_NtCreateSection = NULL;
 static P_NtOpenSection __sys_NtOpenSection = NULL;
+
+static P_NtCreateSymbolicLinkObject __sys_NtCreateSymbolicLinkObject= NULL;
+
 static P_NtImpersonateAnonymousToken __sys_NtImpersonateAnonymousToken = NULL;
@@ -371,6 +382,8 @@ _FX BOOLEAN Ipc_Init(void)
 SBIEDLL_HOOK(Ipc_,NtCreateSection);
 SBIEDLL_HOOK(Ipc_,NtOpenSection);
+ SBIEDLL_HOOK(Ipc_,NtCreateSymbolicLinkObject);
+
 // OriginalToken BEGIN
 if (!Dll_CompartmentMode && !SbieApi_QueryConfBool(NULL, L"OriginalToken", FALSE))
 // OriginalToken END
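Review bot: The new P_NtCreateSymbolicLinkObject typedef drops the `IN`/`OUT` annotations that its neighbours in this hunk use (`IN HANDLE ClientThreadHandle`, `IN PUNICODE_STRING RegistryPath`). For consistency with the surrounding prototypes I would write `OUT PHANDLE pHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PUNICODE_STRING DestinationName`. Whether the header defines IN/OUT itself I cannot see from here, but the adjacent prototypes already compile with them, so nothing new is required.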
@@ -3745,3 +3758,23 @@ _FX ULONG Ipc_NtQueryObjectName(UNICODE_STRING *ObjectName, ULONG MaxLen)
 return 0;
 }
+
+
+//---------------------------------------------------------------------------
+// Ipc_NtCreateSymbolicLinkObject
+//---------------------------------------------------------------------------
+
+
+_FX NTSTATUS Ipc_NtCreateSymbolicLinkObject(
+ PHANDLE pHandle, ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING DestinationName)
+{
+ WCHAR strW[8192];
+ Sbie_snwprintf(strW, 8192, L"NtCreateSymbolicLinkObject, %s", DestinationName);
+ SbieApi_MonitorPut2(MONITOR_OTHER | MONITOR_TRACE, strW, FALSE);
+
+ SbieApi_Log(2205, L"NtCreateSymbolicLinkObject");
+
+ return STATUS_PRIVILEGE_NOT_HELD;
+ //return __sys_NtCreateSymbolicLinkObject(pHandle, DesiredAccess, ObjectAttributes, DestinationName);
+}
\ No newline at end of file
diff --git a/Sandboxie/core/drv/file.c b/Sandboxie/core/drv/file.c
index 229a8cfc..35573b7c 100644
--- a/Sandboxie/core/drv/file.c
+++ b/Sandboxie/core/drv/file.c
@@ -104,6 +104,9 @@ static NTSTATUS File_Generic_MyParseProc(
 static NTSTATUS File_CreatePagingFile(
 PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
+static NTSTATUS File_CreateSymbolicLinkObject(
+ PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
+
 static void File_ReplaceTokenIfFontRequest(
 ACCESS_STATE *AccessState, PDEVICE_OBJECT DeviceObject,
 UNICODE_STRING *FileName, BOOLEAN* pbSetDirty);
@@ -221,6 +224,9 @@ _FX BOOLEAN File_Init(void)
 if (! Syscall_Set1("CreatePagingFile", File_CreatePagingFile))
 return FALSE;
+ if (! Syscall_Set1("CreateSymbolicLinkObject", File_CreateSymbolicLinkObject))
+ return FALSE;
+
 //
 // set API functions
 //
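Review bot: In Ipc_NtCreateSymbolicLinkObject, `Sbie_snwprintf(strW, 8192, L"NtCreateSymbolicLinkObject, %s", DestinationName)` hands a PUNICODE_STRING to a `%s` conversion; unless Sbie_snwprintf gives `%s` UNICODE_STRING semantics (which I cannot see from this hunk), the struct's Length/MaximumLength/Buffer fields are read as wide characters, so the trace line shows garbage and the actual link target is never printed. A UNICODE_STRING Buffer is also not guaranteed NUL-terminated, so the fix is to format the Length-bounded buffer and tolerate a NULL pointer, e.g. `Sbie_snwprintf(strW, 8192, L"NtCreateSymbolicLinkObject, %.*s", DestinationName ? DestinationName->Length / sizeof(WCHAR) : 0, DestinationName ? DestinationName->Buffer : L"")`, provided the formatter supports `%.*s`. The unconditional STATUS_PRIVILEGE_NOT_HELD is right for the fix, but a user-mode hook is not a security boundary; the driver-side File_CreateSymbolicLinkObject added in this same patch is the enforcement point, and a one-line comment here saying `// trace/log only; the sbiedrv syscall filter enforces the deny` would stop the next reader from treating this function as the protection. The repeated `8192` literal should be `sizeof strW / sizeof strW[0]` so the bound cannot drift from the buffer size.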
@@ -1712,6 +1718,18 @@ _FX NTSTATUS File_CreatePagingFile(
 }
+//---------------------------------------------------------------------------
+// File_CreateSymbolicLinkObject
+//---------------------------------------------------------------------------
+
+
+_FX NTSTATUS File_CreateSymbolicLinkObject(
+ PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args)
+{
+ return STATUS_PRIVILEGE_NOT_HELD;
+}
+
+
 //---------------------------------------------------------------------------
 // File_ReplaceTokenIfFontRequest
 //---------------------------------------------------------------------------
diff --git a/SandboxiePlus/version.h b/SandboxiePlus/version.h
index 82952ed2..14789b61 100644
--- a/SandboxiePlus/version.h
+++ b/SandboxiePlus/version.h
@@ -2,7 +2,7 @@
 #define VERSION_MJR 1
 #define VERSION_MIN 0
-#define VERSION_REV 14
+#define VERSION_REV 15
 #define VERSION_UPD 0
 #ifndef STR
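Review bot: File_CreateSymbolicLinkObject denies unconditionally but says nothing about why, and as the kernel-side half of the CHANGELOG's "NtCreateSymbolicLinkObject was not filtered" fix it is the line a future maintainer is most likely to "relax"; the definition should carry `// Deny unconditionally: a sandboxed process must not create object-manager symbolic links, since those redirect object-namespace names and could point outside the box. The user-mode hook in dll/ipc.c only traces; this handler is the enforcement point.` All three parameters are unused, which a driver build with warnings-as-errors may reject; `UNREFERENCED_PARAMETER(proc); UNREFERENCED_PARAMETER(syscall_entry); UNREFERENCED_PARAMETER(user_args);` makes it explicit that the deny does not depend on the caller or its arguments. Unlike the dll-side hook in this patch, nothing here records the denied call, so a denial that reaches the driver without passing through the user-mode hook leaves no trace; if sibling syscall handlers in this file log their denials, the same call belongs here (none is visible in this hunk, so I cannot name it).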