From 206447a60b86c7c46d28b1fcd671f0d7130f6aae Mon Sep 17 00:00:00 2001 From: DavidXanatos Date: Wed, 26 Oct 2022 10:01:41 +0200 Subject: [PATCH] 1.5.1 --- CHANGELOG.md | 1 + Sandboxie/core/drv/ipc.c | 6 ++++++ Sandboxie/core/drv/syscall_open.c | 8 ++++++++ Sandboxie/install/Templates.ini | 7 ++----- 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b3072aad..9791123c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - fixed issues with Privacy Enhanced box types [#2342](https://github.com/sandboxie-plus/Sandboxie/issues/2342) - fixed issue with boxed object directory initialization [#2342](https://github.com/sandboxie-plus/Sandboxie/issues/2342) - Sandboxie no longer leaves behind permanent directory objects +- FIXED SECURITY ISSUE ID-21 AlpcConnectPortEx was not filtered by the driver [#2396](https://github.com/sandboxie-plus/Sandboxie/issues/2396) ## [1.5.0 / 5.60.0] - 2022-10-19 diff --git a/Sandboxie/core/drv/ipc.c b/Sandboxie/core/drv/ipc.c index 7d725604..7e340f23 100644 --- a/Sandboxie/core/drv/ipc.c +++ b/Sandboxie/core/drv/ipc.c @@ -173,6 +173,12 @@ _FX BOOLEAN Ipc_Init(void) } } + if (Driver_OsVersion >= DRIVER_WINDOWS_8) { + + if (! Syscall_Set2("AlpcConnectPortEx", Ipc_CheckPortObject)) + return FALSE; + } + // // register object filter callbacks on Vista SP1 and later // diff --git a/Sandboxie/core/drv/syscall_open.c b/Sandboxie/core/drv/syscall_open.c index 3b555555..a59f4204 100644 --- a/Sandboxie/core/drv/syscall_open.c +++ b/Sandboxie/core/drv/syscall_open.c 
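Review bot: The new `AlpcConnectPortEx` registration in `Ipc_Init` (ipc.c hunk at -173,6 +173,12) carries no comment explaining the `DRIVER_WINDOWS_8` gate or that this is the ID-21 fix. A later refactor could drop it without noticing that a sandbox filter disappears. I would add above the `if` something like `// AlpcConnectPortEx (Windows 8+) must go through Ipc_CheckPortObject; without this hook the call is not filtered by the driver (ID-21, #2396)`. The literal `"AlpcConnectPortEx"` is also repeated in syscall_open.c, so the two strings must stay in sync by hand; the comment should say so. `Ipc_Init` starts and ends outside the hunk, so whether the other port-connect calls use the same callback cannot be confirmed from here.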
@@ -280,6 +280,14 @@ _FX NTSTATUS Syscall_OpenHandle( { puName = (UNICODE_STRING*)user_args[1]; } + else if (strcmp(syscall_entry->name, "AlpcConnectPortEx") == 0) + { + POBJECT_ATTRIBUTES pObj = (POBJECT_ATTRIBUTES)user_args[1]; + if (pObj && pObj->ObjectName) + { + puName = pObj->ObjectName; + } + } else if ((strcmp(syscall_entry->name, "CreateFile") == 0) || (strcmp(syscall_entry->name, "OpenFile") == 0)) { diff --git a/Sandboxie/install/Templates.ini b/Sandboxie/install/Templates.ini index 93b3d2f2..ad30ffdb 100644 --- a/Sandboxie/install/Templates.ini +++ b/Sandboxie/install/Templates.ini @@ -3556,6 +3556,7 @@ ApproveWinNtSysCall=ConnectPort ApproveWinNtSysCall=SecureConnectPort ApproveWinNtSysCall=CreatePort ApproveWinNtSysCall=AlpcConnectPort +ApproveWinNtSysCall=AlpcConnectPortEx ApproveWinNtSysCall=AlpcCreatePort ApproveWinNtSysCall=ImpersonateClientOfPort ApproveWinNtSysCall=AlpcImpersonateClientOfPort @@ -3583,6 +3584,7 @@ ApproveWinNtSysCall=DuplicateObject ApproveWinNtSysCall=GetNextProcess ApproveWinNtSysCall=GetNextThread ApproveWinNtSysCall=DeviceIoControlFile +#ApproveWinNtSysCall=FsControlFile ApproveWinNtSysCall=QuerySystemInformation ApproveWinNtSysCall=OpenProcessToken @@ -3615,8 +3617,6 @@ ApproveWinNtSysCall=SetInformationJobObject ApproveWinNtSysCall=DeleteFile -ApproveWinNtSysCall=AlpcConnectPort -ApproveWinNtSysCall=AlpcConnectPortEx ApproveWinNtSysCall=AlpcAcceptConnectPort ApproveWinNtSysCall=AlpcCreateSecurityContext @@ -3635,9 +3635,6 @@ ApproveWinNtSysCall=OpenSymbolicLinkObject ApproveWinNtSysCall=CreateUserProcess #ApproveWinNtSysCall=CreateThreadEx -ApproveWinNtSysCall=DeviceIoControlFile -#ApproveWinNtSysCall=FsControlFile - ApproveWinNtSysCall=QueryAttributesFile ApproveWinNtSysCall=QueryFullAttributesFile
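Review bot: The new `AlpcConnectPortEx` branch in `Syscall_OpenHandle` dereferences `pObj` (cast from `user_args[1]`) to read `ObjectName`, whereas the branch just above it only copies the pointer. If `user_args` holds caller-supplied values and this chain is not already inside a probing `__try` block (neither is visible in the hunk), a bad or kernel-range pointer is read in kernel mode. `ObjectName` is also fetched here separately from whatever the system call itself reads later, so the captured name should be treated as informational and not as the name an access decision rests on. I would probe and read under SEH as sketched below. The function body starts and ends outside the hunk.

```c
else if (strcmp(syscall_entry->name, "AlpcConnectPortEx") == 0)
{
    POBJECT_ATTRIBUTES pObj = (POBJECT_ATTRIBUTES)user_args[1];
    // user_args[1] is caller-controlled: validate the range and read the field once, under SEH
    __try {
        if (pObj) {
            ProbeForRead(pObj, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG));
            puName = pObj->ObjectName;
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        puName = NULL;
    }
}
// … unchanged: CreateFile / OpenFile branch …
```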