This commit is contained in:
DavidXanatos 2021-12-28 13:04:43 +01:00
parent 8a2e8435a7
commit 4d3648ba9c
6 changed files with 63 additions and 23 deletions


@ -19,7 +19,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
### Fixed
- fixed box initialization issue in privacy mode [#1469](https://github.com/sandboxie-plus/Sandboxie/issues/1469)
- fixed issue creating shortcuts introduced in a recent build [#1471](https://github.com/sandboxie-plus/Sandboxie/issues/1471)
- fixed access issues in privacy enhanced boxes
- fixed variouse issues in privacy enhanced boxes and rule specificity
- fixed issue with SeAccessCheckByType
### Removed
- removed obsolete SkyNetRootKit detection from 32 bit build


@ -543,15 +543,22 @@ _FX BOOLEAN Com_IsClosedClsid(REFCLSID rclsid)
0x66, 0xf7, 0xe1, 0x1b, 0x36, 0x55, 0xd1, 0x11,
0xb7, 0x26, 0x00, 0xc0, 0x4f, 0xb9, 0x26, 0xaf };
if (memcmp(rclsid, EventSystem, 16) == 0)
return TRUE;
// moved to templates.ini
//static const UCHAR PinToStartScreen[16] = { // {470C0EBD-5D73-4D58-9CED-E91E22E23282}
// 0xbd, 0x0e, 0x0c, 0x47, 0x73, 0x5d, 0x58, 0x4d,
// 0x9c, 0xed, 0xe9, 0x1e, 0x22, 0xe2, 0x32, 0x82
//};
if (memcmp(rclsid, EventSystemTier2, 16) == 0)
return TRUE;
static const UCHAR* ClosedIDs[] = { EventSystem, EventSystemTier2/*, PinToStartScreen*/ };
ULONG index;
GUID* guid;
for (index = 0; index < ARRAYSIZE(ClosedIDs); ++index) {
if (memcmp(rclsid, ClosedIDs[index], 16) == 0)
return TRUE;
}
//
// initialize list of user-configured CLSID blocks
// Note: the service threads everythign not explicitly open as closed anyways
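Review bot: `GUID* guid;` declared right after `ULONG index;` is never used by the new loop, so it only produces an unused-variable warning; drop it. The explicit `memcmp(rclsid, EventSystem, 16)` check two lines above the new table is now redundant, because EventSystem is the first entry of `ClosedIDs` and the loop compares it again, so that check can be removed with the table as the single source of closed IDs. In the loop, `sizeof(GUID)` instead of the literal `16` would tie the compare length to the type of `rclsid`. Com_IsClosedClsid begins before this hunk and continues after it.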


@ -1906,7 +1906,7 @@ _FX UINT Proc_WinExec(LPCSTR lpCmdLine, UINT uCmdShow)
memzero(&pi, sizeof(PROCESS_INFORMATION));
ok = CreateProcessA(
ok = CreateProcessA(
NULL, (char *)lpCmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
if (ok) {


@ -921,10 +921,13 @@ RPC_STATUS RPC_ENTRY RpcRt_RpcStringBindingComposeW(TCHAR *ObjUuid,TCHAR *ProtSe
Scm_Start_Sppsvc();
}
// we must block this in Win 10 to prevent r-click context menu hang in Explorer
else if (ObjUuid && (!_wcsicmp(ObjUuid, UUID_UserMgrCli)))
{
return STATUS_ACCESS_DENIED;
}
// note: this breaks otehr things but we need it,
// so instead we block the {470C0EBD-5D73-4D58-9CED-E91E22E23282} Pin To Start Screen verb handler;
// inside Com_CoCreateInstance
//else if (ObjUuid && (!_wcsicmp(ObjUuid, UUID_UserMgrCli)))
//{
// return STATUS_ACCESS_DENIED;
//}
return __sys_RpcStringBindingComposeW(ObjUuid,ProtSeq,NetworkAddr,EndPoint,Options,StringBinding);
}
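Review bot: The replacement comment says the Pin To Start Screen handler is now blocked "inside Com_CoCreateInstance", but as far as this commit shows the CLSID is commented out of the Com table and moved to Templates.ini as a `ClosedClsid` entry under `[Template_WindowsExplorer]`, so the pointer sends the next reader to the wrong place. Suggest `// note: this breaks other things but we need it, so instead the {470C0EBD-5D73-4D58-9CED-E91E22E23282} Pin To Start Screen verb handler is closed via ClosedClsid in Templates.ini` and dropping the commented-out else-if rather than keeping it as dead code. RpcRt_RpcStringBindingComposeW starts before this hunk.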


@ -887,7 +887,7 @@ _FX NTSTATUS Secure_NtSetSecurityObject(
//---------------------------------------------------------------------------
_FX void Ldr_TestToken(HANDLE token, PHANDLE hTokenReal)
_FX void Ldr_TestToken(HANDLE token, PHANDLE hTokenReal, BOOLEAN bImpersonate)
{
if (Dll_OsBuild < 9600) // this magic values are available only from windows 8.1 onwards
return;
@ -898,18 +898,44 @@ _FX void Ldr_TestToken(HANDLE token, PHANDLE hTokenReal)
// OriginalToken END
if ((LONG_PTR)token == LDR_TOKEN_PRIMARY) {
NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, hTokenReal);
NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY | (bImpersonate ? TOKEN_DUPLICATE : 0), hTokenReal);
}
else if ((LONG_PTR)token == LDR_TOKEN_IMPERSONATION) {
NtOpenThreadToken(NtCurrentThread(), TOKEN_QUERY, FALSE, hTokenReal);
NtOpenThreadToken(NtCurrentThread(), TOKEN_QUERY | (bImpersonate ? TOKEN_DUPLICATE : 0), FALSE, hTokenReal);
}
else if ((LONG_PTR)token <= LDR_TOKEN_EFFECTIVE) {
NtOpenThreadToken(NtCurrentThread(), TOKEN_QUERY, FALSE, hTokenReal);
if (!hTokenReal) {
NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, hTokenReal);
NtOpenThreadToken(NtCurrentThread(), TOKEN_QUERY | (bImpersonate ? TOKEN_DUPLICATE : 0), FALSE, hTokenReal);
if (*hTokenReal == NULL) {
NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY | (bImpersonate ? TOKEN_DUPLICATE : 0), hTokenReal);
}
}
//
// SeAccessCheckByType requires the token to eider be
// an impersonation token of level SecurityIdentification or higher
// or a pseudo handle, hence we have to convert the token here
//
if (bImpersonate && *hTokenReal != NULL) {
HANDLE hTokenRealImp = NULL;
OBJECT_ATTRIBUTES objattrs;
SECURITY_QUALITY_OF_SERVICE QoS;
InitializeObjectAttributes(&objattrs, NULL, 0, NULL, NULL);
QoS.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
QoS.ImpersonationLevel = SecurityImpersonation;
QoS.ContextTrackingMode = SECURITY_STATIC_TRACKING;
QoS.EffectiveOnly = FALSE;
objattrs.SecurityQualityOfService = &QoS;
if (NT_SUCCESS(NtDuplicateToken(*hTokenReal, MAXIMUM_ALLOWED, &objattrs, FALSE, TokenImpersonation, &hTokenRealImp))) {
NtClose(*hTokenReal);
*hTokenReal = hTokenRealImp;
}
}
return;
}
_FX NTSTATUS Ldr_NtQueryInformationToken(
@ -924,7 +950,7 @@ _FX NTSTATUS Ldr_NtQueryInformationToken(
HANDLE hTokenReal = NULL;
BOOLEAN FakeAdmin = FALSE;
Ldr_TestToken(TokenHandle, &hTokenReal);
Ldr_TestToken(TokenHandle, &hTokenReal, FALSE);
status = __sys_NtQueryInformationToken(
hTokenReal ? hTokenReal : TokenHandle, TokenInformationClass,
@ -1024,7 +1050,7 @@ _FX NTSTATUS Ldr_NtQuerySecurityAttributesToken(HANDLE TokenHandle, PUNICODE_STR
NTSTATUS status = 0;
HANDLE hTokenReal = NULL;
Ldr_TestToken(TokenHandle, &hTokenReal);
Ldr_TestToken(TokenHandle, &hTokenReal, FALSE);
status = __sys_NtQuerySecurityAttributesToken(hTokenReal ? hTokenReal : TokenHandle, Attributes, NumberOfAttributes, Buffer, Length, ReturnLength);
@ -1034,6 +1060,7 @@ _FX NTSTATUS Ldr_NtQuerySecurityAttributesToken(HANDLE TokenHandle, PUNICODE_STR
return status;
}
NTSTATUS Ldr_NtAccessCheckByType(PSECURITY_DESCRIPTOR SecurityDescriptor, PSID PrincipalSelfSid, HANDLE ClientToken, ACCESS_MASK DesiredAccess, POBJECT_TYPE_LIST ObjectTypeList, ULONG ObjectTypeListLength, PGENERIC_MAPPING GenericMapping, PPRIVILEGE_SET PrivilegeSet, PULONG PrivilegeSetLength, PACCESS_MASK GrantedAccess, PNTSTATUS AccessStatus)
{
NTSTATUS rc;
@ -1047,8 +1074,8 @@ NTSTATUS Ldr_NtAccessCheckByType(PSECURITY_DESCRIPTOR SecurityDescriptor, PSID P
SetLastError(0);
return TRUE;
}
Ldr_TestToken(ClientToken, &hTokenReal);
Ldr_TestToken(ClientToken, &hTokenReal, TRUE);
rc = __sys_NtAccessCheckByType(SecurityDescriptor, PrincipalSelfSid, hTokenReal ? hTokenReal : ClientToken, DesiredAccess, ObjectTypeList, ObjectTypeListLength, GenericMapping, PrivilegeSet, PrivilegeSetLength, GrantedAccess, AccessStatus);
@ -1065,7 +1092,7 @@ _FX NTSTATUS Ldr_NtAccessCheck(PSECURITY_DESCRIPTOR SecurityDescriptor, HANDLE C
NTSTATUS status = 0;
HANDLE hTokenReal = NULL;
Ldr_TestToken(ClientToken, &hTokenReal);
Ldr_TestToken(ClientToken, &hTokenReal, TRUE);
status = __sys_NtAccessCheck(SecurityDescriptor, hTokenReal ? hTokenReal : ClientToken, DesiredAccess, GenericMapping, RequiredPrivilegesBuffer, BufferLength, GrantedAccess, AccessStatus);
@ -1080,7 +1107,7 @@ _FX NTSTATUS Ldr_NtAccessCheckByTypeResultList(PSECURITY_DESCRIPTOR SecurityDesc
NTSTATUS status = 0;
HANDLE hTokenReal = NULL;
Ldr_TestToken(ClientToken, &hTokenReal);
Ldr_TestToken(ClientToken, &hTokenReal, TRUE);
status = __sys_NtAccessCheckByTypeResultList(SecurityDescriptor, PrincipalSelfSid, ClientToken, DesiredAccess, ObjectTypeList, ObjectTypeListLength, GenericMapping, PrivilegeSet, PrivilegeSetLength, GrantedAccess, AccessStatus);
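Review bot: In the Ldr_NtAccessCheckByTypeResultList hunk, the call on the line after the changed `Ldr_TestToken(ClientToken, &hTokenReal, TRUE);` still passes `ClientToken` straight to `__sys_NtAccessCheckByTypeResultList`, whereas the sibling wrappers Ldr_NtAccessCheck and Ldr_NtAccessCheckByType pass `hTokenReal ? hTokenReal : ClientToken`, so the impersonation-level duplicate that the new TRUE argument creates is never used here and the original handle reaches the real call. Change that argument to `hTokenReal ? hTokenReal : ClientToken`. The duplicate handle is presumably closed further down in each wrapper outside these hunks; worth confirming, since NtDuplicateToken now produces an extra handle on every call with bImpersonate set. Separately, in Ldr_TestToken the duplicate is requested with `MAXIMUM_ALLOWED` at `SecurityImpersonation` while the comment above it says SecurityIdentification suffices for the access-check APIs; if nothing else relies on that handle, `TOKEN_QUERY` at `SecurityIdentification` keeps it at the minimum needed.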


@ -165,6 +165,8 @@ ClosedClsid={4991D34B-80A1-4291-83B6-3328366B9097}
[Template_WindowsExplorer]
# make search box wait
ClosedClsid={C2F03A33-21F5-47FA-B4BB-156362A2F239}
# makes context menu hang
ClosedClsid={470C0EBD-5D73-4D58-9CED-E91E22E23282}
[Template_ThirdPartyIsolation]
# close VMNet0 virtual network
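Review bot: The new `# makes context menu hang` line says what the CLSID does but not what it is, so someone auditing [Template_WindowsExplorer] cannot tell which component {470C0EBD-5D73-4D58-9CED-E91E22E23282} is without reading the source; the RpcRt comment in this same commit identifies it as the Pin To Start Screen verb handler. Suggest `# Pin To Start Screen verb handler, makes the Explorer context menu hang`.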