mirrors/Sandboxie
mirrors
/
Sandboxie
mirror of https://github.com/sandboxie-plus/Sandboxie.git
1
0
Fork 0
Code Releases Activity

1.9.6

This commit is contained in:
DavidXanatos 2023-05-26 20:29:48 +02:00
parent 4255ef4879
commit f89e9cfeac
7 changed files with 245 additions and 261 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGELOG.md
View File

@ -4,6 +4,13 @@ This project adheres to [Semantic Versioning](http://semver.org/).
## [1.9.6 / 5.64.6] - 2023-05-??
### Fixed
- fixed an issue with token manipulation in the SbieDrv driver
## [1.9.5 / 5.64.5] - 2023-05-26

4
Sandboxie/common/my_version.h
View File

@ -21,8 +21,8 @@
#ifndef _MY_VERSION_H
#define _MY_VERSION_H
#define MY_VERSION_BINARY 5,64,5
#define MY_VERSION_STRING "5.64.5"
#define MY_VERSION_BINARY 5,64,6
#define MY_VERSION_STRING "5.64.6"
#define MY_ABI_VERSION 0x56000
// These #defines are used by either Resource Compiler or NSIS installer

6
Sandboxie/core/drv/thread.h
View File

@ -106,6 +106,12 @@ ACCESS_MASK Thread_CheckObject_CommonEx(
BOOLEAN ExplicitAccess);
//---------------------------------------------------------------------------
// Variables
//---------------------------------------------------------------------------
extern void *Thread_AnonymousToken;
//---------------------------------------------------------------------------
#endif // _MY_THREAD_H

3
Sandboxie/core/drv/thread_token.c
View File

@ -1467,8 +1467,7 @@ _FX NTSTATUS Thread_SetInformationThread_ChangeNotifyToken(PROCESS *proc)
//
FilteredTokenObject = Token_Restrict(
CurrentToken, DISABLE_MAX_PRIVILEGE, NULL,
proc);
CurrentToken, DISABLE_MAX_PRIVILEGE, proc);
ObDereferenceObject(CurrentToken);

364
Sandboxie/core/drv/token.c
View File

@ -66,7 +66,7 @@ static void *Token_RestrictHelper1(
void *TokenObject, PROCESS *proc);
static NTSTATUS Token_RestrictHelper2(
void *TokenObject, ULONG *OutIntegrityLevel, PROCESS *proc);
void *TokenObject, PROCESS *proc);
static void *Token_RestrictHelper3(
void *TokenObject, TOKEN_GROUPS *Groups, TOKEN_PRIVILEGES *Privileges,
@ -122,6 +122,10 @@ P_SepFilterToken Token_SepFilterToken = NULL;
// Variables
//---------------------------------------------------------------------------
ULONG Token_RestrictedSidCount_offset = 0;
ULONG Token_RestrictedSids_offset = 0;
ULONG Token_UserAndGroups_offset = 0;
ULONG Token_UserAndGroupCount_offset = 0;
static TOKEN_PRIVILEGES *Token_FilterPrivileges = NULL;
static TOKEN_GROUPS *Token_FilterGroups = NULL;
@ -163,6 +167,9 @@ static UCHAR SystemLogonSid[12] = {
UCHAR Sbie_Token_SourceName[5] = { 's', 'b', 'o', 'x', 0 };
#define ProcessMitigationPolicy 52
//---------------------------------------------------------------------------
// Token_Init
//---------------------------------------------------------------------------
@ -173,6 +180,55 @@ _FX BOOLEAN Token_Init(void)
const ULONG NumBasePrivs = 6;
const ULONG NumVistaPrivs = 1;
// $Offset$ - Hard Offset Dependency
#ifdef _WIN64
if (Driver_OsVersion <= DRIVER_WINDOWS_7) {
Token_RestrictedSidCount_offset = 0x7C;
Token_RestrictedSids_offset = 0x98;
Token_UserAndGroups_offset = 0x90;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_8
&& Driver_OsVersion <= DRIVER_WINDOWS_10) {
Token_RestrictedSidCount_offset = 0x80;
Token_RestrictedSids_offset = 0xA0;
Token_UserAndGroups_offset = 0x98; //good for windows 10 - 10041
Token_UserAndGroupCount_offset = 0x7c; //Good for windows 10 - 10041
}
#else ! _WIN64
if (Driver_OsVersion >= DRIVER_WINDOWS_XP
&& Driver_OsVersion <= DRIVER_WINDOWS_2003) {
Token_RestrictedSidCount_offset = 0x50;
Token_RestrictedSids_offset = 0x6C;
Token_UserAndGroups_offset = 0x68;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_VISTA
&& Driver_OsVersion <= DRIVER_WINDOWS_7) {
Token_RestrictedSidCount_offset = 0x7C;
Token_RestrictedSids_offset = 0x94;
Token_UserAndGroups_offset = 0x90;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_8
&& Driver_OsVersion <= DRIVER_WINDOWS_10) {
Token_RestrictedSidCount_offset = 0x80;
Token_RestrictedSids_offset = 0x98;
Token_UserAndGroups_offset = 0x94;
Token_UserAndGroupCount_offset = 0x7c; //Good for windows 10 - 10041
}
#endif _WIN64
//
// create a list of privileges to filter
//
@ -851,7 +907,7 @@ _FX NTSTATUS Token_SetHandleDacl(HANDLE Handle, ACL *Dacl)
_FX void *Token_Restrict(
void *TokenObject, ULONG FilterFlags, ULONG *OutIntegrityLevel,
void *TokenObject, ULONG FilterFlags,
PROCESS *proc)
{
TOKEN_GROUPS *groups;
@ -893,27 +949,27 @@ _FX void *Token_Restrict(
FixedTokenObject = Token_RestrictHelper1(TokenObject, proc);
}
if (!FixedTokenObject)
return NULL;
// OpenToken BEGIN
if (!Conf_Get_Boolean(proc->box->name, L"KeepTokenIntegrity", 0, FALSE))
// OpenToken END
{
//
// on Windows Vista, set the untrusted integrity integrity label,
// on Windows Vista and later, set the untrusted integrity integrity label,
// primarily to prevent programs in the sandbox from being able to
// call PostThreadMessage to threads of programs outside the sandbox
// and to prevent injection of Win32 and WinEvent hooks
//
if (FixedTokenObject) {
NTSTATUS status = Token_RestrictHelper2(
FixedTokenObject, OutIntegrityLevel, proc);
if (!NT_SUCCESS(status)) {
if (!NT_SUCCESS(Token_RestrictHelper2(FixedTokenObject, proc))) {
ObDereferenceObject(FixedTokenObject);
FixedTokenObject = NULL;
return NULL;
}
}
if (FixedTokenObject) {
// OpenToken BEGIN
if (Conf_Get_Boolean(proc->box->name, L"UnstrippedToken", 0, FALSE))
return FixedTokenObject;
@ -933,66 +989,31 @@ _FX void *Token_Restrict(
user->User.Sid, FilterFlags, proc);
}
ObDereferenceObject(FixedTokenObject);
if (user)
ExFreePool(user);
if (privs)
ExFreePool(privs);
if (groups)
ExFreePool(groups);
}
ObDereferenceObject(FixedTokenObject);
return NewTokenObject;
}
//---------------------------------------------------------------------------
// Token_ResetPrimary
//---------------------------------------------------------------------------
_FX BOOLEAN Token_ResetPrimary(PROCESS *proc)
{
PEPROCESS ProcessObject;
NTSTATUS status;
BOOLEAN ok = FALSE;
ULONG UserAndGroups_offset = 0;
if (!proc->primary_token)
return TRUE;
#ifdef _WIN64
if (Driver_OsVersion <= DRIVER_WINDOWS_7) {
UserAndGroups_offset = 0x90;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_8
&& Driver_OsVersion <= DRIVER_WINDOWS_10) {
UserAndGroups_offset = 0x98; //good for windows 10 - 10041
}
#else ! _WIN64
if (Driver_OsVersion >= DRIVER_WINDOWS_XP
&& Driver_OsVersion <= DRIVER_WINDOWS_2003) {
UserAndGroups_offset = 0x68;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_VISTA
&& Driver_OsVersion <= DRIVER_WINDOWS_7) {
UserAndGroups_offset = 0x90;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_8
&& Driver_OsVersion <= DRIVER_WINDOWS_10) {
UserAndGroups_offset = 0x94; //good for windows 10 build 10041
}
#endif _WIN64
//
// lookup the process object to get the primary token
//
@ -1011,27 +1032,7 @@ _FX BOOLEAN Token_ResetPrimary(PROCESS *proc)
Log_Status_Ex_Process(MSG_1222, 0x31, STATUS_NO_TOKEN, NULL, proc->box->session_id, proc->pid);
}
else
{
SID_AND_ATTRIBUTES *SidAndAttrsInToken = NULL;
SID_AND_ATTRIBUTES *SidAndAttrsInTokenOrig = NULL;
if (UserAndGroups_offset) {
SidAndAttrsInToken = *(SID_AND_ATTRIBUTES **)
((ULONG_PTR)TokenObject + UserAndGroups_offset);
// Windows 8.1 update
if (SidAndAttrsInToken->Sid == (PSID)proc->SandboxieLogonSid)
{
//DbgPrint("Sbie, restore token pointer\n");
SidAndAttrsInTokenOrig = *(SID_AND_ATTRIBUTES **)
((ULONG_PTR)(proc->primary_token) + UserAndGroups_offset);
SidAndAttrsInToken->Sid = SidAndAttrsInTokenOrig->Sid;
}
}
else {
PsDereferencePrimaryToken(TokenObject);
ok = TRUE;
@ -1052,24 +1053,13 @@ _FX BOOLEAN Token_IsSharedSid_W8(void *TokenObject)
BOOLEAN bRet = TRUE;
ULONG nUserAndGroupCount = 0;
SID_AND_ATTRIBUTES *SidAndAttrsInToken = NULL;
ULONG UserAndGroupCount_offset = 0;
ULONG UserAndGroups_offset = 0;
if (TokenObject
&& Driver_OsVersion >= DRIVER_WINDOWS_8
&& Driver_OsVersion <= DRIVER_WINDOWS_10) {
#ifdef _WIN64
UserAndGroupCount_offset = 0x7c; //Good for windows 10 - 10041
UserAndGroups_offset = 0x98;
#else ! _WIN64
UserAndGroupCount_offset = 0x7c; //Good for windows 10 - 10041
UserAndGroups_offset = 0x94;
#endif _WIN64
nUserAndGroupCount = *(ULONG*)((ULONG_PTR)TokenObject + UserAndGroupCount_offset);
SidAndAttrsInToken = *(SID_AND_ATTRIBUTES **)((ULONG_PTR)TokenObject + UserAndGroups_offset);
nUserAndGroupCount = *(ULONG*)((ULONG_PTR)TokenObject + Token_UserAndGroupCount_offset);
SidAndAttrsInToken = *(SID_AND_ATTRIBUTES **)((ULONG_PTR)TokenObject + Token_UserAndGroups_offset);
if ((ULONG_PTR)SidAndAttrsInToken->Sid > (ULONG_PTR)SidAndAttrsInToken
&& (ULONG_PTR)SidAndAttrsInToken->Sid <= ((ULONG_PTR)SidAndAttrsInToken + (nUserAndGroupCount + 5) * sizeof(SID_AND_ATTRIBUTES)))
@ -1098,56 +1088,8 @@ _FX void *Token_RestrictHelper1(
{
void *NewTokenObject = NULL;
SID_AND_ATTRIBUTES *SidAndAttrsInToken = NULL;
ULONG RestrictedSidCount_offset = 0;
ULONG RestrictedSids_offset = 0;
ULONG UserAndGroups_offset = 0;
NTSTATUS status;
#ifdef _WIN64
if (Driver_OsVersion <= DRIVER_WINDOWS_7) {
RestrictedSidCount_offset = 0x7C;
RestrictedSids_offset = 0x98;
UserAndGroups_offset = 0x90;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_8
&& Driver_OsVersion <= DRIVER_WINDOWS_10) {
RestrictedSidCount_offset = 0x80;
RestrictedSids_offset = 0xA0;
UserAndGroups_offset = 0x98; //good for windows 10 - 10041
}
#else ! _WIN64
if (Driver_OsVersion >= DRIVER_WINDOWS_XP
&& Driver_OsVersion <= DRIVER_WINDOWS_2003) {
RestrictedSidCount_offset = 0x50;
RestrictedSids_offset = 0x6C;
UserAndGroups_offset = 0x68;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_VISTA
&& Driver_OsVersion <= DRIVER_WINDOWS_7) {
RestrictedSidCount_offset = 0x7C;
RestrictedSids_offset = 0x94;
UserAndGroups_offset = 0x90;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_8
&& Driver_OsVersion <= DRIVER_WINDOWS_10) {
RestrictedSidCount_offset = 0x80;
RestrictedSids_offset = 0x98;
UserAndGroups_offset = 0x94;
}
#endif _WIN64
//
// create a temporary token, which we will fix a bit before it is
// duplicated again in Token_RestrictHelper3
@ -1160,7 +1102,7 @@ _FX void *Token_RestrictHelper1(
// in Token_RestrictHelper3, see below in the next section of code
//
if (RestrictedSids_offset) {
if (Token_RestrictedSids_offset) {
//
// SeFilterToken will fail if the existing token has
@ -1172,15 +1114,16 @@ _FX void *Token_RestrictHelper1(
//
void *TempNewTokenObject;
PSID OrigTokenSid = NULL;
ULONG_PTR RestrictSids_Space[8];
TOKEN_GROUPS *RestrictSids = NULL;
ULONG_PTR SidPtr = 0;
ULONG SidCount = 0;
ULONG RestrictSidCountInToken = *(ULONG *)
((ULONG_PTR)TokenObject + RestrictedSidCount_offset);
((ULONG_PTR)TokenObject + Token_RestrictedSidCount_offset);
SID_AND_ATTRIBUTES *RestrictSidsInToken = *(SID_AND_ATTRIBUTES **)
((ULONG_PTR)TokenObject + RestrictedSids_offset);
((ULONG_PTR)TokenObject + Token_RestrictedSids_offset);
if (RestrictSidCountInToken && RestrictSidsInToken) {
@ -1206,50 +1149,23 @@ _FX void *Token_RestrictHelper1(
&TempNewTokenObject);
//
// now we need to call the wrapper SeFilterToken because it inserts
// the the new token object as a handle which is going to be needed
// for the ObOpenObjectByPointer call in Token_RestrictHelper2
// Note: Sandboxie originally called here SeFilterToken already,
// this duplicated NewTokenObject and discarded it.
//
// Howeever the blunt method used in the code below to replace the
// token SID can create a dependancy on proc->SandboxieLogonSid
// formally AnonymousLogonSid which can cause issues and BSOD's
// It also has required a mitigation in Token_ResetPrimary, restoring
// the SID pointer so that the token object can be safely destroyed.
//
// Therefor the invokation of SeFilterToken has been moved after
// the SID manipulation, this way the modified TempNewTokenObject
// will be quickly and safely disposed of. So we continue from there
// on out with a proper unhacked token object.
//
if (NT_SUCCESS(status)) {
status = Sbie_SeFilterToken_KernelMode(
TempNewTokenObject, 0, NULL, NULL, RestrictSids,
&NewTokenObject);
ObDereferenceObject(TempNewTokenObject);
}
if (RestrictSidsInToken) {
//
// if the new token has a restricting SID now, then SeFilterToken
// in Token_RestrictHelper3 will probably fail because the
// intersection between that SID and the anonymous SID which is
// specified in Token_RestrictHelper3 probably produces a null
// set, which is an error. work around this by getting rid of
// the restring SID, which we really only added in the first
// place in order to coax SeFilterToken (above) to not fail
//
ULONG_PTR AddressToSetZero =
((ULONG_PTR)NewTokenObject + RestrictedSidCount_offset);
*(ULONG *)AddressToSetZero = 0;
AddressToSetZero =
((ULONG_PTR)NewTokenObject + RestrictedSids_offset);
*(ULONG_PTR *)AddressToSetZero = 0;
}
}
else
status = STATUS_UNKNOWN_REVISION;
if (!NT_SUCCESS(status))
NewTokenObject = NULL;
else {
//
// the kernel function PsImpersonateClient (which is used by all
// impersonation services) will grant impersonation even without
@ -1272,10 +1188,10 @@ _FX void *Token_RestrictHelper1(
// group. see also: http://support.microsoft.com/kb/278259
//
if (UserAndGroups_offset) {
if (Token_UserAndGroups_offset) {
SidAndAttrsInToken = *(SID_AND_ATTRIBUTES **)
((ULONG_PTR)NewTokenObject + UserAndGroups_offset);
((ULONG_PTR)TempNewTokenObject + Token_UserAndGroups_offset);
}
if (SidAndAttrsInToken) {
@ -1283,6 +1199,8 @@ _FX void *Token_RestrictHelper1(
UCHAR *SidInToken = (UCHAR *)SidAndAttrsInToken->Sid;
if (SidInToken && SidInToken[1] >= 1) { // SubAuthorityCount >= 1
// debug tip. To disable anonymous logon, set AnonymousLogon=n
if (!proc->SandboxieLogonSid && Conf_Get_Boolean(proc->box->name, L"AnonymousLogon", 0, TRUE))
{
proc->SandboxieLogonSid = (PSID)AnonymousLogonSid;
@ -1298,16 +1216,17 @@ _FX void *Token_RestrictHelper1(
// If user sid points to the end of token's UserAndGroups, the sid is not shared.
if ((Driver_OsVersion >= DRIVER_WINDOWS_8
&& Driver_OsVersion <= DRIVER_WINDOWS_10
&& Token_IsSharedSid_W8(NewTokenObject))
if (Token_IsSharedSid_W8(TempNewTokenObject)
// When trying apply the SbieLogin token to a system process there is not enough space in the SID
// so we need to use a workaround not unlike the one for win 8
|| (RtlLengthSid(SidInToken) < RtlLengthSid(proc->SandboxieLogonSid))
) {
//DbgPrint("Sbie, hack token pointer\n");
//DbgPrint("Sbie, hacking token pointer\n");
OrigTokenSid = SidAndAttrsInToken->Sid;
SidAndAttrsInToken->Sid = proc->SandboxieLogonSid;
}
else {
@ -1322,6 +1241,62 @@ _FX void *Token_RestrictHelper1(
status = STATUS_UNKNOWN_REVISION;
}
//
// now we need to call the wrapper SeFilterToken because it inserts
// the the new token object as a handle which is going to be needed
// for the ObOpenObjectByPointer call in Token_RestrictHelper2
//
if (NT_SUCCESS(status)) {
status = Sbie_SeFilterToken_KernelMode(
TempNewTokenObject, 0, NULL, NULL, RestrictSids,
&NewTokenObject);
//
// We restore here the original sid pointer as it was previusly
// done in Token_ResetPrimary before dereferencing the token object.
//
if (SidAndAttrsInToken) {
// Windows 8.1 update
if (SidAndAttrsInToken->Sid == (PSID)proc->SandboxieLogonSid)
{
//DbgPrint("Sbie, restore token pointer\n");
SidAndAttrsInToken->Sid = OrigTokenSid;
}
}
ObDereferenceObject(TempNewTokenObject);
}
if (NewTokenObject && RestrictSidsInToken) {
//
// if the new token has a restricting SID now, then SeFilterToken
// in Token_RestrictHelper3 will probably fail because the
// intersection between that SID and the anonymous SID which is
// specified in Token_RestrictHelper3 probably produces a null
// set, which is an error. work around this by getting rid of
// the restring SID, which we really only added in the first
// place in order to coax SeFilterToken (above) to not fail
//
ULONG_PTR AddressToSetZero =
((ULONG_PTR)NewTokenObject + Token_RestrictedSidCount_offset);
*(ULONG *)AddressToSetZero = 0;
AddressToSetZero =
((ULONG_PTR)NewTokenObject + Token_RestrictedSids_offset);
*(ULONG_PTR *)AddressToSetZero = 0;
}
}
else
status = STATUS_UNKNOWN_REVISION;
//
// finish
//
@ -1339,7 +1314,7 @@ _FX void *Token_RestrictHelper1(
_FX NTSTATUS Token_RestrictHelper2(
void *TokenObject, ULONG *OutIntegrityLevel, PROCESS *proc)
void *TokenObject, PROCESS *proc)
{
NTSTATUS status;
ULONG label;
@ -1350,14 +1325,6 @@ _FX NTSTATUS Token_RestrictHelper2(
label = (ULONG)(ULONG_PTR)Token_Query(
TokenObject, TokenIntegrityLevel, proc->box->session_id);
if (OutIntegrityLevel)
*OutIntegrityLevel = label;
// OpenToken BEGIN
if (Conf_Get_Boolean(proc->box->name, L"KeepTokenIntegrity", 0, FALSE))
return STATUS_SUCCESS;
// OpenToken END
if (label & 0xFFFF00FF)
status = STATUS_INVALID_LEVEL;
@ -1450,7 +1417,7 @@ _FX void *Token_RestrictHelper3(
BOOLEAN UserSidAlreadyInGroups = FALSE;
BOOLEAN AnonymousLogonSidAlreadyInGroups = FALSE;
// todo: should we do something with SandboxieLogonSid here?
BOOLEAN KeepUserGroup = Conf_Get_Boolean(proc->box->name, L"KeepUserGroup", 0, FALSE);
n = 0;
@ -1823,6 +1790,12 @@ _FX BOOLEAN Token_ReplacePrimary(PROCESS *proc)
if (OriginalToken) {
if (Driver_OsVersion >= DRIVER_WINDOWS_VISTA) {
proc->integrity_level = (ULONG)(ULONG_PTR)Token_Query(
OriginalToken, TokenIntegrityLevel, proc->box->session_id);
}
//
// restrict the primary token
//
@ -1833,8 +1806,7 @@ _FX BOOLEAN Token_ReplacePrimary(PROCESS *proc)
//
void *RestrictedToken =
Token_Restrict(OriginalToken, SANDBOX_INERT | DISABLE_MAX_PRIVILEGE,
&proc->integrity_level, proc);
Token_Restrict(OriginalToken, SANDBOX_INERT | DISABLE_MAX_PRIVILEGE, proc);
if (RestrictedToken) {

2
Sandboxie/core/drv/token.h
View File

@ -47,7 +47,7 @@ void *Token_QueryPrimary(TOKEN_INFORMATION_CLASS InfoClass, ULONG SessionId);
void *Token_Filter(void *TokenObject, ULONG DropRights, ULONG SessionId);
void *Token_Restrict(
void *TokenObject, ULONG FilterFlags, ULONG *OutIntegrityLevel, PROCESS *proc);
void *TokenObject, ULONG FilterFlags, PROCESS *proc);
NTSTATUS Token_AssignPrimaryHandle(
void *ProcessObject, HANDLE TokenKernelHandle, ULONG SessionId);

2
SandboxiePlus/version.h
View File

@ -2,7 +2,7 @@
#define VERSION_MJR 1
#define VERSION_MIN 9
#define VERSION_REV 5
#define VERSION_REV 6
#define VERSION_UPD 0
#ifndef STR