Exemplo n.º 1
0
int UnsetSeDebug()
{
    HANDLE hToken;
    if(! OpenThreadToken(GetCurrentThread(),
                        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                        FALSE,
                        &hToken)
                        ){
        if(GetLastError() == ERROR_NO_TOKEN){
            if(! ImpersonateSelf(SecurityImpersonation)){
                //Log2File("Error setting impersonation! [UnsetSeDebug()]", L_DEBUG);
                return 0;
            }

            if(!OpenThreadToken(GetCurrentThread(),
                                TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                FALSE,
                                &hToken)
                                ){
                //Log2File("Error Opening Thread Token! [UnsetSeDebug()]", L_DEBUG);
                return 0;
            }
        }
    }

    //now disable SeDebug
    if(!SetPrivilege(hToken, SE_DEBUG_NAME, FALSE)){
        //Log2File("Error unsetting SeDebug Privilege [SetPrivilege()]", L_WARN);
        return 0;
    }

    CloseHandle(hToken);
    return 1;
}
Exemplo n.º 2
0
static HANDLE s_GetThreadToken(DWORD access)
{
    HANDLE token;
    if ( !OpenThreadToken(GetCurrentThread(), access, FALSE, &token) ) {
        DWORD res = GetLastError();
        if ( res == ERROR_NO_TOKEN ) {
            if ( !ImpersonateSelf(SecurityImpersonation) ) {
                // Failed to obtain a token for the current thread and user
                CNcbiError::SetFromWindowsError();
                return INVALID_HANDLE_VALUE;
            }
            if ( !OpenThreadToken(GetCurrentThread(), access, FALSE, &token) ) {
                // Failed to open the current threads token with the required access rights
                CNcbiError::SetFromWindowsError();
                token = INVALID_HANDLE_VALUE;
            }
            RevertToSelf();
        } else {
            // Failed to open the current threads token with the required access rights
            CNcbiError::SetWindowsError(res);
            return NULL;
        }
    }
    return token;
}
Exemplo n.º 3
0
/**
* @brief	adjust privilege
* @param	
* @see		
* @remarks http://support.microsoft.com/kb/131065/EN-US/
* @code		
* @endcode	
* @return	
*/
bool set_privilege(_In_z_ const wchar_t* privilege, _In_ bool enable)
{
	HANDLE token = INVALID_HANDLE_VALUE;
	if (TRUE != OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &token) )
	{
		if (ERROR_NO_TOKEN == GetLastError() )
		{
			if ( ImpersonateSelf(SecurityImpersonation)	!= TRUE ) { return FALSE; }

			if (TRUE != OpenThreadToken(GetCurrentThread(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,FALSE,&token) )
			{
				return FALSE;
			}
		}
		else
		{			
			return FALSE;
		}
	}

	TOKEN_PRIVILEGES tp = { 0 };		
	LUID luid = {0};
	DWORD cb = sizeof(TOKEN_PRIVILEGES);
	
	bool ret = false;
	do 
	{
		if(!LookupPrivilegeValueW( NULL, privilege, &luid )) { break; }

		tp.PrivilegeCount = 1;
		tp.Privileges[0].Luid = luid;
		if(enable) 
		{ 
			tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		} 
		else 
		{
			tp.Privileges[0].Attributes = 0;
		}
	
		AdjustTokenPrivileges( token, FALSE, &tp, cb, NULL, NULL );
		if (GetLastError() != ERROR_SUCCESS) { break; }

		ret = true;
	} while (false);
	
	CloseHandle(token);
	return ret;
}
Exemplo n.º 4
0
/// <summary>
/// Grant current process arbitrary privilege
/// </summary>
/// <param name="name">Privilege name</param>
/// <returns>Status</returns>
NTSTATUS Process::GrantPriviledge( const std::basic_string<TCHAR>& name )
{
    TOKEN_PRIVILEGES Priv, PrivOld;
    DWORD cbPriv = sizeof(PrivOld);
    HANDLE hToken;

    if (!OpenThreadToken( GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken ))
    {
        if (GetLastError() != ERROR_NO_TOKEN)
            return LastNtStatus();

        if (!OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken ))
            return LastNtStatus();
    }

    Priv.PrivilegeCount = 1;
    Priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    LookupPrivilegeValue( NULL, name.c_str(), &Priv.Privileges[0].Luid );

    if (!AdjustTokenPrivileges( hToken, FALSE, &Priv, sizeof(Priv), &PrivOld, &cbPriv ))
    {
        CloseHandle( hToken );
        return LastNtStatus();
    }

    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        CloseHandle( hToken );
        return LastNtStatus();
    }
    
    return STATUS_SUCCESS;
}
Exemplo n.º 5
0
L00401608(
    _unknown_ __ecx,                       // r2
    _unknown_ __edx                        // r3
)
{
    _unknown_ _v256;                       // _cfa_ffffff00
    _unknown_ __ebp;                       // r6
    _unknown_ _t2;                         // _t2
    _unknown_ _t5;                         // _t5
    _unknown_ _t6;                         // _t6
    _unknown_ _t7;                         // _t7
    _unknown_ _t10;                        // _t10
    _unknown_ _t11;                        // _t11
    _unknown_ _t12;                        // _t12
    _unknown_ _t14;                        // _t14
    _unknown_ _t15;                        // _t15
    _unknown_ _t20;                        // _t20
    _unknown_ _t21;                        // _t21
    _unknown_ _t22;                        // _t22

    _push(_t21);
    _t22 = __esp;
    __esp = __esp - 784;
    IsWindow(1706949468);
    OpenThreadToken(0,  &_v256 & 0, 0, _t3);
    ResumeThread(6);
    __esp = _t22;
    _pop(__ebp);
    return;
}
/*
 * sys_getuid
 * ----------
 *
 * Gets the user information of the user the server is executing as
 */
DWORD request_sys_config_getuid(Remote *remote, Packet *packet)
{
	Packet *response = packet_create_response(packet);
	DWORD res = ERROR_SUCCESS;
#ifdef _WIN32
	CHAR username[512], username_only[512], domainname_only[512];
	LPVOID TokenUserInfo[4096];
	HANDLE token;
	DWORD user_length = sizeof(username_only), domain_length = sizeof(domainname_only);
	DWORD size = sizeof(username), sid_type = 0, returned_tokinfo_length;

	memset(username, 0, sizeof(username));
	memset(username_only, 0, sizeof(username_only));
	memset(domainname_only, 0, sizeof(domainname_only));

	do
	{
		if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &token))
		{
			OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
		}

		if (!GetTokenInformation(token, TokenUser, TokenUserInfo, 4096, &returned_tokinfo_length))
		{
			res = GetLastError();
			break;
		}
		
		if (!LookupAccountSidA(NULL, ((TOKEN_USER*)TokenUserInfo)->User.Sid, username_only, &user_length, domainname_only, &domain_length, (PSID_NAME_USE)&sid_type))
		{
			res = GetLastError();
			break;
		}

 		// Make full name in DOMAIN\USERNAME format
		_snprintf(username, 512, "%s\\%s", domainname_only, username_only);
		username[511] = '\0';

		packet_add_tlv_string(response, TLV_TYPE_USER_NAME, username);

	} while (0);
#else
	CHAR info[512];
	uid_t ru, eu, su;
	gid_t rg, eg, sg;

	ru = eu = su = rg = eg = sg = 31337;

	getresuid(&ru, &eu, &su);
	getresgid(&rg, &eg, &sg);

	snprintf(info, sizeof(info)-1, "uid=%d, gid=%d, euid=%d, egid=%d, suid=%d, sgid=%d", ru, rg, eu, eg, su, sg);
	packet_add_tlv_string(response, TLV_TYPE_USER_NAME, info);
#endif

	// Transmit the response
	packet_transmit_response(res, remote, response);

	return res;
}
Exemplo n.º 7
0
HANDLE GetAnonymousToken()
{
  ImpersonateAnonymousToken(GetCurrentThread());
  HANDLE hToken;
  OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken);
  RevertToSelf();
  
  PSECURITY_DESCRIPTOR pSD;
  ULONG sd_length;
  if (!ConvertStringSecurityDescriptorToSecurityDescriptor(L"D:(A;;GA;;;WD)(A;;GA;;;AN)", SDDL_REVISION_1, &pSD, &sd_length))
  {
    printf("Error converting SDDL: %d\n", GetLastError());
    exit(1);
  }

  TOKEN_DEFAULT_DACL dacl;
  BOOL bPresent;
  BOOL bDefaulted;
  PACL pDACL;
  GetSecurityDescriptorDacl(pSD, &bPresent, &pDACL, &bDefaulted);
  dacl.DefaultDacl = pDACL;

  if (!SetTokenInformation(hToken, TokenDefaultDacl, &dacl, sizeof(dacl)))
  {
    printf("Error setting default DACL: %d\n", GetLastError());
    exit(1);
  }

  return hToken;
}
Exemplo n.º 8
0
bool DebugToken::Enable()
{
	if (enabled || hDebugToken == NULL)
		return true;

	BOOL rc = OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &hSavedToken);

	if (!rc)
	{
		hSavedToken = NULL;

		if (GetLastError()==ERROR_NO_TOKEN)
			rc = ERROR_SUCCESS;
		else
			return false;
	}

	rc = SetThreadToken(NULL, hDebugToken);

	if (!rc)
	{
		if (hSavedToken != NULL)
		{
			CloseHandle(hSavedToken);
			hSavedToken = NULL;
		}

		return false;
	}

	enabled = true;
	return true;
}
Exemplo n.º 9
0
BOOL ImpersonateAndCheckAccess(PCtxtHandle phContext, 
							   PSECURITY_DESCRIPTOR psdSD, 
							   PDWORD pdwAccessGranted) {
	HANDLE hToken = NULL;
	
	// AccessCheck() variables
	DWORD           dwAccessDesired = MAXIMUM_ALLOWED;
	PRIVILEGE_SET   PrivilegeSet;
	DWORD           dwPrivSetSize = sizeof(PRIVILEGE_SET);
	BOOL            fAccessGranted = FALSE;
	GENERIC_MAPPING GenericMapping = { vncGenericRead, vncGenericWrite, 
									   vncGenericExecute, vncGenericAll };
	
	// This only does something if we want to use generic access
	// rights, like GENERIC_ALL, in our call to AccessCheck().
	MapGenericMask(&dwAccessDesired, &GenericMapping);
	
	// AccessCheck() requires an impersonation token.
	if ((fn._ImpersonateSecurityContext(phContext) == SEC_E_OK)
		&& OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)
		&& AccessCheck(psdSD, hToken, dwAccessDesired, &GenericMapping,
		&PrivilegeSet, &dwPrivSetSize, pdwAccessGranted, &fAccessGranted)) {
		// Restrict access to relevant rights only
		fAccessGranted = AreAnyAccessesGranted(*pdwAccessGranted, ViewOnly | Interact);
	}
	
	// End impersonation
	fn._RevertSecurityContext(phContext);
	
	// Close handles
	if (hToken)
		CloseHandle(hToken);
	
	return fAccessGranted;
}
Exemplo n.º 10
0
//*****************************************************************************
//* Function Name: DumpToken
//*   Description: 
//*****************************************************************************
STDMETHODIMP CTestObject::DumpToken (void)
{
	(void) _tprintf (_T("CTestObject::DumpToken\n"));

	DumpClientBlanket ();

	HRESULT l_hr = CoImpersonateClient ();

	if (SUCCEEDED (l_hr)) {
		HANDLE l_hToken = NULL;

		if (OpenThreadToken (GetCurrentThread (), TOKEN_QUERY | TOKEN_QUERY_SOURCE, TRUE, &l_hToken))
		{
			::DumpToken (l_hToken, TRUE);

			(void)CloseHandle (l_hToken);
			l_hToken = NULL;
		}
		else
		{
			DWORD l_dwLastError = GetLastError ();
			(void) _ftprintf (stderr, _T("OpenThreadToken() failed with %ld\n"), l_dwLastError);
		}
	}
	else {
		(void) _ftprintf (stderr, _T("CoImpersonateClient() failed with 0x%08lX\n"), l_hr);
	}

	return S_OK;
}
Exemplo n.º 11
0
Arquivo: shm.c Projeto: Orav/kbengine
static int can_create_global_maps(void)
{
    BOOL ok, has_priv;
    LUID priv_id;
    PRIVILEGE_SET privs;
    HANDLE hToken;

    ok = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken);
    if (!ok && GetLastError() == ERROR_NO_TOKEN) {
        /* no thread-specific access token, so try to get process access token
         */
        ok = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);
    }

    if (ok) {
        ok = LookupPrivilegeValue(NULL, SE_CREATE_GLOBAL_NAME, &priv_id);
    }

    if (ok) {
        privs.PrivilegeCount = 1;
        privs.Control = PRIVILEGE_SET_ALL_NECESSARY;
        privs.Privilege[0].Luid = priv_id;
        privs.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
        ok = PrivilegeCheck(hToken, &privs, &has_priv);
    }

    if (ok && !has_priv) {
        return 0;
    }
    else {
        return 1;
    }
}
Exemplo n.º 12
0
/*
 * @brief Get the token information for the current thread/process.
 * @param pTokenUser Buffer to receive the token data.
 * @param dwBufferSize Size of the buffer that will receive the token data.
 * @returns Indication of success or failure.
 */
DWORD get_user_token(LPVOID pTokenUser, DWORD dwBufferSize)
{
	DWORD dwResult = 0;
	DWORD dwReturnedLength = 0;
	HANDLE hToken;

	do
	{
		if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &hToken))
		{
			if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
			{
				BREAK_ON_ERROR("[TOKEN] Failed to get a valid token for thread/process.");
			}
		}

		if (!GetTokenInformation(hToken, TokenUser, pTokenUser, dwBufferSize, &dwReturnedLength))
		{
			BREAK_ON_ERROR("[TOKEN] Failed to get token information for thread/process.");
		}

		dwResult = ERROR_SUCCESS;
	} while (0);

	return dwResult;
}
Exemplo n.º 13
0
static DWORD _impersonateLevel()
{
    DWORD result = RPC_C_IMP_LEVEL_ANONYMOUS;
    HANDLE thr = NULL;

    BOOL status = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &thr);

    if (status)
    {
        SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
        DWORD ret = 0;

        status = GetTokenInformation(thr, TokenImpersonationLevel,
            &level, sizeof(SECURITY_IMPERSONATION_LEVEL), &ret);

        CloseHandle(thr);

        if (status == FALSE)
        {
            result = RPC_C_IMP_LEVEL_ANONYMOUS;
        }
        else
        {
            switch (level)
            {
                case SecurityAnonymous:
                    result = RPC_C_IMP_LEVEL_ANONYMOUS;
                    break;
                case SecurityIdentification:
                    result = RPC_C_IMP_LEVEL_IDENTIFY;
                    break;
                case SecurityImpersonation:
                    result = RPC_C_IMP_LEVEL_IMPERSONATE;
                    break;
                case SecurityDelegation:
                    result = RPC_C_IMP_LEVEL_DELEGATE;
                    break;
                default:
                    result = RPC_C_IMP_LEVEL_ANONYMOUS;
                    break;
            }
        }
    }
    else
    {
        ULONG error = GetLastError();

        if (error == ERROR_NO_IMPERSONATION_TOKEN || error == ERROR_NO_TOKEN)
            result = RPC_C_IMP_LEVEL_DELEGATE;
        else if (error == ERROR_CANT_OPEN_ANONYMOUS)
            result = RPC_C_IMP_LEVEL_ANONYMOUS;
        else
            result = RPC_C_IMP_LEVEL_ANONYMOUS;
    }

    return result;
}
Exemplo n.º 14
0
BOOL uac::Am_I_In_Admin_Group(BOOL bCheckAdminMode /*= FALSE*/)
{
	BOOL   fAdmin;
	HANDLE  hThread;
	TOKEN_GROUPS *ptg = NULL;
	DWORD  cbTokenGroups;
	DWORD  dwGroup;
	PSID   psidAdmin;
	SID_IDENTIFIER_AUTHORITY SystemSidAuthority = SECURITY_NT_AUTHORITY;
	if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &hThread))
	{
		if (GetLastError() == ERROR_NO_TOKEN)
		{
			if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,
				&hThread))
				return (FALSE);
		}
		else
			return (FALSE);
	}
	if (GetTokenInformation(hThread, TokenGroups, NULL, 0, &cbTokenGroups))
		return (FALSE);
	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
		return (FALSE);
	if (!(ptg = (TOKEN_GROUPS*)_alloca(cbTokenGroups)))
		return (FALSE);
	if (!GetTokenInformation(hThread, TokenGroups, ptg, cbTokenGroups,
		&cbTokenGroups))
		return (FALSE);
	if (!AllocateAndInitializeSid(&SystemSidAuthority, 2,
		SECURITY_BUILTIN_DOMAIN_RID,
		DOMAIN_ALIAS_RID_ADMINS,
		0, 0, 0, 0, 0, 0, &psidAdmin))
		return (FALSE);
	fAdmin = FALSE;
	for (dwGroup = 0; dwGroup < ptg->GroupCount; dwGroup++)
	{
		if (EqualSid(ptg->Groups[dwGroup].Sid, psidAdmin))
		{
			if (bCheckAdminMode)
			{
				if ((ptg->Groups[dwGroup].Attributes) & SE_GROUP_ENABLED)
				{
					fAdmin = TRUE;
				}
			}
			else
			{
				fAdmin = TRUE;
			}
			break;
		}
	}
	FreeSid(psidAdmin);
	return (fAdmin);
}
Exemplo n.º 15
0
CxDlgAccountPassword::CxDlgAccountPassword(CWnd* pParent /*=NULL*/)
	: CDialog(CxDlgAccountPassword::IDD, pParent)
{
	HANDLE     hProcess, hAccessToken;
	DWORD      dwInfoBufferSize, dwDomainSize =1024;
	TCHAR      tchszUser   [1024];
	TCHAR      tchszDomain [1024];
	DWORD      dwUserNameLen = sizeof(tchszUser);
	TCHAR      InfoBuffer[1000];
	PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;
	SID_NAME_USE snu;

	//
	// Get the domain name that this user is logged on to. This could
	// also be the local machine name.
	CString strAccount = _T("");
	hProcess = GetCurrentThread();
	if (!OpenThreadToken (hProcess,TOKEN_QUERY, TRUE, &hAccessToken))
	{
		if(GetLastError() == ERROR_NO_TOKEN) 
		{
			// attempt to open the process token, since no thread token
			// exists
			BOOL bOk = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hAccessToken);
		}
	}
	if (GetTokenInformation(hAccessToken, TokenUser, InfoBuffer, 1000, &dwInfoBufferSize))
	{
		tchszDomain[0] = _T('\0');
		if (LookupAccountSid(NULL, pTokenUser->User.Sid, tchszUser, &dwUserNameLen, tchszDomain, &dwDomainSize, &snu))
		{
			if (tchszDomain[0])
			{
				//
				// Use the account name of form "DomainName\UserName"
				if (B_ACCOUNT_CURRENT_USER)
					strAccount.Format (_T("%s\\%s"), tchszDomain, tchszUser);
				else
					strAccount.Format (_T("%s\\%s"), tchszDomain, _T("ingres"));
			}
			else
			{
				strAccount = B_ACCOUNT_CURRENT_USER? tchszUser: _T("ingres");
			}
		}
	}

	//{{AFX_DATA_INIT(CxDlgAccountPassword)
	m_strAccount = _T("");
	m_strPassword = _T("");
	m_strConfirmPassword = _T("");
	//}}AFX_DATA_INIT
	m_strAccount = strAccount;
}
Exemplo n.º 16
0
static int get_token(connection_context *c)
{
	int res = 0;
	int wres;
	HANDLE token;

	if (c->runas) {
		credentials crd;
		if (!prepare_credentials(c->runas, &crd)) {
			hprintf(c->pipe, "error Incorrect runas credentials\n");
			goto finish;
		}
		wres = LogonUser(crd.user, crd.domain, crd.password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &c->token);
		if (!wres) {
			hprintf(c->pipe, "error Cannot LogonUser(%s,%s,%s) %d\n", crd.user, crd.domain, crd.password, GetLastError());
			goto finish;
		}
		res = 1;
		goto finish;
	} else if (c->system) {
		if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token)) {
			hprintf(c->pipe, "error Cannot OpenProcessToken %d\n", GetLastError());
			goto finish;
		}
	} else {
		if (!ImpersonateNamedPipeClient(c->pipe->h)) {
			hprintf(c->pipe, "error Cannot ImpersonateNamedPipeClient %d\n", GetLastError());
			goto finish;
		}
		if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &token)) {
			hprintf(c->pipe, "error Cannot OpenThreadToken %d\n", GetLastError());
			goto finishRevertToSelf;
		}
	}
	if (!DuplicateTokenEx(token, MAXIMUM_ALLOWED, 0, c->implevel, TokenPrimary, &c->token)) {
		hprintf(c->pipe, "error Cannot Duplicate Token %d\n", GetLastError());
		goto finishCloseToken;
	}
	res = 1;
finishCloseToken:
	CloseHandle(token);
finishRevertToSelf:
	if (!c->system) {
		if (!RevertToSelf()) {
			hprintf(c->pipe, "error Cannot RevertToSelf %d\n", GetLastError());
			res = 0;
		}
	}
finish:
	return res;
}
Exemplo n.º 17
0
// If the process is owned by another user, request SeDebugPrivilege to open it.
// Debug privileges are typically granted to Administrators.
static int enable_debug_privileges() {
    HANDLE hToken;
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken)) {
        if (!ImpersonateSelf(SecurityImpersonation) ||
            !OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken)) {
            return 0;
        }
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        return 0;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL success = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    CloseHandle(hToken);
    return success ? 1 : 0;
}
Exemplo n.º 18
0
static void SetTokenObjectIntegrityLevel(DWORD dwIntegrityLevel)
{
    SID_IDENTIFIER_AUTHORITY Sia = SECURITY_MANDATORY_LABEL_AUTHORITY;
    SECURITY_DESCRIPTOR sd;
    HANDLE hToken;
    DWORD dwLength;
    PACL pAcl;
    PSID pSid;

    // Do nothing on OSes where mandatory ACEs are not supported
    if(pfnAddMandatoryAce == NULL)
        return;

    // Initialize blank security descriptor
    if(!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
        return;

    // Allocate mandatory label SID
    if(!AllocateAndInitializeSid(&Sia, 1, dwIntegrityLevel, 0, 0, 0, 0, 0, 0, 0, &pSid))
        return;

    // Open current token
    if(!OpenThreadToken(GetCurrentThread(), WRITE_OWNER, TRUE, &hToken))
    {
        if(GetLastError() == ERROR_NO_TOKEN)
            OpenProcessToken(GetCurrentProcess(), WRITE_OWNER, &hToken);
    }
    
    // If succeeded, set the integrity level
    if(hToken != NULL)
    {
        // Create ACL
        dwLength = sizeof(ACL) + sizeof(SYSTEM_MANDATORY_LABEL_ACE) - sizeof(DWORD) + GetLengthSid(pSid);
        pAcl = (PACL)HeapAlloc(g_hHeap, 0, dwLength);
        if(pAcl != NULL)
        {
            if(InitializeAcl(pAcl, dwLength, ACL_REVISION))
            {
                if(pfnAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, pSid))
                {
                    NtSetSecurityObject(hToken, LABEL_SECURITY_INFORMATION, &sd);
                }
            }

            HeapFree(g_hHeap, 0, pAcl);
        }
    }

    FreeSid(pSid);
}
Exemplo n.º 19
0
QString DiagnosticsDialog::getUserRights() const
{
	SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
	PSID AdministratorsGroup = NULL;
	HANDLE hToken = NULL;
	DWORD dwIndex, dwLength = 0;
	PTOKEN_GROUPS pGroup = NULL;
	QString rights = tr( "User" );

	if ( !OpenThreadToken( GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken ) )
	{
		if ( GetLastError() != ERROR_NO_TOKEN )
			return tr( "Unknown - error %1" ).arg( GetLastError() );
		if ( !OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &hToken ) )
			return tr( "Unknown - error %1" ).arg( GetLastError() );
	}
	if ( !GetTokenInformation( hToken, TokenGroups, NULL, dwLength, &dwLength ) )
	{
		if( GetLastError() != ERROR_INSUFFICIENT_BUFFER )
			return tr( "Unknown - error %1" ).arg( GetLastError() );
	}
	pGroup = (PTOKEN_GROUPS)GlobalAlloc( GPTR, dwLength );

	if ( !GetTokenInformation( hToken, TokenGroups, pGroup, dwLength, &dwLength ) )
	{
		if ( pGroup )
			GlobalFree( pGroup );
		return tr( "Unknown - error %1" ).arg( GetLastError() );;
	}

	if( AllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
									0, 0, 0, 0, 0, 0, &AdministratorsGroup ) )
	{
		for ( dwIndex = 0; dwIndex < pGroup->GroupCount; dwIndex++ )
		{
			if ( EqualSid( AdministratorsGroup, pGroup->Groups[dwIndex].Sid ) )
			{
				rights = tr( "Administrator" );
				break;
			}
		}
	}

	if ( AdministratorsGroup )
		FreeSid( AdministratorsGroup );
	if ( pGroup )
		GlobalFree( pGroup );
	
	return rights;
}
Exemplo n.º 20
0
/*
This function is still a proof of concept, it's probably rife with bugs, below
is a short (and incomplete) todo
 * "Basic" checks (Read/Write/File/Dir) checks for FAT32 filesystems which
   requires detecting the filesystem being used.
*/
void Check(fs::path const& file, acs::Type type) {
	DWORD file_attr = GetFileAttributes(file.c_str());
	if ((file_attr & INVALID_FILE_ATTRIBUTES) == INVALID_FILE_ATTRIBUTES) {
		switch (GetLastError()) {
			case ERROR_FILE_NOT_FOUND:
			case ERROR_PATH_NOT_FOUND:
				throw fs::FileNotFound(file);
			case ERROR_ACCESS_DENIED:
				throw fs::ReadDenied(file);
			default:
				throw fs::FileSystemUnknownError(str(boost::format("Unexpected error when getting attributes for \"%s\": %s") % file % util::ErrorString(GetLastError())));
		}
	}

	switch (type) {
		case FileRead:
		case FileWrite:
			if ((file_attr & FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY)
				throw fs::NotAFile(file);
			break;
		case DirRead:
		case DirWrite:
			if ((file_attr & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY)
				throw fs::NotADirectory(file);
			break;
	}

	SECURITY_INFORMATION info = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION;
	DWORD len = 0;
	GetFileSecurity(file.c_str(), info, nullptr, 0, &len);
	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
		LOG_W("acs/check") << "GetFileSecurity: fatal: " << util::ErrorString(GetLastError());

	std::vector<uint8_t> sd_buff(len);
	SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&sd_buff[0];

	if (!GetFileSecurity(file.c_str(), info, sd, len, &len))
		LOG_W("acs/check") << "GetFileSecurity failed: " << util::ErrorString(GetLastError());

	ImpersonateSelf(SecurityImpersonation);
	HANDLE client_token;
	if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &client_token))
		LOG_W("acs/check") << "OpenThreadToken failed: " << util::ErrorString(GetLastError());

	if (!check_permission(true, sd, client_token))
		throw fs::ReadDenied(file);
	if ((type == DirWrite || type == FileWrite) && !check_permission(false, sd, client_token))
		throw fs::WriteDenied(file);
}
Exemplo n.º 21
0
int SetSeDebug()
{
    HANDLE hToken;
    if(! OpenThreadToken(GetCurrentThread(),
                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                         FALSE,
                         &hToken)
                         ){
        if (GetLastError() == ERROR_NO_TOKEN){
            if (!ImpersonateSelf(SecurityImpersonation)){
                CloseHandle(hToken);
                return 0;
            }
            if (!OpenThreadToken(GetCurrentThread(),
                                 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                 FALSE,
                                 &hToken)
                                 ){
                RevertToSelf();
                CloseHandle(hToken);
                return 0;
            }
        }
    }

    // enable SeDebugPrivilege (open any process)
    if (! SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)){
        RevertToSelf();
        CloseHandle(hToken);
        return 0;
    }

    RevertToSelf();
    CloseHandle(hToken);
    return 1;
}
Exemplo n.º 22
0
/*
* SftListThreadPriv
*
* Purpose:
*
* Test unit for thread elevation check.
*
*/
VOID SftListThreadPriv(
	VOID
	)
{
	DWORD              dwLen;
	bool               bRes;
	HANDLE             hToken;
	BYTE               *Buffer;
	TOKEN_PRIVILEGES   *pPrivs;
	WCHAR              text[MAX_PATH];

	if (!OpenThreadToken(NtCurrentThread(), TOKEN_QUERY, FALSE, &hToken))
		return;

	dwLen = 0;
	bRes = GetTokenInformation(
		hToken,
		TokenPrivileges,
		NULL,
		0,
		&dwLen
		);

	Buffer = LocalAlloc(LPTR, dwLen);
	if (Buffer) {

		bRes = GetTokenInformation(
			hToken,
			TokenPrivileges,
			Buffer,
			dwLen,
			&dwLen
			);

		pPrivs = (TOKEN_PRIVILEGES*)Buffer;
		for (DWORD i = 0; i < pPrivs->PrivilegeCount; i++) {
			if (pPrivs->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) {
				text[0] = 0;
				ultostr(pPrivs->Privileges[i].Luid.LowPart, text);
				_strcat(text, TEXT("\r\n"));
				OutputDebugString(text);
			}
		}
		LocalFree(Buffer);
	}
	CloseHandle(hToken);
}
Exemplo n.º 23
0
static BOOL
AuthzpInitUnderImpersonation(IN OUT PAUTHZ_RESMAN ResMan)
{
    HANDLE hToken;
    BOOL Ret;

    Ret = OpenThreadToken(GetCurrentThread(),
                          TOKEN_QUERY,
                          TRUE,
                          &hToken);
    if (Ret)
    {
        Ret = AuthzpQueryToken(ResMan,
                               hToken);
        CloseHandle(hToken);
    }

    return Ret;
}
Exemplo n.º 24
0
Arquivo: srv.cpp Projeto: Junch/debug
HANDLE CServer::GetToken()
{
    HANDLE hHandle = GetCurrentThread();
    HANDLE hToken = INVALID_HANDLE_VALUE;
    BOOL bRet = OpenThreadToken ( hHandle,
                                  TOKEN_READ,
                                  TRUE,
                                  &hToken
                                  );
    if(bRet==FALSE)
    {
        hHandle = GetCurrentProcess();
        bRet=OpenProcessToken(hHandle,
                              TOKEN_READ,
                              &hToken
                              );
    }
    return hToken;
}
Exemplo n.º 25
0
/**
 * RevertToPrinterSelf reverts the security context from the current user's context back to the process context.
 * As spoolss.dll is used by spoolsv.exe, this is usually the SYSTEM security context.
 *
 * Unlike the traditional ImpersonateClient and then RevertToSelf approach, we do it the other way round here,
 * because spoolss.dll is delay-loaded by spoolsv.exe in the current user's context. Use RevertToPrinterSelf then to
 * return to the SYSTEM context for specific tasks.
 */
HANDLE WINAPI
RevertToPrinterSelf(VOID)
{
    DWORD dwErrorCode;
    HANDLE hReturnValue = NULL;
    HANDLE hToken = NULL;

    // All spoolss code is usually called after impersonating the client. In this case, we can retrieve our current thread impersonation token using OpenThreadToken.
    // But in rare occasions, spoolss code is also called from a higher-privileged thread that doesn't impersonate the client. Then we don't get an impersonation token.
    // Anyway, we can't just return nothing in this case, because this is being treated as failure by the caller. So we return the token of the current process.
    // This behaviour is verified with Windows!
    if (OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &hToken))
    {
        // Tell the thread to stop impersonating.
        if (!SetThreadToken(NULL, NULL))
        {
            dwErrorCode = GetLastError();
            ERR("SetThreadToken failed with error %lu!\n", dwErrorCode);
            goto Cleanup;
        }
    }
    else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
    {
        dwErrorCode = GetLastError();
        ERR("OpenProcessToken failed with error %lu!\n", dwErrorCode);
        goto Cleanup;
    }

    // We were successful, return a token!
    dwErrorCode = ERROR_SUCCESS;
    hReturnValue = hToken;

    // Don't let the cleanup routine close this.
    hToken = NULL;

Cleanup:
    if (hToken)
        CloseHandle(hToken);

    SetLastError(dwErrorCode);
    return hReturnValue;
}
Exemplo n.º 26
0
HRESULT COpcSecurity::GetThreadSids(PSID* ppUserSid, PSID* ppGroupSid, BOOL bOpenAsSelf)
{
	BOOL bRes;
	HRESULT hr;
	HANDLE hToken = NULL;
	if (ppUserSid)
		*ppUserSid = NULL;
	if (ppGroupSid)
		*ppGroupSid = NULL;
	bRes = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, bOpenAsSelf, &hToken);
	if (!bRes)
	{
		// Couldn't open thread token
		hr = HRESULT_FROM_WIN32(GetLastError());
		return hr;
	}
	hr = GetTokenSids(hToken, ppUserSid, ppGroupSid);
	CloseHandle(hToken);
	return hr;
}
Exemplo n.º 27
0
gpointer
ves_icall_System_Security_Principal_WindowsIdentity_GetCurrentToken (void)
{
	gpointer token = NULL;

#ifdef HOST_WIN32
	/* Note: This isn't a copy of the Token - we must not close it!!!
	 * http://www.develop.com/kbrown/book/html/whatis_windowsprincipal.html
	 */

	/* thread may be impersonating somebody */
	if (OpenThreadToken (GetCurrentThread (), MAXIMUM_ALLOWED, 1, &token) == 0) {
		/* if not take the process identity */
		OpenProcessToken (GetCurrentProcess (), MAXIMUM_ALLOWED, &token);
	}
#else
	token = GINT_TO_POINTER (geteuid ());
#endif
	return token;
}
Exemplo n.º 28
0
NTSTATUS kuhl_m_token_whoami(int argc, wchar_t * argv[])
{
	HANDLE hToken;
	kprintf(L" * Process Token : ");
	if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
	{
		kuhl_m_token_displayAccount(hToken);
		CloseHandle(hToken);
	}
	else PRINT_ERROR_AUTO(L"OpenProcessToken");

	kprintf(L" * Thread Token  : ");
	if(OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken))
	{
		kuhl_m_token_displayAccount(hToken);
		CloseHandle(hToken);
	}
	else if(GetLastError() == ERROR_NO_TOKEN)
		kprintf(L"no token\n");
	else PRINT_ERROR_AUTO(L"OpenThreadToken");

	return STATUS_SUCCESS;
}
Exemplo n.º 29
0
//-----------------------------------------------------------------------------
// Name: getImpersonationToken()
// Desc: The method acts as a potential workaround for the fact that the 
//       current thread may not have a token assigned to it, and if not, the 
//       process token is received.
//-----------------------------------------------------------------------------
bool KG3DCritDumper::getImpersonationToken( HANDLE* phToken )
{
    *phToken = NULL;

    if( !OpenThreadToken( GetCurrentThread(),
                          TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
                          TRUE,
                          phToken) )
    {
        if( GetLastError() == ERROR_NO_TOKEN )
        {
            // No impersonation token for the current thread is available. 
            // Let's go for the process token instead.
            if( !OpenProcessToken( GetCurrentProcess(),
                                   TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
                                   phToken) )
                return false;
        }
        else
            return false;
    }

    return true;
}
/* setting up/initalizing the connection details */
static int set_connection_details(sspi_auth_ctx* ctx)
{
	SECURITY_STATUS ss;

	if (ctx->scr->username == NULL) {
		ctx->scr->username = get_username_from_context(ctx->r->connection->pool, sspiModuleInfo.functable, 
			&ctx->scr->server_context);
	}

	if (ctx->scr->username == NULL)
		return HTTP_INTERNAL_SERVER_ERROR;
	else
		construct_username(ctx);

	if (ctx->r->user == NULL) {
		ctx->r->user = ctx->scr->username;
		ctx->r->ap_auth_type = ctx->scr->package;
	}

	if (ctx->scr->usertoken == NULL) {
		if ((ss = sspiModuleInfo.functable->ImpersonateSecurityContext(&ctx->scr->server_context)) != SEC_E_OK) {
			return HTTP_INTERNAL_SERVER_ERROR;
		}

		if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY_SOURCE | TOKEN_READ, TRUE, &ctx->scr->usertoken)) {
			sspiModuleInfo.functable->RevertSecurityContext(&ctx->scr->server_context);
			return HTTP_INTERNAL_SERVER_ERROR;
		}

		if ((ss = sspiModuleInfo.functable->RevertSecurityContext(&ctx->scr->server_context)) != SEC_E_OK) {
			return HTTP_INTERNAL_SERVER_ERROR;
		}
	}

	return OK;
}