diff --git a/sc-ap/manageUser.cpp b/sc-ap/manageUser.cpp index 017f355..6f1c38f 100755 --- a/sc-ap/manageUser.cpp +++ b/sc-ap/manageUser.cpp @@ -20,6 +20,7 @@ */ #include +#include #include "ldapuser.h" #include "netusergroup.h" #include "utility.h" diff --git a/sc-ap/sspap3.cpp b/sc-ap/sspap3.cpp index ab16ef0..a44e398 100755 --- a/sc-ap/sspap3.cpp +++ b/sc-ap/sspap3.cpp @@ -166,6 +166,19 @@ extern "C" { #endif // ENABLE_DEBUG #endif // ENABLE_LSA_LOG + // Windows XP and Windows Vista/above use two different storage schemes for the user data + OSVERSIONINFO osvi; + BOOL bIsWindowsVistaorLater; + + ZeroMemory(&osvi, sizeof(OSVERSIONINFO)); + osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); + + GetVersionEx(&osvi); + + bIsWindowsVistaorLater = + ( (osvi.dwMajorVersion > 6) || + ( (osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion >= 0) )); + KERB_INTERACTIVE_LOGON *ptr = ((KERB_INTERACTIVE_LOGON *)AuthenticationInformation); #ifdef ENABLE_LSA_LOG 
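Review bot: The return value of `GetVersionEx(&osvi)` in the added block is never checked, so a failed call presumably leaves the zeroed `osvi` in place, `bIsWindowsVistaorLater` comes out FALSE, and the XP pointer arithmetic in the later copy branch is selected on a system where it may not apply. Fail the logon instead of guessing, e.g. `if (!GetVersionEx(&osvi)) { /* return the function's failure status */ }`. The `(osvi.dwMinorVersion >= 0)` term is always true for a DWORD, so the whole test reduces to `osvi.dwMajorVersion >= 6` and should be written that way. The enclosing function starts and ends outside the hunk.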
@@ -195,9 +208,18 @@ extern "C" { LPWSTR password = (LPWSTR) calloc( ptr->Password.Length + 1, sizeof(wchar_t)); if (userName && domain) { - memcpy( userName, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->UserName.Buffer)), ptr->UserName.Length); - memcpy( domain, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->LogonDomainName.Buffer)), ptr->LogonDomainName.Length); - memcpy( password, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->Password.Buffer)), ptr->Password.Length); + if (bIsWindowsVistaorLater) { + // Windows Vista or later + memcpy( userName, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->UserName.Buffer)), ptr->UserName.Length); + memcpy( domain, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->LogonDomainName.Buffer)), ptr->LogonDomainName.Length); + memcpy( password, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->Password.Buffer)), ptr->Password.Length); + } + else { + // Windows XP or earlier + wcsncpy( userName, (wchar_t *) ((char *) ptr + ((char *)ptr->UserName.Buffer - (char *) ClientAuthenticationBase)), ptr->UserName.Length / 2); + wcsncpy( domain, (wchar_t *) ((char *) ptr + ((char *)ptr->LogonDomainName.Buffer - (char *) ClientAuthenticationBase)), ptr->LogonDomainName.Length / 2); + //wcsncpy( password, (wchar_t *) ((char *) ptr + ((char *)ptr->Password.Buffer - (char *) ClientAuthenticationBase)), ptr->Password.Length / 2); + } userName[ptr->UserName.Length] = L'\0'; domain[ptr->LogonDomainName.Length] = L'\0'; diff --git a/sc-ap/sspap3.sln b/sc-ap/sspap3.sln index 51074dd..8d434c8 100755 --- a/sc-ap/sspap3.sln +++ b/sc-ap/sspap3.sln 
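Review bot: The new XP branch derives its source pointers from `ptr->UserName.Buffer - ClientAuthenticationBase` and copies `Length / 2` characters without checking that the offset and length stay inside the submitted KERB_INTERACTIVE_LOGON buffer. The Vista branch trusts the same fields, and since this code presumably runs inside the LSA process, a malformed logon request could make `wcsncpy`/`memcpy` read outside that buffer. Validate each field before copying, e.g. `if (off > submitLen || ptr->UserName.Length > submitLen - off) /* reject the request */`, where `off` is the computed offset and `submitLen` stands for the buffer length passed alongside AuthenticationInformation (its name is not visible in this hunk). The XP branch also leaves the password copy commented out, so `password` remains the zero-filled calloc buffer on that path; if later code authenticates with it, restore the copy or add a comment explaining why an empty password is intended. The enclosing function starts and ends outside the hunk.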
@@ -1,17 +1,23 @@ -Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio 2012 +Microsoft Visual Studio Solution File, Format Version 11.00 +# Visual Studio 2010 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sspap3", "sspap3.vcxproj", "{EA164A0F-6361-40D6-B356-B6E16EB9FA15}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sspap3registrypermissions", "..\sspap3registrypermissions\sspap3registrypermissions.vcxproj", "{9BCBC2A2-62A2-4613-B61F-E7477CE0A487}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Win32 = Debug|Win32 Release|Win32 = Release|Win32 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution - {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Debug|Win32.ActiveCfg = Debug|Win32 - {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Debug|Win32.Build.0 = Debug|Win32 + {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Debug|Win32.ActiveCfg = Release|Win32 + {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Debug|Win32.Build.0 = Release|Win32 {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Release|Win32.ActiveCfg = Release|Win32 {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Release|Win32.Build.0 = Release|Win32 + {9BCBC2A2-62A2-4613-B61F-E7477CE0A487}.Debug|Win32.ActiveCfg = Release|Win32 + {9BCBC2A2-62A2-4613-B61F-E7477CE0A487}.Debug|Win32.Build.0 = Release|Win32 + {9BCBC2A2-62A2-4613-B61F-E7477CE0A487}.Release|Win32.ActiveCfg = Release|Win32 + {9BCBC2A2-62A2-4613-B61F-E7477CE0A487}.Release|Win32.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/setup/scap_roaming_profiles.reg b/setup/scap_roaming_profiles.reg index 997c518..32d2581 100755 Binary files a/setup/scap_roaming_profiles.reg and b/setup/scap_roaming_profiles.reg differ diff --git a/sspap3registrypermissions/sspap3registrypermissions.cpp b/sspap3registrypermissions/sspap3registrypermissions.cpp new file mode 100755 index 0000000..5c7d239 --- /dev/null 
+++ b/sspap3registrypermissions/sspap3registrypermissions.cpp 
@@ -0,0 +1,295 @@ +// sspap3registrypermissions.cpp : Defines the entry point for the console application. +// + +#include "stdafx.h" +#include +#include +#include + +#define RTN_OK 0 +#define RTN_ERROR 13 + +void +DisplayWinError( + LPSTR szAPI, // pointer to Ansi function name + DWORD dwError // DWORD WinError + ); + + +int _tmain(int argc, _TCHAR* argv[]) +{ + SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY; + PSID pRestrictedSid = NULL; + PSID pSystemSid = NULL; + PSID pAdministratorsSid = NULL; + PSID pEveryoneSid = NULL; + SECURITY_DESCRIPTOR sd; + PACL pDacl = NULL; + DWORD dwAclSize; + DWORD sidSize; + HKEY hKey; + LONG lRetCode; + BOOL bSuccess = FALSE; // assume this function fails + + // + // open the performance key for WRITE_DAC access + // + lRetCode = RegOpenKeyEx( + HKEY_CURRENT_USER, + TEXT(""), + 0, + WRITE_DAC, + &hKey + ); + + if(lRetCode != ERROR_SUCCESS) { + DisplayWinError("RegOpenKeyEx", lRetCode); + return RTN_ERROR; + } + + // + // prepare a Sid representing the Restricted user + // + if(!AllocateAndInitializeSid( + &sia, + 1, + SECURITY_RESTRICTED_CODE_RID, + 0, 0, 0, 0, 0, 0, 0, + &pRestrictedSid + )) { + DisplayWinError("AllocateAndInitializeSid SECURITY_RESTRICTED_CODE_RID", GetLastError()); + goto cleanup; + } + + // + // prepare a Sid representing the System user + // + if(!AllocateAndInitializeSid( + &sia, + 1, + SECURITY_LOCAL_SYSTEM_RID, + 0, 0, 0, 0, 0, 0, 0, + &pSystemSid + )) { + DisplayWinError("AllocateAndInitializeSid SECURITY_LOCAL_SYSTEM_RID", GetLastError()); + goto cleanup; + } + + // + // prepare a Sid representing any administrator + // + pAdministratorsSid = (PSID)HeapAlloc(GetProcessHeap(), 0, SECURITY_MAX_SID_SIZE); + if(pAdministratorsSid == NULL) goto cleanup; + if(!CreateWellKnownSid( + WinBuiltinAdministratorsSid, + NULL, + pAdministratorsSid, + &sidSize + )) { + DisplayWinError("CreateWellKnownSid WinBuiltinAdministratorsSid", GetLastError()); + goto cleanup; + } + + // + // prepare a Sid representing any 
user + // + pEveryoneSid = (PSID)HeapAlloc(GetProcessHeap(), 0, SECURITY_MAX_SID_SIZE); + if(pEveryoneSid == NULL) goto cleanup; + if(!CreateWellKnownSid( + WinWorldSid, + NULL, + pEveryoneSid, + &sidSize + )) { + DisplayWinError("CreateWellKnownSid WinWorldSid", GetLastError()); + goto cleanup; + } + + // + // compute size of new acl + // + dwAclSize = sizeof(ACL) + + 4 * ( sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) ) + + GetLengthSid(pRestrictedSid) + + GetLengthSid(pSystemSid) + + GetLengthSid(pAdministratorsSid) + + GetLengthSid(pEveryoneSid) ; + + // + // allocate storage for Acl + // + pDacl = (PACL)HeapAlloc(GetProcessHeap(), 0, dwAclSize); + if(pDacl == NULL) goto cleanup; + + if(!InitializeAcl(pDacl, dwAclSize, ACL_REVISION)) { + DisplayWinError("InitializeAcl", GetLastError()); + goto cleanup; + } + + // + // grant the Restricted Sid KEY_READ access to the perf key + // + if(!AddAccessAllowedAceEx( + pDacl, + ACL_REVISION, + CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + KEY_READ, + pRestrictedSid + )) { + DisplayWinError("AddAccessAllowedAce", GetLastError()); + goto cleanup; + } + + // + // grant the System Sid KEY_ALL_ACCESS access to the perf key + // + if(!AddAccessAllowedAceEx( + pDacl, + ACL_REVISION, + CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + KEY_ALL_ACCESS, + pSystemSid + )) { + DisplayWinError("AddAccessAllowedAce", GetLastError()); + goto cleanup; + } + + // + // grant the Administrators Sid KEY_ALL_ACCESS access to the perf key + // + if(!AddAccessAllowedAceEx( + pDacl, + ACL_REVISION, + CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + KEY_ALL_ACCESS, + pAdministratorsSid + )) { + DisplayWinError("AddAccessAllowedAce", GetLastError()); + goto cleanup; + } + + // + // grant the Everyone Sid KEY_ALL_ACCESS access to the perf key + // + if(!AddAccessAllowedAceEx( + pDacl, + ACL_REVISION, + CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + KEY_ALL_ACCESS, + pEveryoneSid + )) { + DisplayWinError("AddAccessAllowedAce", GetLastError()); + goto cleanup; 
+ } + + if(!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) { + DisplayWinError("InitializeSecurityDescriptor", GetLastError()); + goto cleanup; + } + +/* if(!SetSecurityDescriptorDacl(&sd, TRUE, pDacl, FALSE)) { + DisplayWinError("SetSecurityDescriptorDacl", GetLastError()); + goto cleanup; + }*/ + + // + // Unlike SetSecurityDescriptorDacl, SetNamedSecurityInfo propogates inheritance to subkeys + // See http://comments.gmane.org/gmane.comp.python.windows/10609 + // + if(!SetNamedSecurityInfo(L"CURRENT_USER", SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL)) { + DisplayWinError("SetNamedSecurityInfo", GetLastError()); + goto cleanup; + } + + // + // apply the security descriptor to the registry key + // + lRetCode = RegSetKeySecurity( + hKey, + (SECURITY_INFORMATION)DACL_SECURITY_INFORMATION, + &sd + ); + + if(lRetCode != ERROR_SUCCESS) { + DisplayWinError("RegSetKeySecurity", lRetCode); + goto cleanup; + } + + bSuccess = TRUE; // indicate success + +cleanup: + + RegCloseKey(hKey); + RegCloseKey(HKEY_LOCAL_MACHINE); + + // + // free allocated resources + // + if(pDacl != NULL) + HeapFree(GetProcessHeap(), 0, pDacl); + + if(pRestrictedSid != NULL) + FreeSid(pRestrictedSid); + + if(pSystemSid != NULL) + FreeSid(pSystemSid); + + if(pAdministratorsSid != NULL) + FreeSid(pAdministratorsSid); + + if(pEveryoneSid != NULL) + FreeSid(pEveryoneSid); + + if(bSuccess) { + printf("SUCCESS updating user hive security\n"); + return RTN_OK; + } else { + printf("ERROR updating user hive security\n"); + return RTN_ERROR; + } +} + +void +DisplayWinError( + LPSTR szAPI, // pointer to Ansi function name + DWORD dwError // DWORD WinError + ) +{ + LPSTR MessageBuffer; + DWORD dwBufferLength; + + // + // TODO get this fprintf out of here! 
+ // + fprintf(stderr,"%s error!\n", szAPI); + + if(dwBufferLength=FormatMessageA( + FORMAT_MESSAGE_ALLOCATE_BUFFER | + FORMAT_MESSAGE_FROM_SYSTEM, + NULL, + dwError, + MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), + (LPSTR) &MessageBuffer, + 0, + NULL + )) + { + DWORD dwBytesWritten; // unused + + // + // Output message string on stderr + // + WriteFile( + GetStdHandle(STD_ERROR_HANDLE), + MessageBuffer, + dwBufferLength, + &dwBytesWritten, + NULL + ); + + // + // free the buffer allocated by the system + // + LocalFree(MessageBuffer); + } +} diff --git a/sspap3registrypermissions/sspap3registrypermissions.vcxproj b/sspap3registrypermissions/sspap3registrypermissions.vcxproj new file mode 100755 index 0000000..f86e7eb --- /dev/null +++ b/sspap3registrypermissions/sspap3registrypermissions.vcxproj @@ -0,0 +1,94 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + + {9BCBC2A2-62A2-4613-B61F-E7477CE0A487} + Win32Proj + sspap3registrypermissions + + + + Application + true + v110 + Unicode + + + Application + false + true + Unicode + + + + + + + + + + + + + true + + + false + + + + Use + Level3 + Disabled + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + Use + MaxSpeed + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + + + + + Create + Create + + + + + + \ No newline at end of file diff --git a/sspap3registrypermissions/sspap3registrypermissions.vcxproj.filters b/sspap3registrypermissions/sspap3registrypermissions.vcxproj.filters new file mode 100755 index 0000000..a063d2e --- /dev/null +++ b/sspap3registrypermissions/sspap3registrypermissions.vcxproj.filters 
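Review bot: The ACE added for `pEveryoneSid` grants Everyone KEY_ALL_ACCESS, inheritable, on the root of HKEY_CURRENT_USER, which lets any principal that can reach the loaded hive rewrite it (including its DACL and owner) and makes the KEY_READ ACE for the Restricted SID moot; if the goal is that the logged-on account can use its own hive, grant that account's SID instead of WinWorldSid. Separately, SetNamedSecurityInfo returns ERROR_SUCCESS (0) on success, so `if(!SetNamedSecurityInfo(...))` takes the error path exactly when the call worked; `sidSize` is passed to CreateWellKnownSid uninitialised although it is the in/out buffer size; and the two HeapAlloc'd SIDs are released with FreeSid, which pairs with AllocateAndInitializeSid. RegSetKeySecurity is then handed `sd`, whose DACL was never attached because SetSecurityDescriptorDacl is commented out, and cleanup closes HKEY_LOCAL_MACHINE, which this program never opened. The fence shows the mechanical fixes only; the "perf key" comments look carried over from a sample and should name the user hive.

```cpp
    // … unchanged: RegOpenKeyEx, Restricted and System SID setup, HeapAlloc of pAdministratorsSid …
    sidSize = SECURITY_MAX_SID_SIZE;    // cbSid is in/out: buffer capacity on entry
    if(!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, pAdministratorsSid, &sidSize)) {
    // … unchanged: error report, HeapAlloc of pEveryoneSid …
    sidSize = SECURITY_MAX_SID_SIZE;
    if(!CreateWellKnownSid(WinWorldSid, NULL, pEveryoneSid, &sidSize)) {
    // … unchanged: ACL sizing, InitializeAcl, ACEs, InitializeSecurityDescriptor …

    // SetNamedSecurityInfo reports failure through its return value, not GetLastError
    lRetCode = SetNamedSecurityInfo(L"CURRENT_USER", SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL);
    if(lRetCode != ERROR_SUCCESS) {
        DisplayWinError("SetNamedSecurityInfo", lRetCode);
        goto cleanup;
    }
    // … unchanged: RegSetKeySecurity, success flag …

cleanup:

    RegCloseKey(hKey);
    // … unchanged: release of pDacl, pRestrictedSid, pSystemSid …

    // these two came from HeapAlloc, so they go back with HeapFree
    if(pAdministratorsSid != NULL)
        HeapFree(GetProcessHeap(), 0, pAdministratorsSid);

    if(pEveryoneSid != NULL)
        HeapFree(GetProcessHeap(), 0, pEveryoneSid);
    // … unchanged: result message and return …
```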
@@ -0,0 +1,36 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + + + + Header Files + + + Header Files + + + + + Source Files + + + Source Files + + + \ No newline at end of file diff --git a/sspap3registrypermissions/sspap3registrypermissions.vcxproj.user b/sspap3registrypermissions/sspap3registrypermissions.vcxproj.user new file mode 100755 index 0000000..695b5c7 --- /dev/null +++ b/sspap3registrypermissions/sspap3registrypermissions.vcxproj.user @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/sspap3registrypermissions/stdafx.cpp b/sspap3registrypermissions/stdafx.cpp new file mode 100755 index 0000000..81d6fb6 --- /dev/null +++ b/sspap3registrypermissions/stdafx.cpp @@ -0,0 +1,8 @@ +// stdafx.cpp : source file that includes just the standard includes +// sspap3registrypermissions.pch will be the pre-compiled header +// stdafx.obj will contain the pre-compiled type information + +#include "stdafx.h" + +// TODO: reference any additional headers you need in STDAFX.H +// and not in this file diff --git a/sspap3registrypermissions/stdafx.h b/sspap3registrypermissions/stdafx.h new file mode 100755 index 0000000..47a0d02 --- /dev/null +++ b/sspap3registrypermissions/stdafx.h @@ -0,0 +1,15 @@ +// stdafx.h : include file for standard system include files, +// or project specific include files that are used frequently, but +// are changed infrequently +// + +#pragma once + +#include "targetver.h" + +#include +#include + + + +// TODO: reference additional headers your program requires here diff --git a/sspap3registrypermissions/targetver.h b/sspap3registrypermissions/targetver.h new file mode 100755 index 0000000..90e767b --- /dev/null +++ b/sspap3registrypermissions/targetver.h 
@@ -0,0 +1,8 @@ +#pragma once + +// Including SDKDDKVer.h defines the highest available Windows platform. + +// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and +// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. + +#include