fix(ipc): add version check for security descriptor initialization
Add an OS version check to prevent failure on older Windows versions,
since the ALL APPLICATION PACKAGES principal was first introduced in
Windows 8, and the integrity mechanism was first introduced in Windows Vista.

Fixes #157
Prcuvu committed Mar 27, 2018
1 parent 28cdd09 commit b97ccff
Showing 2 changed files with 71 additions and 7 deletions.
76 changes: 70 additions & 6 deletions WeaselIPCServer/SecurityAttribute.cpp
@@ -1,18 +1,82 @@
#include "stdafx.h"
#include "SecurityAttribute.h"
#include <Sddl.h>
#include <VersionHelpers.hpp>

#ifndef SDDL_ALL_APP_PACKAGES
#define SDDL_ALL_APP_PACKAGES TEXT("AC")
#endif

#define LOW_INTEGRITY_SDDL_SACL SDDL_SACL \
SDDL_DELIMINATOR \
SDDL_ACE_BEGIN \
SDDL_MANDATORY_LABEL \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_NO_WRITE_UP \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_ML_LOW \
SDDL_ACE_END

#define LOCAL_SYSTEM_FILE_ACCESS SDDL_ACE_BEGIN \
SDDL_ACCESS_ALLOWED \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_FILE_ALL \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_LOCAL_SYSTEM \
SDDL_ACE_END

#define EVERYONE_FILE_ACCESS SDDL_ACE_BEGIN \
SDDL_ACCESS_ALLOWED \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_FILE_ALL \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_EVERYONE \
SDDL_ACE_END

#define ALL_APP_PACKAGES_FILE_ACCESS SDDL_ACE_BEGIN \
SDDL_ACCESS_ALLOWED \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_FILE_ALL \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_SEPERATOR \
SDDL_ALL_APP_PACKAGES \
SDDL_ACE_END

namespace weasel {

void SecurityAttribute::_Init()
{
// Privilages for UWP and IE protected mode
// Privileges for UWP and IE protected mode
// https://stackoverflow.com/questions/39138674/accessing-named-pipe-servers-from-within-ie-epm-bho
ConvertStringSecurityDescriptorToSecurityDescriptorW(
L"S:(ML;;NW;;;LW)D:(A;;FA;;;SY)(A;;FA;;;WD)(A;;FA;;;AC)",
SDDL_REVISION_1,
&pd,
NULL);
if (IsWindowsVistaOrGreater())
{
ConvertStringSecurityDescriptorToSecurityDescriptor(
IsWindows8OrGreater() ? LOW_INTEGRITY_SDDL_SACL
SDDL_DACL
SDDL_DELIMINATOR
LOCAL_SYSTEM_FILE_ACCESS
EVERYONE_FILE_ACCESS
ALL_APP_PACKAGES_FILE_ACCESS
: LOW_INTEGRITY_SDDL_SACL
SDDL_DACL
SDDL_DELIMINATOR
LOCAL_SYSTEM_FILE_ACCESS
EVERYONE_FILE_ACCESS,
SDDL_REVISION_1,
&pd,
NULL);
}

sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = pd;
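Review bot: `EVERYONE_FILE_ACCESS` and `ALL_APP_PACKAGES_FILE_ACCESS` still grant `SDDL_FILE_ALL` to Everyone and to all app packages, so on the IPC object this descriptor protects any local caller also receives DELETE, WRITE_DAC and WRITE_OWNER, not only read and write. If clients only need to connect and exchange messages (the call site is outside this hunk, so this is an assumption to confirm), the two macros could use `SDDL_FILE_READ SDDL_FILE_WRITE` in place of `SDDL_FILE_ALL` and leave full control to `SDDL_LOCAL_SYSTEM`. The BOOL result of `ConvertStringSecurityDescriptorToSecurityDescriptor` is also discarded, so a failed conversion leaves `pd` NULL and `sa` silently falls back to the default descriptor; checking the result and logging `GetLastError()` would make that visible. `_Init()` continues past the end of the hunk.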
2 changes: 1 addition & 1 deletion WeaselIPCServer/SecurityAttribute.h
Expand Up @@ -9,7 +9,7 @@ namespace weasel {
SECURITY_ATTRIBUTES sa;
void _Init();
public:
SecurityAttribute() { _Init(); }
SecurityAttribute() : pd(NULL) { _Init(); }
SECURITY_ATTRIBUTES *get_attr();
};
};
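Review bot: The reason `pd` has to start as NULL is not stated at the constructor: after this commit `_Init()` skips the conversion on systems older than Vista, and `pd` would otherwise be read uninitialised when it is assigned to `sa.lpSecurityDescriptor`. A one-line comment would keep the initialiser from being dropped later, for example `// pd stays NULL when _Init() skips the conversion; a NULL lpSecurityDescriptor selects the default descriptor`. The class body starts above the hunk, so whether `pd` is later released with `LocalFree` is not visible here.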
