
Changeset 14409 in vbox for trunk/src/VBox/Additions/WINNT


Timestamp:
Nov 20, 2008 1:19:20 PM (16 years ago)
Author:
vboxsync
Message:

Windows Guest Additions: VBoxService:

  • Fixes CR6768927 (Users logged into windows directly via RDP are not accounted for in vbox guest properties).
  • Added security checks for copied buffers.
  • Added some more logging.
Location:
trunk/src/VBox/Additions/WINNT/VBoxService
Files:
2 edited

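--- a/trunk/src/VBox/Additions/WINNT/VBoxService/VBoxVMInfoUser.cpp
+++ b/trunk/src/VBox/Additions/WINNT/VBoxService/VBoxVMInfoUser.cpp
@@ -151,17 +151,15 @@
     BOOL bFoundUser = FALSE;
     PSECURITY_LOGON_SESSION_DATA sessionData = NULL;
-    NTSTATUS ret = 0;
-    WCHAR szAuthPkg[256] = { 0 };
-    WCHAR szLogonDomain[256] = { 0 };
+    NTSTATUS r = 0;
     WCHAR *usBuffer = NULL;
-    int usLength = 0;
+    int iLength = 0;
 
     if (!a_pSession)
         return FALSE;
 
-    ret = LsaGetLogonSessionData (a_pSession, &sessionData);
-    if (ret != STATUS_SUCCESS)
-    {
-        Log(("vboxVMInfoThread: LsaGetLogonSessionData failed %lu\n", LsaNtStatusToWinError(ret)));
+    r = LsaGetLogonSessionData (a_pSession, &sessionData);
+    if (r != STATUS_SUCCESS)
+    {
+        Log(("vboxVMInfoThread: Users: LsaGetLogonSessionData failed %lu\n", LsaNtStatusToWinError(r)));
 
         if (sessionData)
@@ -173,7 +171,10 @@
     if (!sessionData)
     {
-        Log(("vboxVMInfoThread: Invalid logon session data.\n"));
+        Log(("vboxVMInfoThread: Users: Invalid logon session data.\n"));
         return FALSE;
     }
+
+    Log(("vboxVMInfoThread: Users: Session data: Name = %ls, Len = %d, SID = %s, LogonID = %d,%d\n",
+        (sessionData->UserName).Buffer, (sessionData->UserName).Length, (sessionData->Sid != NULL) ? "1" : "0", sessionData->LogonId.HighPart, sessionData->LogonId.LowPart));
 
     if ((sessionData->UserName.Buffer != NULL) &&
@@ -183,103 +184,113 @@
         /* Get the user name. */
         usBuffer = (sessionData->UserName).Buffer;
-        usLength = (sessionData->UserName).Length;
-        if (usLength > 256)
-        {
-            Log(("vboxVMInfoThread: User name too long for buffer! Length: %d, Buffer: 256\n", usLength));
-        }
-        else
-        {
-            /** @todo r=bird: Check this code for buffer overruns. the if check above is wrong as it's making assumptions about _MAX_PATH (which is 260 not 256 as stated). */
-            wcsncpy (a_pUserInfo->szUser, usBuffer, usLength);
-            wcscat (a_pUserInfo->szUser, L"");
-
-            usBuffer = (sessionData->AuthenticationPackage).Buffer;
-            usLength = (sessionData->AuthenticationPackage).Length;
-            wcsncpy (szAuthPkg, usBuffer, usLength);
-            wcscat (szAuthPkg, L"");
-
-            usBuffer = (sessionData->LogonDomain).Buffer;
-            usLength = (sessionData->LogonDomain).Length;
-            wcsncpy (szLogonDomain, usBuffer, usLength);
-            wcscat (szLogonDomain, L""); /** @todo r=bird: There is a potential buffer overrun here. */
-
-            /* Only handle users which can login interactively. */
-            if (    ((SECURITY_LOGON_TYPE)sessionData->LogonType == Interactive)
-                 && (sessionData->Sid != NULL))
+        iLength = (sessionData->UserName).Length;
+        if (iLength > sizeof(a_pUserInfo->szUser) - sizeof(TCHAR))   /* -sizeof(TCHAR) because we have to add the terminating null char at the end later. */
+        {
+            LogRel(("vboxVMInfoThread: Users: User name too long (%d bytes) for buffer! Name will be truncated.\n", iLength));
+            iLength = sizeof(a_pUserInfo->szUser) - sizeof(TCHAR);
+        }
+        wcsncpy (a_pUserInfo->szUser, usBuffer, iLength);
+        wcscat (a_pUserInfo->szUser, L"");      /* Add terminating null char. */
+
+        /* Get authentication package. */
+        usBuffer = (sessionData->AuthenticationPackage).Buffer;
+        iLength = (sessionData->AuthenticationPackage).Length;
+        if (iLength > sizeof(a_pUserInfo->szAuthenticationPackage) - sizeof(TCHAR))   /* -sizeof(TCHAR) because we have to add the terminating null char at the end later. */
+        {
+            LogRel(("vboxVMInfoThread: Users: Authentication pkg name too long (%d bytes) for buffer! Name will be truncated.\n", iLength));
+            iLength = sizeof(a_pUserInfo->szAuthenticationPackage) - sizeof(TCHAR);
+        }
+        wcsncpy (a_pUserInfo->szAuthenticationPackage, usBuffer, iLength);
+        wcscat (a_pUserInfo->szAuthenticationPackage, L"");     /* Add terminating null char. */
+
+        /* Get logon domain. */
+        usBuffer = (sessionData->LogonDomain).Buffer;
+        iLength = (sessionData->LogonDomain).Length;
+        if (iLength > sizeof(a_pUserInfo->szLogonDomain) - sizeof(TCHAR))   /* -sizeof(TCHAR) because we have to add the terminating null char at the end later. */
+        {
+            LogRel(("vboxVMInfoThread: Users: Logon domain name too long (%d bytes) for buffer! Name will be truncated.\n", iLength));
+            iLength = sizeof(a_pUserInfo->szLogonDomain) - sizeof(TCHAR);
+        }
+        wcsncpy (a_pUserInfo->szLogonDomain, usBuffer, iLength);
+        wcscat (a_pUserInfo->szLogonDomain, L"");       /* Add terminating null char. */
+
+        /* Only handle users which can login interactively or logged in remotely over native RDP. */
+        if (   (((SECURITY_LOGON_TYPE)sessionData->LogonType == Interactive)
+             || ((SECURITY_LOGON_TYPE)sessionData->LogonType == RemoteInteractive))
+             && (sessionData->Sid != NULL))
+        {
+            TCHAR szOwnerName [_MAX_PATH] = { 0 };
+            DWORD dwOwnerNameSize = _MAX_PATH;
+
+            TCHAR szDomainName [_MAX_PATH] = { 0 };
+            DWORD dwDomainNameSize = _MAX_PATH;
+
+            SID_NAME_USE ownerType;
+
+            if (LookupAccountSid(NULL,
+                                 sessionData->Sid,
+                                 szOwnerName,
+                                 &dwOwnerNameSize,
+                                 szDomainName,
+                                 &dwDomainNameSize,
+                                 &ownerType))
             {
-                TCHAR szOwnerName [_MAX_PATH] = { 0 };
-                DWORD dwOwnerNameSize = _MAX_PATH;
-
-                TCHAR szDomainName [_MAX_PATH] = { 0 };
-                DWORD dwDomainNameSize = _MAX_PATH;
-
-                SID_NAME_USE ownerType;
-
-                if (LookupAccountSid(NULL,
-                                     sessionData->Sid,
-                                     szOwnerName,
-                                     &dwOwnerNameSize,
-                                     szDomainName,
-                                     &dwDomainNameSize,
-                                     &ownerType))
+                Log(("vboxVMInfoThread: Users: Account User=%ls, Session=%ld, LUID=%ld,%ld, AuthPkg=%ls, Domain=%ls\n",
+                     a_pUserInfo->szUser, sessionData->Session, sessionData->LogonId.HighPart, sessionData->LogonId.LowPart, a_pUserInfo->szAuthenticationPackage, a_pUserInfo->szLogonDomain));
+
+                /* The session ID increments/decrements on Vista often! So don't compare
+                   the session data SID with the current SID here. */
+                DWORD dwActiveSession = 0;
+                if (a_pCtx->pfnWTSGetActiveConsoleSessionId != NULL)            /* Check terminal session ID. */
+                    dwActiveSession = a_pCtx->pfnWTSGetActiveConsoleSessionId();
+
+                /*Log(("vboxVMInfoThread: Users: Current active session ID: %ld\n", dwActiveSession));*/
+
+                if (SidTypeUser == ownerType)
                 {
-                    Log(("vboxVMInfoThread: Account User=%ls, Session=%ld, LUID=%ld,%ld, AuthPkg=%ls, Domain=%ls\n",
-                         a_pUserInfo->szUser, sessionData->Session, sessionData->LogonId.HighPart, sessionData->LogonId.LowPart, szAuthPkg, szLogonDomain));
-
-                    /* The session ID increments/decrements on Vista often! So don't compare
-                       the session data SID with the current SID here. */
-                    DWORD dwActiveSession = 0;
-                    if (a_pCtx->pfnWTSGetActiveConsoleSessionId != NULL)            /* Check terminal session ID. */
-                        dwActiveSession = a_pCtx->pfnWTSGetActiveConsoleSessionId();
-
-                    /*Log(("vboxVMInfoThread: Current active session ID: %ld\n", dwActiveSession));*/
-
-                    if (SidTypeUser == ownerType)
+                    LPWSTR pBuffer = NULL;
+                    DWORD dwBytesRet = 0;
+                    int iState = 0;
+
+                    if (WTSQuerySessionInformation(     /* Detect RDP sessions as well. */
+                        WTS_CURRENT_SERVER_HANDLE,
+                        WTS_CURRENT_SESSION,
+                        WTSConnectState,
+                        &pBuffer,
+                        &dwBytesRet))
                     {
-                        LPWSTR pBuffer = NULL;
-                        DWORD dwBytesRet = 0;
-                        int iState = 0;
-
-                        if (WTSQuerySessionInformation(     /* Detect RDP sessions as well. */
-                            WTS_CURRENT_SERVER_HANDLE,
-                            WTS_CURRENT_SESSION,
-                            WTSConnectState,
-                            &pBuffer,
-                            &dwBytesRet))
+                        /*Log(("vboxVMInfoThread: Users: WTSQuerySessionInformation returned %ld bytes, p=%p, state=%d\n", dwBytesRet, pBuffer, pBuffer != NULL ? (INT)*pBuffer : -1));*/
+                        if(dwBytesRet)
+                            iState = *pBuffer;
+
+                        if (    (iState == WTSActive)           /* User logged on to WinStation. */
+                             || (iState == WTSShadow)           /* Shadowing another WinStation. */
+                             || (iState == WTSDisconnected))    /* WinStation logged on without client. */
                         {
-                            /*Log(("vboxVMInfoThread: WTSQuerySessionInformation returned %ld bytes, p=%p, state=%d\n", dwBytesRet, pBuffer, pBuffer != NULL ? (INT)*pBuffer : -1));*/
-                            if(dwBytesRet)
-                                iState = *pBuffer;
-
-                            if (    (iState == WTSActive)           /* User logged on to WinStation. */
-                                 || (iState == WTSShadow)           /* Shadowing another WinStation. */
-                                 || (iState == WTSDisconnected))    /* WinStation logged on without client. */
-                            {
-                                /** @todo On Vista and W2K, always "old" user name are still there. Filter out the old! */
-                                Log(("vboxVMInfoThread: Account User=%ls is logged in via TCS/RDP. State=%d\n", a_pUserInfo->szUser, iState));
-                                bFoundUser = TRUE;
-                            }
-                        }
-                        else
-                        {
-                            /* Terminal services don't run (for example in W2K, nothing to worry about ...). */
-                            /* ... or is on Vista fast user switching page! */
+                            /** @todo On Vista and W2K, always "old" user name are still there. Filter out the old! */
+                            Log(("vboxVMInfoThread: Users: Account User=%ls is logged in via TCS/RDP. State=%d\n", a_pUserInfo->szUser, iState));
                             bFoundUser = TRUE;
                         }
-
-                        if (pBuffer)
-                            WTSFreeMemory(pBuffer);
-
-                        /* A user logged in, but it could be a stale/orphaned logon session. */
-                        BOOL bFoundInLUIDs = FALSE;
-                        for (DWORD dwIndex = 0; dwIndex < a_dwNumOfProcLUIDs; dwIndex++)
+                    }
+                    else
+                    {
+                        /* Terminal services don't run (for example in W2K, nothing to worry about ...). */
+                        /* ... or is on Vista fast user switching page! */
+                        bFoundUser = TRUE;
+                    }
+
+                    if (pBuffer)
+                        WTSFreeMemory(pBuffer);
+
+                    /* A user logged in, but it could be a stale/orphaned logon session. */
+                    BOOL bFoundInLUIDs = FALSE;
+                    for (DWORD dwIndex = 0; dwIndex < a_dwNumOfProcLUIDs; dwIndex++)
+                    {
+                        if (   (a_pLuid[dwIndex].HighPart == sessionData->LogonId.HighPart)
+                            && (a_pLuid[dwIndex].LowPart == sessionData->LogonId.LowPart))
                         {
-                            if (   (a_pLuid[dwIndex].HighPart == sessionData->LogonId.HighPart)
-                                && (a_pLuid[dwIndex].LowPart == sessionData->LogonId.LowPart))
-                            {
-                                bLoggedIn = TRUE;
-                                Log(("vboxVMInfoThread: User \"%ls\" is logged in!\n", a_pUserInfo->szUser));
-                                break;
-                            }
+                            bLoggedIn = TRUE;
+                            Log(("vboxVMInfoThread: Users: User \"%ls\" is logged in!\n", a_pUserInfo->szUser));
+                            break;
                         }
                     }
@@ -297,5 +308,5 @@
     PLUID pSessions = NULL;
     ULONG ulCount = 0;
-    NTSTATUS ret = 0;
+    NTSTATUS r = 0;
 
     int iUserCount = 0;
@@ -305,10 +316,10 @@
     /* This function can report stale or orphaned interactive logon sessions of already logged
        off users (especially in Windows 2000). */
-    ret = LsaEnumerateLogonSessions(&ulCount, &pSessions);
-    Log(("vboxVMInfoThread: Found %d users.\n", ulCount));
-
-    if (ret != STATUS_SUCCESS)
-    {
-        Log(("vboxVMInfoThread: LsaEnumerate failed %lu\n", LsaNtStatusToWinError(ret)));
+    r = LsaEnumerateLogonSessions(&ulCount, &pSessions);
+    Log(("vboxVMInfoThread: Users: Found %d users.\n", ulCount));
+
+    if (r != STATUS_SUCCESS)
+    {
+        Log(("vboxVMInfoThread: Users: LsaEnumerate failed %lu\n", LsaNtStatusToWinError(r)));
         return 1;
     }
@@ -356,5 +367,5 @@
     a_pCtx->cUsers = iUserCount;
 
-    return ret;
+    return r;
 }
 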
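Review bot: The new length checks in the three copy blocks (user name, authentication package, logon domain) mix units: `UNICODE_STRING.Length` and the `sizeof(...) - sizeof(TCHAR)` limit are byte counts, but the third argument of `wcsncpy` is a count of wide characters, so even a clamped `iLength` can make `wcsncpy` write (and zero-pad) roughly twice as many characters as the destination holds. `wcscat (dst, L"")` does not terminate anything either; it appends an empty string and must first find an existing terminator, so termination currently depends on `a_pUserInfo` having been zeroed by the caller, which is not visible here. Converting to a character count, clamping to the element count minus one and writing the terminator explicitly fixes both, as sketched below for the user name; the other two fields need the same change. The added session-data `Log` also passes `UserName.Buffer` to `%ls` before the NULL check that follows it, and LSA strings are not guaranteed to be NUL-terminated, so moving that log below the check would be safer. The enclosing function starts and ends outside the visible hunks.

```cpp
        usBuffer = (sessionData->UserName).Buffer;
        iLength = (sessionData->UserName).Length;            /* Length is in bytes, not characters. */
        size_t cwcUser = iLength / sizeof(WCHAR);
        const size_t cwcUserMax = sizeof(a_pUserInfo->szUser) / sizeof(a_pUserInfo->szUser[0]) - 1;
        if (cwcUser > cwcUserMax)
        {
            /* … unchanged: LogRel truncation message … */
            cwcUser = cwcUserMax;
        }
        wcsncpy (a_pUserInfo->szUser, usBuffer, cwcUser);
        a_pUserInfo->szUser[cwcUser] = L'\0';                /* Explicit terminator; wcscat(dst, L"") adds none. */
        /* … same pattern for szAuthenticationPackage and szLogonDomain … */
```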
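--- a/trunk/src/VBox/Additions/WINNT/VBoxService/VBoxVMInfoUser.h
+++ b/trunk/src/VBox/Additions/WINNT/VBoxService/VBoxVMInfoUser.h
@@ -25,5 +25,7 @@
 typedef struct _VBOXUSERINFO
 {
-    TCHAR szUser[_MAX_PATH];
+    TCHAR szUser [_MAX_PATH];
+    TCHAR szAuthenticationPackage [_MAX_PATH];
+    TCHAR szLogonDomain [_MAX_PATH];
 } VBOXUSERINFO;
 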
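Review bot: The two new fields are declared `TCHAR`, although VBoxVMInfoUser.cpp fills them with `wcsncpy` from `UNICODE_STRING` buffers, which are always wide. Declaring all three as `WCHAR`, e.g. `WCHAR szAuthenticationPackage [_MAX_PATH];`, would keep the destination type and the `sizeof`-based limits correct whether or not the build defines UNICODE, which is not visible here. A short comment on the struct would also help, stating that each field holds a NUL-terminated, possibly truncated copy and that `_MAX_PATH` is its capacity in characters, not bytes.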