Changeset 52907 in vbox for trunk/src/VBox/HostDrivers/Support/win

Timestamp:

Sep 30, 2014 7:15:29 PM (10 years ago)

Author:

vboxsync

Message:

SUP: Allow loading of administrator group owned DLLs in addition to localsystem and trustedinstaller.

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (5 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -145 +145 @@
                             g_TrustedInstallerSid,
 /** Local system ID (S-1-5-21). */
-                            g_LocalSystemSid;
+                            g_LocalSystemSid,
+/** Builtin Administrators group alias (S-1-5-32-544). */
+                            g_AdminsGroupSid;
 
 
@@ -452 +454 @@
      * the plugin loaded once it's installed (WinVerityTrust fails).
      *
-     * Note! We cannot really allow Builtin\Administrators here it's the default
-     *       owner of anything an admin user creates. (We must, unforutnately,
-     *       allow that in system32 though.)
+     * We'd like to avoid allowing Builtin\Administrators here since it's the
+     * default owner of anything an admin user creates (at least when elevated).
+     * Seems windows update or someone ends up installing or modifying system
+     * DLL ownership to this group, so for system32 and winsxs it's unavoidable.
+     * And, not surprise, a bunch of products, including AV, firewalls and similar
+     * ends up with their files installed with this group as owner.  For instance
+     * if we wish to have NAT continue working, we need to allow this.
+     *
+     * Hopefully, we can limit the allowed files to these owners though, so
+     * we won't be subject to ordinary (non-admin, or not elevated) users
+     * downloading or be tricked into putting evil DLLs around the place...
      */
     PSID pOwner = uBuf.Rel.Control & SE_SELF_RELATIVE ? &uBuf.abView[uBuf.Rel.Owner] : uBuf.Abs.Owner;
@@ -462 +472 @@
     if (RtlEqualSid(pOwner, &g_LocalSystemSid))
         return true;
+    if (RtlEqualSid(pOwner, &g_AdminsGroupSid))
+    {
+        SUP_DPRINTF(("%ls: Owner is administrators group.\n", pwszName));
+        return true;
+    }
 
     SUP_DPRINTF(("%ls: Owner is not trusted installer (%.*Rhxs)\n",
@@ -1082 +1097 @@
      * SECURITY_BUILTIN_DOMAIN_RID + DOMAIN_ALIAS_RID_ADMINS (with 4.3.16).
      */
+    /** @todo Since we're now allowing Builtin\Administrators after all, perhaps we
+     *        could drop these system32 + winsxs hacks?? */
     if (   (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
         && !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(pNtViRdr->hFile, pwszName))
@@ -1691 +1708 @@
                 *RtlSubAuthoritySid(&g_TrustedInstallerSid, 5) = 2271478464;
 
-                if (NT_SUCCESS(rcNt))
-                    rcNt = RtlInitializeSid(&g_LocalSystemSid, &s_NtAuth, 1);
+                rcNt = RtlInitializeSid(&g_LocalSystemSid, &s_NtAuth, 1);
                 if (NT_SUCCESS(rcNt))
                 {
                     *RtlSubAuthoritySid(&g_LocalSystemSid, 0) = SECURITY_LOCAL_SYSTEM_RID;
-                    return VINF_SUCCESS;
+
+                    rcNt = RtlInitializeSid(&g_AdminsGroupSid, &s_NtAuth, 2);
+                    if (NT_SUCCESS(rcNt))
+                    {
+                        *RtlSubAuthoritySid(&g_AdminsGroupSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
+                        *RtlSubAuthoritySid(&g_AdminsGroupSid, 1) = DOMAIN_ALIAS_RID_ADMINS;
+                        return VINF_SUCCESS;
+                    }
                 }
             }