5-12 C2

2025-07-25 23:14:54 +02:00 · 2016-05-12 19:17:41 -07:00 · 2016-05-12 19:17:41 -07:00 · a9f460a5c8
commit a9f460a5c8
parent fedeacacf5
2 changed files with 45 additions and 380 deletions
--- a/contrib/win32/win32compat/lsa/LsaString.cpp
+++ b/contrib/win32/win32compat/lsa/LsaString.cpp
@ -37,7 +37,6 @@
 #include <Ntsecapi.h>
 #endif
 #include "LsaString.h"
 #ifdef __VS_BUILD__
@ -89,8 +88,7 @@ fail:
      LsaApi.FreeLsaHeap((*lsaStr));
    }
-    
+
    DBG_MSG("ERROR. Cannot allocate LSA UNICODE_STRING...\n");
  }
  return ntStat;
@ -166,10 +164,6 @@ NTSTATUS FillUnicodeString(UNICODE_STRING *lsaStr, const Char *str)
 fail:
  if (ntStat)
  {
    DBG_MSG("ERROR. Cannot fill UNICODE_STRING...\n");    
  }
  return ntStat;  
 }
--- a/contrib/win32/win32compat/lsa/Ssh-lsa.cpp
+++ b/contrib/win32/win32compat/lsa/Ssh-lsa.cpp
@ -35,12 +35,8 @@
 #define UMDF_USING_NTSTATUS 
 #include <Windows.h>
 #include <LsaLookup.h>
 #include <Ntsecapi.h>
 #endif
 #include "Ssh-lsa.h"
 #ifdef __cplusplus
@ -98,8 +94,7 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId,
                                      PLSA_STRING confident,
                                      PLSA_STRING *pkgName)
 {
-  DBG_ENTRY("LsaApInitializePackage");
+  
  //
  // Save table with adresses of LSA API functions.
  //
@ -110,8 +105,7 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId,
  // Allocate buffer for package name.
  //
-  DBG_MSG("Allocating buffer for pkgName...\n");
+    
  *pkgName = (PLSA_STRING) LsaApi.AllocateLsaHeap(sizeof(LSA_STRING));
  (*pkgName) -> Buffer = (PCHAR) LsaApi.AllocateLsaHeap(PKG_NAME_SIZE);
@ -120,29 +114,14 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId,
  // Fill buffer with our name.
  //
-  DBG_MSG("Setting up pkgName...\n");
+    
  memcpy((*pkgName) -> Buffer, PKG_NAME, PKG_NAME_SIZE);
  (*pkgName) -> Length = PKG_NAME_SIZE - 1;
  (*pkgName) -> MaximumLength = PKG_NAME_SIZE;
  //
  // Initialize OpenSSL lib.
  //
  DBG_MSG("Initializing OpenSSL...\n");
  OPENSSL(SSL_library_init());
  DBG_MSG("Initializing OpenSSL digest table...\n");
  OPENSSL(OpenSSL_add_all_digests());
  DBG_LEAVE("LsaApInitializePackage");
  return STATUS_SUCCESS;
 }
@ -175,8 +154,7 @@ fail:
  if (exitCode)
  {
-    DBG_MSG("ERROR. Cannot to copy SID.\n");
+      }
  }
  return exitCode;
 }
@ -193,8 +171,7 @@ fail:
 Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
 {
-  DBG_ENTRY("LsaAllocTokenInfo");
+    
  Int exitCode = 1;
  DWORD cbSize = 0;
@ -215,8 +192,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
  // Allocate LSA_TOKEN_INFORMATION_V1 struct for output,
  //
-  DBG_MSG("Allocating LSA_TOKEN_INFORMATION_V1 buffer...\n");
+    
  tokenInfo = (PLSA_TOKEN_INFORMATION_V1) 
                   LsaApi.AllocateLsaHeap(sizeof(LSA_TOKEN_INFORMATION_V1));
@ -228,8 +204,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
  // becouse SIDs must be allocated as separately memory blocks.
  //
-  DBG_MSG("Copying TOKEN_USER...\n");
+  
  GetTokenInformation(token, TokenUser, NULL, 0, &cbSize);
  pUserToken = (PTOKEN_USER) LocalAlloc(LPTR, cbSize);
@ -245,8 +220,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
  // Copy TOKEN_GROUPS part from input token.
  //
-  DBG_MSG("Copying TOKEN_GROUP...\n");
+  
  GetTokenInformation(token, TokenGroups, NULL, 0, &cbSize);
  pGroupsToken = (PTOKEN_GROUPS) LocalAlloc(LPTR, cbSize);
@ -275,8 +249,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
  // in this struct, so we can retrieve it directly to output buffer.
  //
-  DBG_MSG("Retrieving TOKEN_PRIVILEGES directly...\n");
+    
  GetTokenInformation(token, TokenPrivileges, NULL, 0, &cbSize);
  tokenInfo -> Privileges = (PTOKEN_PRIVILEGES) LsaApi.AllocateLsaHeap(cbSize);
@ -288,8 +261,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
  // Copy TOKEN_OWNER part from input token.
  //
-  DBG_MSG("Copying TOKEN_OWNER...\n");
+  
  GetTokenInformation(token, TokenOwner, NULL, 0, &cbSize);
  pOwnerToken = (PTOKEN_OWNER) LocalAlloc(LPTR, cbSize);
@ -303,8 +275,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
  // Copy TOKEN_PRIMARY_GROUP part from input token.
  //  
-  DBG_MSG("Copying TOKEN_PRIMARY_GROUP...\n");
+  
  GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &cbSize);
  pPrimaryGroupToken = (PTOKEN_PRIMARY_GROUP) LocalAlloc(LPTR, cbSize);
@ -319,8 +290,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
  // Copy TOKEN_DEFAULT_DACL part from input token.
  //
-  DBG_MSG("Retrieving TOKEN_DEFAULT_DACL...\n");
+  
  //GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &cbSize);
  //pDaclToken = (PTOKEN_DEFAULT_DACL) LocalAlloc(LPTR, cbSize);
@ -352,153 +322,12 @@ fail:
  if (exitCode)
  {
-    DBG_MSG("ERROR. Cannot allocate token information.\n");
+      }
  }
  DBG_LEAVE("LsaAllocTokenInfo");
  return exitCode;
 }  
 //
 // This function performs user authorization.
 //
 // homedir - user's home dir if authorized success (OUT)
 // token   - handle to user access token (IN)
 // auth    - SshLsaAuth struct with authorization data (IN)
 // 
 // RETURNS: 0 if OK.
 //
 Int AuthorizeUser(wchar_t homeDir[MAX_PATH], HANDLE token, SshLsaAuth *auth)
 {
  DBG_ENTRY("AuthorizeUser");
  Int exitCode = 1;
  Int authorized = 0;
  PROFILEINFOW profile = {sizeof(PROFILEINFOW)};
  Key *key = NULL;
  wchar_t keyFileName[MAX_PATH];
  wchar_t *nextFile = NULL;
  //Char homeDir[MAX_PATH];
  DWORD homeDirSize = MAX_PATH;
  //
  // Compute adressess of SshLsaAuth fields. 
  //
  BYTE *userPtr = (BYTE *) &(auth -> buf_);
  BYTE *signPtr = (BYTE *) userPtr + auth -> userSize_;
  BYTE *dataPtr = (BYTE *) signPtr + auth -> signSize_;
  BYTE *blobPtr = (BYTE *) dataPtr + auth -> dataSize_;
  BYTE *authPtr = (BYTE *) blobPtr + auth -> pkBlobSize_;
  //
  // Create Key struct from pkBlob.
  //
  DBG_MSG("Reproduce Key struct from blob...n");
  FAIL(KeyFromBlob(key, blobPtr, auth -> pkBlobSize_));
  FAIL(key == NULL);
  //
  // Retrieve user's home directory.
  //
  DBG_MSG("Retrieving user's homedir...");
  profile.lpUserName = (wchar_t *) userPtr;
  FAIL(LoadUserProfileW(token, &profile) == FALSE);
  FAIL(GetUserProfileDirectoryW(token, homeDir, &homeDirSize) == FALSE);
  //
  // Try authorize using authkey files given by ssh.
  //
  nextFile = (wchar_t *) authPtr;
  for (Unsigned Int i = 0; Not(authorized) && i < auth -> authFilesCount_; i++)
  {
    wchar_t *fileToCheck = nextFile;
    DBG_MSG("Trying keys from [%ls]...\n", nextFile);
    //
    // Expand relative paths to user homedir like openssh do.
    //
    if (wcschr(nextFile, ':') == NULL)
    {
      DBG_MSG("Expanding relative path to user homedir.\n");
 #ifndef __VS_BUILD__
      snwprintf(keyFileName, sizeof(keyFileName), 
                    L"%ls\\%ls", homeDir, nextFile);
 #else
 	  _snwprintf(keyFileName, sizeof(keyFileName),
 		  L"%ls\\%ls", homeDir, nextFile);
 #endif
      fileToCheck = keyFileName;
    }
    //
    // Try to find key in next 'authorized_key' file.
    //
    if(FindKeyInFile(fileToCheck, key) == 0)
    {
      //
      // Verify given key.
      //
      DBG_MSG("Veryfing key...\n");
      authorized = (VerifyKey(key, signPtr, auth -> signSize_, 
                                  dataPtr, auth -> dataSize_, 
                                      auth -> dataFellow_) == 0);
    }
    //
    // Go to next file in list.
    //
    nextFile = wcschr(nextFile, 0) + sizeof(wchar_t);
  }
  FAIL(Not(authorized));
  exitCode = 0;
 fail:
  if (exitCode)
  {
    DBG_MSG("ERROR. Auhtorization failed (%u).\n", GetLastError());
    //
    // If authorization error clear homedir.
    //
    ZeroMemory(homeDir, MAX_PATH);
  }
  UnloadUserProfile(token, profile.hProfile);
  DBG_LEAVE("AuthorizeUser");
  return exitCode;
 }
 //
 // Called, when client logon process want logon user.
@ -527,8 +356,7 @@ NTSTATUS NTAPI
                   PLSA_UNICODE_STRING *accountName,
                   PLSA_UNICODE_STRING *authority)
 {
-  DBG_ENTRY("LsaApLogonUser");
+    
  NTSTATUS ntStat = STATUS_LOGON_FAILURE;
  Int exitCode = 1;
@ -538,8 +366,6 @@ NTSTATUS NTAPI
  //
  wchar_t *inUserName = NULL;
  SshLsaAuth *auth = (SshLsaAuth *) authData;
  //
  // Buffers used for retrieving user auth data from SAM database.
@ -579,38 +405,20 @@ NTSTATUS NTAPI
  // Check are input args ok?
  //
-  DBG_MSG("Checking input args...\n");
+    
  inUserName = (wchar_t *) (((char*)authData)+4);
-  FAIL(auth == NULL);
+    
-  
+    
  FAIL(auth -> buf_ == NULL);
  inUserName = (wchar_t *) auth -> buf_;
  DBG_MSG("Checking SshLsaAuth size...\n");
  FAIL(auth -> totalSize_ != authDataSize);
  DBG_MSG("logonType = %u\n", logonType);
  DBG_MSG("userName = [%ls]\n", inUserName);
  //
  // Get info about client process.
  //
-  DBG_MSG("Retreving info about client process...\n");
+    
  NTFAIL(LsaApi.GetClientInfo(&clientInfo));
-  DBG_MSG("Client info:\n");
+                
  DBG_MSG("  LogonId         : %d\n", clientInfo.LogonId);
  DBG_MSG("  ProcessID       : %d\n", clientInfo.ProcessID);
  DBG_MSG("  ThreadID        : %d\n", clientInfo.ThreadID);
  DBG_MSG("  HasTcbPrivilege : %d\n", clientInfo.HasTcbPrivilege);
  DBG_MSG("  Impersonating   : %d\n", clientInfo.Impersonating);
  DBG_MSG("  Restricted      : %d\n", clientInfo.Restricted);
  //
  // Fail if client has not got SeTcbPrivilege.
  //
@ -621,8 +429,7 @@ NTSTATUS NTAPI
  // Allocate buffers.
  //
-  DBG_MSG("Allocating string buffers...\n");
+    
  NTFAIL(LsaAllocUnicodeString(authority, MAX_ACCOUNT_NAME_SIZE));
  NTFAIL(LsaAllocUnicodeString(accountName, MAX_ACCOUNT_NAME_SIZE));
  NTFAIL(LsaAllocUnicodeString(&flatName, MAX_ACCOUNT_NAME_SIZE));
@ -631,8 +438,7 @@ NTSTATUS NTAPI
  // Retrieve user data from SAM base.
  //
-  DBG_MSG("GetAuthDataForUser()...\n");
+  
  lstrcpyW(samUserBuf, inUserName);
  samUserBuf[MAX_ACCOUNT_NAME_SIZE] = 0x00;
@ -642,14 +448,12 @@ NTSTATUS NTAPI
  NTFAIL(LsaApi.GetAuthDataForUser(&samUser, SecNameFlat, NULL,
                                      &userAuth, &userAuthSize, flatName));
-  DBG_MSG("userAuthSize = %u\n", userAuthSize);
+    
  //
  // Create token basing on SAM data.
  //
-  DBG_MSG("ConvertAuthDataToToken()...\n");
+  
  memcpy (tokenSource.SourceName, "_sshlsa_", 8);
  AllocateLocallyUniqueId(&tokenSource.SourceIdentifier);
@ -664,28 +468,17 @@ NTSTATUS NTAPI
  // Print token info.
  //
  DBG_PRINT_TOKEN(token);
  //
  // Perform authorization and retrieve homeDir if success.
  //
  DBG_MSG("Performing authorization...\n");
  FAIL(AuthorizeUser(homeDir, token, auth));
  //
  // Allocate client buffer and copy home dir to it.
  //
-  DBG_MSG("Filling profile buffer...\n");
+    
  NTFAIL(LsaApi.AllocateClientBuffer(request, MAX_PATH * sizeof(wchar_t), profile));
  *profileSize = MAX_PATH;
-  DBG_MSG("homeDir = %ls\n", homeDir);
+    
  NTFAIL(LsaApi.CopyToClientBuffer(request, MAX_PATH * sizeof(wchar_t), 
                                       *profile, homeDir));
@ -695,8 +488,7 @@ NTSTATUS NTAPI
  // here.
  //
-  DBG_MSG("Creating token infos for LSA output...\n");
+    
  PLSA_TOKEN_INFORMATION_V1 outTokenInfo;
  FAIL(LsaAllocTokenInfo(outTokenInfo, token));
@ -709,24 +501,9 @@ NTSTATUS NTAPI
  // Duplicate token from lsa space to client space.
  //
-  DBG_MSG("Duplicating token into client space...\n");
+    
  NTFAIL(LsaApi.DuplicateHandle(token, &clientToken));
  //
  // Create new logon session.
  //
  /*  
  DBG_MSG("Creating new logon session...\n");
  FAIL(AllocateLocallyUniqueId(logonId) == FALSE);
  *subStat = LsaApi.CreateLogonSession(logonId);
  FAIL(*subStat);
  */
  ntStat = STATUS_SUCCESS;
  exitCode = 0;
@ -735,9 +512,6 @@ fail:
  if (exitCode)
  {
    DBG_MSG("ERROR. Cannot logon user "
                "(err = %u, ntStat = %x, subNtStat = %x).\n",
                    GetLastError(), ntStat, *subStat);
    ntStat = STATUS_LOGON_FAILURE;
@ -749,8 +523,7 @@ fail:
  }
  else
  {
-    DBG_MSG("LsaApLogonUser : OK.\n");
+      }
  }
  //
  // Cleanup temporary buffers.
@ -758,12 +531,10 @@ fail:
  CloseHandle(token);
-  DBG_MSG("Freeing temp buffers...\n");
+    
  LsaFreeUnicodeString(flatName);
-  DBG_LEAVE("LsaApLogonUser");
+  
  return ntStat;
 }
@ -775,8 +546,7 @@ fail:
 VOID NTAPI LsaApLogonTerminated(PLUID logonId)
 {
-  DBG_MSG("LsaApLogonTerminated(id = %d)...\n", *logonId);
+  }
 }
 //
@ -800,18 +570,13 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes)
      // Initialize log.
      // 
-      DBG_INIT(NULL);
+            
-
+            
      DBG_MSG("DllMain -> DLL_PROCESS_ATTACH\n");
      DBG_MSG("[SSH-LSA-%s]\n", VERSION);
      //
      // Load 'ntdll.dll' module.
      //
-      DBG_MSG("Loading 'ntdll.dll' module...\n");
+        
      NtDll = GetModuleHandle("ntdll.dll");
      FAIL(NtDll == NULL);
@ -820,80 +585,12 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes)
      // Load RtlInitUnicodeString() function from 'ntdll.dll'.
      //
-      DBG_MSG("Retrieving 'RtlInitUnicodeString' address...\n");
+            
      RtlInitUnicodeString = (RtlInitUnicodeStringPtr) 
                                  GetProcAddress(NtDll, "RtlInitUnicodeString");
      FAIL(RtlInitUnicodeString == NULL);
      //
      // This code is code for dynamic, 'on the fly' OpenSSL libs loading.
      //
      #ifdef DYNAMIC_OPENSSL
        //
        // Load 'libssl.dll' module.
        //
        DBG_MSG("Loading 'libssl.dll' module...\n");
        LibSSL = LoadLibrary("libssl.dll");
        FAIL(LibSSL == NULL);
        //
        // Load 'libcrypto.dll' module.
        //
        DBG_MSG("Loading 'libcrypto.dll' module...\n");
        LibCrypto = LoadLibrary("libcrypto.dll");
        FAIL(LibCrypto == NULL);
        //
        // Load 'libSSL.dll' functions.
        //
        DynSSL.SSL_library_init = (SSL_library_init_Ptr) GetProcAddress(LibSSL, "SSL_library_init");
        //
        // Load 'libcrypto.dll' functions.
        //
        DynSSL.EVP_sha1         = (EVP_sha1_Ptr) GetProcAddress(LibCrypto, "EVP_sha1");
        DynSSL.EVP_DigestInit   = (EVP_DigestInit_Ptr) GetProcAddress(LibCrypto, "EVP_DigestInit");
        DynSSL.EVP_DigestFinal  = (EVP_DigestFinal_Ptr) GetProcAddress(LibCrypto, "EVP_DigestFinal");
        DynSSL.EVP_DigestUpdate = (EVP_DigestUpdate_Ptr) GetProcAddress(LibCrypto, "EVP_DigestUpdate");
        DynSSL.EVP_Digest       = (EVP_Digest_Ptr) GetProcAddress(LibCrypto, "EVP_Digest");
        DynSSL.EVP_get_digestbyname = (EVP_get_digestbyname_Ptr) GetProcAddress(LibCrypto, "EVP_get_digestbyname");
        DynSSL.DSA_SIG_free  = (DSA_SIG_free_Ptr) GetProcAddress(LibCrypto, "DSA_SIG_free");
        DynSSL.DSA_SIG_new   = (DSA_SIG_new_Ptr) GetProcAddress(LibCrypto, "DSA_SIG_new");
        DynSSL.DSA_do_verify = (DSA_do_verify_Ptr) GetProcAddress(LibCrypto, "DSA_do_verify");
        DynSSL.DSA_new       = (DSA_new_Ptr) GetProcAddress(LibCrypto, "DSA_new");
        DynSSL.DSA_free      = (DSA_free_Ptr) GetProcAddress(LibCrypto, "DSA_free");
        DynSSL.RSA_size      = (RSA_size_Ptr) GetProcAddress(LibCrypto, "RSA_size");
        DynSSL.RSA_new       = (RSA_new_Ptr) GetProcAddress(LibCrypto, "RSA_new");
        DynSSL.RSA_free      = (RSA_free_Ptr) GetProcAddress(LibCrypto, "RSA_free");
        DynSSL.BN_new        = (BN_new_Ptr) GetProcAddress(LibCrypto, "BN_new");
        DynSSL.BN_bin2bn     = (BN_bin2bn_Ptr) GetProcAddress(LibCrypto, "BN_bin2bn");
        DynSSL.BN_num_bits   = (BN_num_bits_Ptr) GetProcAddress(LibCrypto, "BN_num_bits");
        DynSSL.BN_cmp        = (BN_cmp_Ptr) GetProcAddress(LibCrypto, "BN_cmp");
        DynSSL.RSA_public_decrypt = (RSA_public_decrypt_Ptr) GetProcAddress(LibCrypto, "RSA_public_decrypt");
        DynSSL.OBJ_nid2sn = (OBJ_nid2sn_Ptr) GetProcAddress(LibCrypto, "OBJ_nid2sn");
        DynSSL.OpenSSL_add_all_digests = (OpenSSL_add_all_digests_Ptr) GetProcAddress(LibCrypto, "OpenSSL_add_all_digests");
      #endif
      break;
    }
@ -903,18 +600,8 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes)
    case DLL_PROCESS_DETACH:
    {
-      DBG_MSG("DllMain -> DLL_PROCESS_DETACH\n");
+            
      FreeModule(NtDll);
      #ifdef DYNAMIC_OPENSSL
        FreeModule(LibCrypto);
        FreeModule(LibSSL);
      #endif
    }
  }
@ -924,18 +611,8 @@ fail:
  if (exitCode == FALSE)
  {
-    DBG_MSG("ERROR. Cannot initialize DLL (%u).\n", GetLastError());
+    
    FreeModule(NtDll);
    #ifdef DYNAMIC_OPENSSL
      FreeModule(LibCrypto);
      FreeModule(LibSSL);
    #endif
  }
  return exitCode;
@ -953,9 +630,7 @@ NTSTATUS NTAPI LsaApCallPackagePassthrough(PLSA_CLIENT_REQUEST request,
                                           PULONG outBufSize,
                                           PNTSTATUS status)
 {
-  DBG_ENTRY("LsaApCallPackagePassthrough(");
+     
  DBG_LEAVE("LsaApCallPackagePassthrough(");
  return STATUS_NOT_IMPLEMENTED;
 }
@ -971,9 +646,7 @@ NTSTATUS NTAPI LsaApCallPackageUntrusted(PLSA_CLIENT_REQUEST request,
                                         PULONG outBufSize,
                                         PNTSTATUS status)
 {
-  DBG_ENTRY("LsaApCallPackageUntrusted");
+    
  DBG_LEAVE("LsaApCallPackageUntrusted");
  return STATUS_NOT_IMPLEMENTED;
 }
@ -986,9 +659,7 @@ NTSTATUS NTAPI LsaApCallPackage(PLSA_CLIENT_REQUEST request, PVOID submitBuf,
                                PVOID *outBuf, PULONG outBufSize,
                                PNTSTATUS status)
 {
-  DBG_ENTRY("LsaApCallPackage");
+     
  DBG_LEAVE("LsaApCallPackage");
  return STATUS_NOT_IMPLEMENTED;
 }