Calls to LsapCallAuthenticationPackage are routed to LsaApCallPackageUntrusted instead of LsaApCallPackage for untrusted clients.
}
}
- Status = Package->LsaApCallPackage((PLSA_CLIENT_REQUEST)LogonContext,
- LocalBuffer,
- RequestMsg->CallAuthenticationPackage.Request.ProtocolSubmitBuffer,
- RequestMsg->CallAuthenticationPackage.Request.SubmitBufferLength,
- &RequestMsg->CallAuthenticationPackage.Reply.ProtocolReturnBuffer,
- &RequestMsg->CallAuthenticationPackage.Reply.ReturnBufferLength,
- &RequestMsg->CallAuthenticationPackage.Reply.ProtocolStatus);
+ if (LogonContext->Untrusted)
+ Status = Package->LsaApCallPackageUntrusted((PLSA_CLIENT_REQUEST)LogonContext,
+ LocalBuffer,
+ RequestMsg->CallAuthenticationPackage.Request.ProtocolSubmitBuffer,
+ RequestMsg->CallAuthenticationPackage.Request.SubmitBufferLength,
+ &RequestMsg->CallAuthenticationPackage.Reply.ProtocolReturnBuffer,
+ &RequestMsg->CallAuthenticationPackage.Reply.ReturnBufferLength,
+ &RequestMsg->CallAuthenticationPackage.Reply.ProtocolStatus);
+ else
+ Status = Package->LsaApCallPackage((PLSA_CLIENT_REQUEST)LogonContext,
+ LocalBuffer,
+ RequestMsg->CallAuthenticationPackage.Request.ProtocolSubmitBuffer,
+ RequestMsg->CallAuthenticationPackage.Request.SubmitBufferLength,
+ &RequestMsg->CallAuthenticationPackage.Reply.ProtocolReturnBuffer,
+ &RequestMsg->CallAuthenticationPackage.Reply.ReturnBufferLength,
+ &RequestMsg->CallAuthenticationPackage.Reply.ProtocolStatus);
if (!NT_SUCCESS(Status))
{
TRACE("Package->LsaApCallPackage() failed (Status 0x%08lx)\n", Status);
}
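Review bot: The new `if (LogonContext->Untrusted)` branch calls through `Package->LsaApCallPackageUntrusted` with no check in this hunk that the pointer is non-NULL. If a package can be loaded without that export (not visible here), the untrusted path should fail with an error status instead, e.g. `if (Package->LsaApCallPackageUntrusted == NULL) Status = STATUS_NOT_SUPPORTED;`. The TRACE that follows still names `LsaApCallPackage` for both branches, so a failure on the untrusted path is logged under the wrong entry point. Selecting the function pointer once and making a single call would also avoid repeating the seven-argument list. The enclosing function starts and ends outside the hunk.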
+static
+BOOL
+LsapIsTrustedClient(
+ _In_ HANDLE ProcessHandle)
+{
+ LUID TcbPrivilege = {SE_TCB_PRIVILEGE, 0};
+ HANDLE TokenHandle = NULL;
+ PTOKEN_PRIVILEGES Privileges = NULL;
+ ULONG Size, i;
+ BOOL Trusted = FALSE;
+ NTSTATUS Status;
+
+ Status = NtOpenProcessToken(ProcessHandle,
+ TOKEN_QUERY,
+ &TokenHandle);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = NtQueryInformationToken(TokenHandle,
+ TokenPrivileges,
+ NULL,
+ 0,
+ &Size);
+ if (!NT_SUCCESS(Status) && Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ Privileges = RtlAllocateHeap(RtlGetProcessHeap(), 0, Size);
+ if (Privileges == NULL)
+ goto done;
+
+ Status = NtQueryInformationToken(TokenHandle,
+ TokenPrivileges,
+ Privileges,
+ Size,
+ &Size);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ for (i = 0; i < Privileges->PrivilegeCount; i++)
+ {
+ if (RtlEqualLuid(&Privileges->Privileges[i].Luid, &TcbPrivilege))
+ {
+ Trusted = TRUE;
+ break;
+ }
+ }
+
+done:
+ if (Privileges != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Privileges);
+
+ if (TokenHandle != NULL)
+ NtClose(TokenHandle);
+
+ return Trusted;
+}
+
+
static NTSTATUS
LsapCheckLogonProcess(PLSA_API_MSG RequestMsg,
PLSAP_LOGON_CONTEXT *LogonContext)
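Review bot: The loop in `LsapIsTrustedClient` compares only the LUID and never reads `Privileges->Privileges[i].Attributes`, so a token that holds SeTcbPrivilege in a disabled state is reported as trusted. If the intent is that the privilege must be enabled, the test should also require `(Privileges->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED)`. The function would also benefit from a header comment stating its contract, for example `/* Returns TRUE only if the client's token contains SeTcbPrivilege; any failure to open or query the token yields FALSE. */`, because callers depend on which way it fails.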
NULL);
Status = NtOpenProcess(&ProcessHandle,
- PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE,
+ PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
&ObjectAttributes,
&RequestMsg->h.ClientId);
if (!NT_SUCCESS(Status))
TRACE("New LogonContext: %p\n", Context);
Context->ClientProcessHandle = ProcessHandle;
+ Context->Untrusted = RequestMsg->ConnectInfo.Untrusted;
+
+ if (Context->Untrusted == FALSE)
+ Context->Untrusted = LsapIsTrustedClient(ProcessHandle);
*LogonContext = Context;
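Review bot: The assignment `Context->Untrusted = LsapIsTrustedClient(ProcessHandle);` stores a "trusted" result in an "untrusted" flag, so the sense is inverted. A client that sends `ConnectInfo.Untrusted == FALSE` and lacks SeTcbPrivilege ends up with `Untrusted == FALSE` and is dispatched to `LsaApCallPackage`, while a caller that really holds the privilege is marked untrusted. Because `LsapIsTrustedClient` returns FALSE on every token open or query failure, those errors also land on the trusted path. The line should read `Context->Untrusted = !LsapIsTrustedClient(ProcessHandle);`, so that the client-supplied flag can only lower trust and failures fail closed. The body of `LsapCheckLogonProcess` continues outside this hunk.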
#include <ndk/obfuncs.h>
#include <ndk/psfuncs.h>
#include <ndk/rtlfuncs.h>
+#include <ndk/sefuncs.h>
#include <ndk/ketypes.h>
#include <ndk/setypes.h>
LIST_ENTRY Entry;
HANDLE ClientProcessHandle;
HANDLE ConnectionHandle;
+ BOOL Untrusted;
} LSAP_LOGON_CONTEXT, *PLSAP_LOGON_CONTEXT;
typedef struct _SAMPR_ULONG_ARRAY
ConnectInfoLength);
ConnectInfo.CreateContext = TRUE;
+ ConnectInfo.Untrusted = TRUE;
Status = NtConnectPort(LsaHandle,
&PortName,
ULONG Length;
CHAR LogonProcessNameBuffer[LSASS_MAX_LOGON_PROCESS_NAME_LENGTH + 1];
BOOL CreateContext;
+ BOOL Untrusted;
} LSA_CONNECTION_INFO, *PLSA_CONNECTION_INFO;