authorKevin Wasserman <kevin.wasserman@painless-security.com>2012-05-14 12:14:20 -0400
committerBen Kaduk <kaduk@mit.edu>2012-08-24 12:23:05 -0400
commit8020c64554dd25a4f09df8a28dca924c6ecb5608 (patch)
tree47a6e031fb6621fdcd60890981068ade4a20966f /src
parent9bc411e72fce5bed3ed00ae5b09f8c239309bae0 (diff)
Do not be over-restrictive in the presence of UAC
We used to explicitly check if a process was UAC-limited and deny all access to the TGT in that case; however, this makes the MSLSA cache effectively useless. Do not try to outsmart UAC, and let it do its own checking -- this allows UAC-limited access to the MSLSA ccache, which should mean read-write access to service tickets, and write-only access to the TGT. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> [kaduk@mit.edu: delete instead of comment out, move comment.] ticket: 7254 (new) queue: kfw target_version: 1.10.4 tags: pullup
Diffstat (limited to 'src')
-rw-r--r--src/lib/krb5/ccache/cc_mslsa.c43
1 files changed, 4 insertions, 39 deletions
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 698b62a244..f25658ebf1 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -172,37 +172,6 @@ is_windows_vista (void)
return fIsVista;
}
-static BOOL
-is_process_uac_limited (void)
-{
- static BOOL fChecked = FALSE;
- static BOOL fIsUAC = FALSE;
-
- if (!fChecked)
- {
- NTSTATUS Status = 0;
- HANDLE TokenHandle;
- DWORD ElevationLevel;
- DWORD ReqLen;
- BOOL Success;
-
- if (is_windows_vista()) {
- Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
- if ( Success ) {
- Success = GetTokenInformation( TokenHandle,
- TokenOrigin+1 /* ElevationLevel */,
- &ElevationLevel, sizeof(DWORD), &ReqLen );
- CloseHandle( TokenHandle );
- if ( Success && ElevationLevel == 3 /* Limited */ )
- fIsUAC = TRUE;
- }
- }
- fChecked = TRUE;
- }
- return fIsUAC;
-
-}
-
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
static BOOL
@@ -445,9 +414,6 @@ IsMSSessionKeyNull(KERB_CRYPTO_KEY *mskey)
{
DWORD i;
- if (is_process_uac_limited())
- return TRUE;
-
if (mskey->KeyType == KERB_ETYPE_NULL)
return TRUE;
@@ -1252,6 +1218,10 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ,
// tickets. This is safe to do because the LSA purges its cache when it
// retrieves a new TGT (ms calls this renew) but not when it renews the TGT
// (ms calls this refresh).
+// UAC-limited processes are not allowed to obtain a copy of the MSTGT
+// session key. We used to check for UAC-limited processes and refuse all
+// access to the TGT, but this makes the MSLSA ccache completely unusable.
+// Instead we ought to just flag that the tgt session key is not valid.
static BOOL
GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNAL_TICKET **ticket, BOOL enforce_tgs_enctypes)
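Review bot: The added comment's last sentence, "Instead we ought to just flag that the tgt session key is not valid", reads as a TODO, but this commit also deletes the UAC branch from IsMSSessionKeyNull, so nothing in the patch flags anything itself; the new code relies entirely on the LSA withholding the session key from a UAC-limited process. Since that is now the only enforcement point, the comment should state that dependency plainly rather than describe an intention, e.g. `// UAC-limited processes are not allowed to obtain a copy of the MSTGT`, `// session key. We no longer refuse TGT access ourselves; we rely on the LSA`, `// returning a null session key, which callers detect via IsMSSessionKeyNull().` Whether IsMSSessionKeyNull() recognizes every form of null key the LSA can return cannot be confirmed from this hunk, since only its KERB_ETYPE_NULL check is visible here. GetMSTGT's body continues outside the hunk.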
@@ -1279,11 +1249,6 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
int ignore_cache = 0;
krb5_enctype *etype_list = NULL, *ptr = NULL, etype = 0;
- if (is_process_uac_limited()) {
- Status = STATUS_ACCESS_DENIED;
- goto cleanup;
- }
-
memset(&CacheRequest, 0, sizeof(KERB_QUERY_TKT_CACHE_REQUEST));
CacheRequest.MessageType = KerbRetrieveTicketMessage;
CacheRequest.LogonId.LowPart = 0;