krb5 commit: Do not be over-restrictive in the presence of UAC
Benjamin Kaduk
kaduk at MIT.EDU
Fri Aug 24 12:24:15 EDT 2012
https://github.com/krb5/krb5/commit/8020c64554dd25a4f09df8a28dca924c6ecb5608
commit 8020c64554dd25a4f09df8a28dca924c6ecb5608
Author: Kevin Wasserman <kevin.wasserman at painless-security.com>
Date: Mon May 14 12:14:20 2012 -0400
Do not be over-restrictive in the presence of UAC
We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless.
Do not try to outsmart UAC, and let it do its own checking -- this allows
UAC-limited access to the MSLSA ccache, which should mean read-write
access to service tickets, and write-only access to the TGT.
Signed-off-by: Kevin Wasserman <kevin.wasserman at painless-security.com>
[kaduk at mit.edu: delete instead of comment out, move comment.]
ticket: 7254 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
src/lib/krb5/ccache/cc_mslsa.c | 43 +++------------------------------------
1 files changed, 4 insertions(+), 39 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 698b62a..f25658e 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -172,37 +172,6 @@ is_windows_vista (void)
return fIsVista;
}
-static BOOL
-is_process_uac_limited (void)
-{
- static BOOL fChecked = FALSE;
- static BOOL fIsUAC = FALSE;
-
- if (!fChecked)
- {
- NTSTATUS Status = 0;
- HANDLE TokenHandle;
- DWORD ElevationLevel;
- DWORD ReqLen;
- BOOL Success;
-
- if (is_windows_vista()) {
- Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
- if ( Success ) {
- Success = GetTokenInformation( TokenHandle,
- TokenOrigin+1 /* ElevationLevel */,
- &ElevationLevel, sizeof(DWORD), &ReqLen );
- CloseHandle( TokenHandle );
- if ( Success && ElevationLevel == 3 /* Limited */ )
- fIsUAC = TRUE;
- }
- }
- fChecked = TRUE;
- }
- return fIsUAC;
-
-}
-
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
static BOOL
@@ -445,9 +414,6 @@ IsMSSessionKeyNull(KERB_CRYPTO_KEY *mskey)
{
DWORD i;
- if (is_process_uac_limited())
- return TRUE;
-
if (mskey->KeyType == KERB_ETYPE_NULL)
return TRUE;
@@ -1252,6 +1218,10 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ,
// tickets. This is safe to do because the LSA purges its cache when it
// retrieves a new TGT (ms calls this renew) but not when it renews the TGT
// (ms calls this refresh).
+// UAC-limited processes are not allowed to obtain a copy of the MSTGT
+// session key. We used to check for UAC-limited processes and refuse all
+// access to the TGT, but this makes the MSLSA ccache completely unusable.
+// Instead we ought to just flag that the tgt session key is not valid.
static BOOL
GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNAL_TICKET **ticket, BOOL enforce_tgs_enctypes)
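Review bot: The last added comment line, "Instead we ought to just flag that the tgt session key is not valid", reads like unfinished work, although the mechanism already appears to be in place: with the explicit UAC check gone from IsMSSessionKeyNull (second hunk), a TGT whose session key the LSA withholds is presumably detected by the remaining `mskey->KeyType == KERB_ETYPE_NULL` test rather than by any code in this function. Since the STATUS_ACCESS_DENIED short-circuit is also removed from GetMSTGT (fourth hunk), the comment should say where enforcement now lives so nobody reintroduces a process-token check here; something like `// Instead we rely on the LSA returning a null session key in that case, which IsMSSessionKeyNull() detects via KERB_ETYPE_NULL.`, if that is indeed the path taken. The body of GetMSTGT continues outside this hunk.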
@@ -1279,11 +1249,6 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
int ignore_cache = 0;
krb5_enctype *etype_list = NULL, *ptr = NULL, etype = 0;
- if (is_process_uac_limited()) {
- Status = STATUS_ACCESS_DENIED;
- goto cleanup;
- }
-
memset(&CacheRequest, 0, sizeof(KERB_QUERY_TKT_CACHE_REQUEST));
CacheRequest.MessageType = KerbRetrieveTicketMessage;
CacheRequest.LogonId.LowPart = 0;