build 0.7.2 / 5.49.0

CHANGELOG.md

@@ -13,6 +13,31 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 
 
+
+## [0.7.2 / 5.49.0] - 2021-03-04
+
+### Added
+- added option to alter reported windows version "OverrideOsBuild=7601" for window s7 sp1
+- the trace log can now be structures like a tree with process es as root items and threads as brnaches
+
+### Changed
+- SandboxieCrypto how always migrates the CatRoot2 files in order to prevent locking of real files
+- greately improved trace log performance
+- MSI Server can now run with the "FakeAdminRights=y" and "DropAdminRights=y" options
+-- Special service allowance for the MSI Server can be disabled with "MsiInstallerExemptions=n"
+- Changed SCM access check behavioure non elevated users can now start services with a user token
+-- Elevation now is only required to start services with a system token
+- Reworked the trace log mechanism to be more verbose
+- Reworked RPC mechanism to be more flexible
+
+### Fixed
+- fixed issues with some intallers introduced in 5.48.0
+- fixed add user to sandbox in the plus ui
+- FIXED SECURITY ISSUE: the HostInjectDll mechanism allowed for local privilege escalation (thanks hg421)
+- classic ui no longer allows to create a sandbox with an invalid or reserved device name
+
+
+
 ## [0.7.1 / 5.48.5] - 2021-02-21
 
 ### Added

Sandboxie/apps/com/Crypto/crypto.c

@@ -158,6 +158,23 @@ ALIGNED HANDLE my_CreateFileW(
             dwDesiredAccess = 0;
     }
 
+    //
+    // issue #561 Sandbox with some apps directly uses catdb than blocks access to it
+    // to prevent our instance form locking the real file we request write access
+    // that forces the file to be migrated and our sandboxed copy opened
+    //
+
+    WCHAR* CatRoot = wcsstr(lpFileName, L"\\system32\\CatRoot2\\");
+    if (CatRoot) { // L"C:\\WINDOWS\\system32\\CatRoot2\\{00000000-0000-0000-0000-000000000000}\\catdb"
+        WCHAR win_dir[MAX_PATH + 64];
+        GetWindowsDirectory(win_dir, MAX_PATH);
+        if (_wcsnicmp(win_dir, lpFileName, CatRoot - lpFileName) == 0) {
+            if (dwDesiredAccess == GENERIC_READ)
+                dwDesiredAccess |= GENERIC_WRITE;
+        }
+    }
+
+
     return ((P_CreateFileW)__sys_CreateFileW)(lpFileName, dwDesiredAccess, dwShareMode,
         lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
 }

Sandboxie/apps/com/common.h

@@ -493,7 +493,41 @@ BOOL my_QueryServiceStatusEx(
             // expect the service to NOT be stopped or stop-pending.
             // without this, MSI server gets CO_E_WRONG_SERVER_IDENTITY.
 
-            buf->dwProcessId = FindProcessId(_msiexec, TRUE);
+            //buf->dwProcessId = FindProcessId(_msiexec, TRUE);
+
+            WCHAR keyname[128];
+            wcscpy(keyname, L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\");
+            wcscat(keyname, L"MSIServer");
+
+            UNICODE_STRING objname;
+            RtlInitUnicodeString(&objname, keyname);
+
+            HANDLE hkey;
+            OBJECT_ATTRIBUTES objattrs;
+            InitializeObjectAttributes(&objattrs, &objname, OBJ_CASE_INSENSITIVE, NULL, NULL);
+            if (NT_SUCCESS(NtOpenKey(&hkey, KEY_QUERY_VALUE, &objattrs))) {
+
+                NTSTATUS status;
+                ULONG len;
+                UNICODE_STRING uni;
+                union {
+                    KEY_VALUE_PARTIAL_INFORMATION info;
+                    WCHAR info_space[256];
+                } u;
+
+                RtlInitUnicodeString(&uni, SBIE L"_ProcessId");
+                status = NtQueryValueKey(hkey, &uni, KeyValuePartialInformation, &u.info, sizeof(u), &len);
+
+                if (NT_SUCCESS(status) && u.info.Type == REG_DWORD && u.info.DataLength == 4) {
+
+                    ULONG pid;
+                    pid = *(ULONG*)u.info.Data;
+
+                    buf->dwProcessId = pid;
+                }
+
+                NtClose(hkey);
+            }
 
         }
         else if (hService == SC_HANDLE_EVENTSYSTEM) {

Sandboxie/apps/control/CreateDialog.cpp

@@ -175,6 +175,26 @@ void CCreateDialog::OnOK()
             errmsg = MSG_3668;
     }
 
+    if (!errmsg && len <= 8) {
+        static const WCHAR* deviceNames[] = {
+            L"aux", L"clock$", L"con", L"nul", L"prn",
+            L"com1", L"com2", L"com3", L"com4", L"com5",
+            L"com6", L"com7", L"com8", L"com9",
+            L"lpt1", L"lpt2", L"lpt3", L"lpt4", L"lpt5",
+            L"lpt6", L"lpt7", L"lpt8", L"lpt9",
+            NULL
+        };
+
+        for (ULONG devNum = 0; deviceNames[devNum]; ++devNum) {
+            const WCHAR* devName = deviceNames[devNum];
+            ULONG devNameLen = wcslen(devName);
+            if (_wcsnicmp(name, devName, devNameLen) == 0) {
+                errmsg = MSG_3667;
+                break;
+            }
+        }
+    }
+
     if (errmsg) {
 
         GetDlgItem(ID_CREATE_ERROR)->SetWindowText(CMyMsg(errmsg));

Sandboxie/apps/control/MonitorDialog.cpp

@@ -115,9 +115,9 @@ void CMonitorDialog::OnIdle()
     while (1) {
 
 		ULONG seq_num = m_last_entry_seq_num;
-        USHORT type;
-		ULONG64 pid;
-        ULONG64 tid;
+        ULONG type;
+        ULONG pid;
+        ULONG tid;
         ULONG status = SbieApi_MonitorGetEx(&seq_num, &type, &pid, &tid, &name[12]);
 		if (status != 0)
 			break; // error or no more entries
@@ -146,7 +146,7 @@ void CMonitorDialog::OnIdle()
         } else if (type & MONITOR_DENY) {
             name[9] = L'X';
         }
-		type &= 0x0FFF;
+		type &= MONITOR_TYPE_MASK;
 
         const WCHAR *PrefixPtr = _Unknown;
         if (type == MONITOR_SYSCALL)
@@ -171,7 +171,7 @@ void CMonitorDialog::OnIdle()
             PrefixPtr = _Other;
         wcsncpy(name, PrefixPtr, 9);
 
-		wsprintf(&name[wcslen(name)], L"; PID: %I64u", pid);
+		wsprintf(&name[wcslen(name)], L"; PID: %d", pid);
 
         int index = listbox->AddString(name);
 

Sandboxie/common/defines.h

@@ -52,6 +52,8 @@
 #endif
 
 #define DYNAMIC_PORT_NAME_CHARS     96  // number of wchars in an Epmapper dynamic endpoint port name
+#define DYNAMIC_PORT_ID_CHARS       81
+
 
 //---------------------------------------------------------------------------
 
@@ -86,15 +88,12 @@
 //#define wmemchr(mem,c, len)   memchr((mem), (c), (len)*sizeof(WCHAR))
 
 
-typedef enum {
-    SPOOLER_PORT,
-    WPAD_PORT,
-    GAME_CONFIG_STORE_PORT,
-    SMART_CARD_PORT,
-    BT_PORT,
-    SSDP_PORT,
-    NUM_DYNAMIC_PORTS
-} ENUM_DYNAMIC_PORT_TYPE;
+#define SPOOLER_PORT_ID				L"Spooler"
+#define WPAD_PORT_ID				L"WPAD"
+#define GAME_CONFIG_STORE_PORT_ID	L"GamePort"
+#define SMART_CARD_PORT_ID			L"SmartCard"
+#define BT_PORT_ID					L"bthserv"
+#define SSDP_PORT_ID				L"ssdpsrv"
 
 //---------------------------------------------------------------------------
 

Sandboxie/common/my_version.h

@@ -21,9 +21,9 @@
 #ifndef _MY_VERSION_H
 #define _MY_VERSION_H
 
-#define MY_VERSION_BINARY       5,48,5
-#define MY_VERSION_STRING       "5.48.5"
-#define MY_VERSION_COMPAT		"5.48.5" // this refers to the driver ABI compatibility
+#define MY_VERSION_BINARY       5,49,0
+#define MY_VERSION_STRING       "5.49.0"
+#define MY_VERSION_COMPAT		"5.49.0" // this refers to the driver ABI compatibility
 
 // These #defines are used by either Resource Compiler, or by NSIC installer
 #define SBIE_INSTALLER_PATH		"..\\Bin\\"

Sandboxie/core/dll/SboxDll.vcxproj

@@ -99,7 +99,6 @@
     <Link>
       <AdditionalDependencies>ntdll.lib;uuid.lib;kernel32.lib</AdditionalDependencies>
       <ModuleDefinitionFile>SboxDll32.def</ModuleDefinitionFile>
-      <BaseAddress>0x7D220000</BaseAddress>
       <EntryPointSymbol>DllMain</EntryPointSymbol>
       <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
       <OptimizeReferences>false</OptimizeReferences>
@@ -118,7 +117,6 @@
     </ClCompile>
     <Link>
       <AdditionalDependencies>ntdll.lib;uuid.lib;kernel32.lib</AdditionalDependencies>
-      <BaseAddress>0x7D220000</BaseAddress>
       <EntryPointSymbol>DllMain</EntryPointSymbol>
       <ModuleDefinitionFile>SboxDll64.def</ModuleDefinitionFile>
       <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
@@ -140,7 +138,6 @@
     <Link>
       <AdditionalDependencies>ntdll.lib;uuid.lib;kernel32.lib</AdditionalDependencies>
       <ModuleDefinitionFile>SboxDll32.def</ModuleDefinitionFile>
-      <BaseAddress>0x7D220000</BaseAddress>
       <EntryPointSymbol>DllMain</EntryPointSymbol>
       <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
       <OptimizeReferences>false</OptimizeReferences>
@@ -158,7 +155,6 @@
     </ClCompile>
     <Link>
       <AdditionalDependencies>ntdll.lib;uuid.lib;kernel32.lib</AdditionalDependencies>
-      <BaseAddress>0x7D220000</BaseAddress>
       <EntryPointSymbol>DllMain</EntryPointSymbol>
       <ModuleDefinitionFile>SboxDll64.def</ModuleDefinitionFile>
       <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
@@ -324,6 +320,12 @@
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
     </ClCompile>
+    <ClCompile Include="scm_msi.c">
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">true</ExcludedFromBuild>
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">true</ExcludedFromBuild>
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
+    </ClCompile>
     <ClCompile Include="scm_notify.c">
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">true</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">true</ExcludedFromBuild>

Sandboxie/core/dll/SboxDll.vcxproj.filters

@@ -180,6 +180,9 @@
     <ClCompile Include="file_copy.c">
       <Filter>file</Filter>
     </ClCompile>
+    <ClCompile Include="scm_msi.c">
+      <Filter>scm</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="advapi.h" />

Sandboxie/core/dll/SboxDll32.def

@@ -34,7 +34,7 @@ SbieApi_HookTramp=_SbieApi_HookTramp@8
 SbieApi_IsBoxEnabled=_SbieApi_IsBoxEnabled@4
 
 SbieApi_MonitorControl=_SbieApi_MonitorControl@8
-SbieApi_MonitorGet=_SbieApi_MonitorGet@8
+;;; SbieApi_MonitorGet=_SbieApi_MonitorGet@8
 SbieApi_MonitorGetEx=_SbieApi_MonitorGetEx@20
 SbieApi_MonitorPut=_SbieApi_MonitorPut@8
 SbieApi_MonitorPut2=_SbieApi_MonitorPut2@12

Sandboxie/core/dll/com.c

@@ -156,9 +156,9 @@ static void Com_Trace(
 
 static void Com_Trace2(
     const WCHAR* TraceType, REFCLSID rclsid, REFIID riid,
-    ULONG ProcNum, ULONG clsctx, HRESULT hr, USHORT monflag);
+    ULONG ProcNum, ULONG clsctx, HRESULT hr, ULONG monflag);
 
-static void Com_Monitor(REFCLSID rclsid, USHORT monflag);
+static void Com_Monitor(REFCLSID rclsid, ULONG monflag);
 
 #define HSTRING void*
 static HRESULT Com_RoGetActivationFactory(HSTRING activatableClassId, REFIID  iid, void** factory);
@@ -569,7 +569,7 @@ _FX HRESULT Com_CoGetClassObject(
 {
     static const WCHAR *TraceType = L"GETCLS";
     HRESULT hr;
-    USHORT monflag = 0;
+    ULONG monflag = 0;
 
     // debug tip. You can stop the debugger on a COM object load (instantiation) by uncommenting lines below.
 
@@ -620,7 +620,7 @@ _FX HRESULT Com_CoGetObject(
     GUID clsid;
     HRESULT hr;
     IClassFactory *pFactory;
-    USHORT monflag = 0;
+    ULONG monflag = 0;
     BOOLEAN IsOpenClsid = FALSE;
 
     if (_wcsnicmp(pszName, L"Elevation:Administrator!new:", 28) == 0) {
@@ -669,7 +669,7 @@ _FX HRESULT Com_CoCreateInstance(
     static const WCHAR *TraceType = L"CRE-IN";
     HRESULT hr;
     IClassFactory *pFactory;
-    USHORT monflag = 0;
+    ULONG monflag = 0;
 
     if (Com_IsClosedClsid(rclsid)) {
         *ppv = NULL;
@@ -739,7 +739,7 @@ _FX HRESULT Com_CoCreateInstanceEx(
     HRESULT hr;
     IClassFactory *pFactory;
     ULONG i;
-    USHORT monflag = 0;
+    ULONG monflag = 0;
 
     //
     // special cases
@@ -3316,7 +3316,7 @@ _FX void Com_Trace(
 
 _FX void Com_Trace2(
     const WCHAR* TraceType, REFCLSID rclsid, REFIID riid,
-    ULONG ProcNum, ULONG clsctx, HRESULT hr, USHORT monflag)
+    ULONG ProcNum, ULONG clsctx, HRESULT hr, ULONG monflag)
 {
     WCHAR *text;
     WCHAR *ptr;
@@ -3363,7 +3363,7 @@ _FX void Com_Trace2(
 //---------------------------------------------------------------------------
 
 
-_FX void Com_Monitor(REFCLSID rclsid, USHORT monflag)
+_FX void Com_Monitor(REFCLSID rclsid, ULONG monflag)
 {
     if (Dll_BoxName) {
 
@@ -3465,12 +3465,17 @@ _FX BOOLEAN Com_IsClosedRT(const wchar_t* strClassId)
             return TRUE;
     }
 
+    //
+    // this seams to be broken as well
+    //if (wcscmp(strClassId, L"Windows.UI.Notifications.ToastNotificationManager") == 0)
+    //    return TRUE;
+
     static const WCHAR* setting = L"ClosedRT";
     Com_LoadRTList(setting, &Com_ClosedRT);
 
     for (const WCHAR* pName = Com_ClosedRT; pName && *pName; pName += wcslen(pName) + 1) {
 
-        if (wcscmp(strClassId, pName) == 0) 
+        if (wcscmp(strClassId, pName) == 0 || wcscmp(pName, L"*") == 0)
             return TRUE; 
     }