[Bug 36327] Dameware Mini Remote Control 10.x licensing tool (.NET 2.0 app ) fails during post-install step ( SE_SECURITY_NAME privilege of calling thread access token not respected when retrieving SACL via GetSecurityInfo )
wine-bugs at winehq.org
wine-bugs at winehq.org
Sun Mar 17 14:16:30 CDT 2019
https://bugs.winehq.org/show_bug.cgi?id=36327
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|advapi32 |wineserver
Summary|Dameware Mini Remote |Dameware Mini Remote
|Control 10.x licensing tool |Control 10.x licensing tool
|fails during post-install |(.NET 2.0 app) fails during
|step |post-install step
| |(SE_SECURITY_NAME privilege
| |of calling thread access
| |token not respected when
| |retrieving SACL via
| |GetSecurityInfo)
URL|http://downloads.solarwinds |https://web.archive.org/web
|.com/solarwinds/Release/Dam |/20190317110303/https://dow
|eWare/v10/DameWare-MRC32-Ev |nloads.solarwinds.com/solar
|al-v10.0.0.exe |winds/Release/DameWare/v10/
| |DameWare-MRC32-Eval-v10.0.0
| |.exe
--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
revisiting, still present.
Adding stable download from Internet archive:
https://web.archive.org/web/20190317110303/https://downloads.solarwinds.com/solarwinds/Release/DameWare/v10/DameWare-MRC32-Eval-v10.0.0.exe
The installer currently suffers from a regression -> bug 46833
Working around that it yields the same problem as years ago.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/ProgramData/SolarWinds/DameWare Development/MrcEXEs
$ WINEDEBUG=+seh,+relay,+msi,+server wine ./DWMRC10x_32.exe >>log.txt 2>&1
...
004a:trace:msi:HANDLE_CustomType34 cmd L"\"C:\\Program
Files\\SolarWinds\\DameWare Mini Remote Control
10.0\\SolarWinds.MRC.Licensor.exe\"" dir L"C:\\Program
Files\\SolarWinds\\DameWare Mini Remote Control 10.0\\"
004a:Call KERNEL32.CreateProcessW(00000000,008bcd48 L"\"C:\\Program
Files\\SolarWinds\\DameWare Mini Remote Control
10.0\\SolarWinds.MRC.Licensor.exe\"",00000000,00000000,00000000,00000000,00000000,008b40e0
L"C:\\Program Files\\SolarWinds\\DameWare Mini Remote Control
10.0\\",0032e9ac,0032e99c) ret=7badcd44
...
0060:Call advapi32.RegOpenKeyExW(000001fc,00919ff8
L"{15119A76-31E3-4C58-AD65-5BCCF704B5C5}",00000000,0002001f,0032f0ac)
ret=0036bd4b
0060: open_key( parent=01fc, access=0002001f, attributes=00000000,
name=L"{15119A76-31E3-4C58-AD65-5BCCF704B5C5}" )
0060: open_key() = OBJECT_NAME_NOT_FOUND { hkey=0000 }
0060:Ret advapi32.RegOpenKeyExW() retval=00000002 ret=0036bd4b
...
0060:Call advapi32.RegCreateKeyExW(000001fc,00919ff8
L"{15119A76-31E3-4C58-AD65-5BCCF704B5C5}",00000000,00000000,00000000,0002001f,00000000,0032f0b8,0032f148)
ret=0036be6f
0060: create_key( access=0002001f, options=00000000,
objattr={rootdir=01fc,attributes=00000000,sd={},name=L"{15119A76-31E3-4C58-AD65-5BCCF704B5C5}"},
class=L"" )
0060: create_key() = 0 { hkey=0200, created=1 }
0060:Ret advapi32.RegCreateKeyExW() retval=00000000 ret=0036be6f
...
0060:Call advapi32.OpenProcessToken(ffffffff,00000002,0032ef24) ret=0036a592
0060: open_token( handle=ffffffff, access=00000002, attributes=00000000,
flags=00000000 )
0060: open_token() = 0 { token=0208 }
0060:Ret advapi32.OpenProcessToken() retval=00000001 ret=0036a592
0060:Call KERNEL32.GetLastError() ret=0036a598
0060:Ret KERNEL32.GetLastError() retval=00000000 ret=0036a598
...
0060:Call advapi32.OpenThreadToken(fffffffe,00000028,00000001,0032ef4c)
ret=79f30451
0060: open_token( handle=fffffffe, access=00000028, attributes=00000000,
flags=00000003 )
0060: open_token() = NO_TOKEN { token=0000 }
0060:Ret advapi32.OpenThreadToken() retval=00000000 ret=79f30451
0060:Call KERNEL32.GetLastError() ret=79f061ff
0060:Ret KERNEL32.GetLastError() retval=000003f0 ret=79f061ff
...
0060:Call
advapi32.DuplicateTokenEx(00000208,0000002c,00000000,00000002,00000002,0032ef14)
ret=0408019e
0060: duplicate_token( handle=0208, access=0000002c, primary=0,
impersonation_level=2,
objattr={rootdir=0000,attributes=00000000,sd={},name=L""} )
0060: duplicate_token() = 0 { new_handle=020c }
0060:Ret advapi32.DuplicateTokenEx() retval=00000001 ret=0408019e
0060:Call KERNEL32.GetLastError() ret=040801a4
0060:Ret KERNEL32.GetLastError() retval=000003f0 ret=040801a4
...
0060:Call advapi32.SetThreadToken(00000000,0000020c) ret=7a02c163
0060: set_thread_info( handle=fffffffe, mask=4, priority=0, affinity=00000000,
entry_point=00000000, token=020c )
0060: set_thread_info() = 0
0060:Ret advapi32.SetThreadToken() retval=00000001 ret=7a02c163
...
0060:Call
advapi32.AdjustTokenPrivileges(0000020c,00000000,0032efe4,00000010,0032efd4,0032efd0)
ret=0036b972
0060: adjust_token_privileges( handle=020c, disable_all=0,
get_modified_state=1, privileges={{luid=0000000000000008,attr=2}} )
0060: adjust_token_privileges() = 0 { len=0000000c,
privileges={{luid=0000000000000008,attr=0}} }
0060:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=0036b972
0060:Call KERNEL32.GetLastError() ret=0036b978
0060:Ret KERNEL32.GetLastError() retval=00000000 ret=0036b978
...
0060:Call
advapi32.GetSecurityInfo(00000200,00000004,0000000f,0032f04c,0032f048,0032f044,0032f040,0032f03c)
ret=0036ba68
0060: get_security_object( handle=0200, security_info=0000000f )
0060: get_security_object() = ACCESS_DENIED { sd_len=00000000, sd={} }
0060:Ret advapi32.GetSecurityInfo() retval=00000005 ret=0036ba68
0060:Call KERNEL32.GetLastError() ret=0036ba6e
0060:Ret KERNEL32.GetLastError() retval=00000000 ret=0036ba6e
...
0060:Call KERNEL32.RaiseException(e0434f4d,00000001,00000001,0032ef38)
ret=79f97065
0060:trace:seh:raise_exception code=e0434f4d flags=1 addr=0x7b44c03b
ip=7b44c03b tid=0060
0060:trace:seh:raise_exception info[0]=80070005
0060:trace:seh:raise_exception eax=7b43a48d ebx=0015d9c8 ecx=00000000
edx=0032ef18 esi=0032ef18 edi=0032eee0
0060:trace:seh:raise_exception ebp=0032eeb8 esp=0032ee54 cs=320023 ds=32002b
es=f7c6002b fs=f7c60063 gs=f7c6006b flags=00200212
0060:trace:seh:call_stack_handlers calling handler at 0x79f9a3c8 code=e0434f4d
flags=1
0060:Call
msvcr80._except_handler4_common(7a381240,79e717fb,0032ee60,0032ef50,0032eb7c,0032ea4c)
ret=79f9a3e7
...
System.UnauthorizedAccessException: Attempted to perform an unauthorized
operation.
at System.Security.AccessControl.Win32.GetSecurityInfo(ResourceType
resourceType, String name, SafeHandle handle, AccessControlSections
accessControlSections, RawSecurityDescriptor& resultSd)
at
System.Security.AccessControl.NativeObjectSecurity.CreateInternal(ResourceType
resourceType, Boolean isContainer, String name, SafeHandle handle,
AccessControlSections includeSections, Boolean createByName,
ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.NativeObjectSecurity..ctor(Boolean
isContainer, ResourceType resourceType, SafeHandle handle,
AccessControlSections includeSections, ExceptionFromErrorCode
exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.RegistrySecurity..ctor(SafeRegistryHandle
hKey, String name, AccessControlSections includeSections)
at Microsoft.Win32.RegistryKey.GetAccessControl(AccessControlSections
includeSections)
at SolarWinds.Licensing.Framework.RegistryUtil.SetRegistryRights(RegistryKey
swKey, AccessControlSections section)
at SolarWinds.Licensing.Framework.RegistryUtil.SetRegistryRights(RegistryKey
swKey)
at SolarWinds.Licensing.Framework.RegistryUtil.GetRegistryKey(Boolean
writable)
at
SolarWinds.Licensing.Framework.RegistryUtil.GetDefaultSymmetricAlgorithm()
at
SolarWinds.Licensing.Framework.Store.LicenseStoreDAL.GetSymmetricAlgorithm(String&
defaultAlgo)
at SolarWinds.Licensing.Framework.Store.LicenseStoreDAL.InitializeStore()
at SolarWinds.Licensing.Framework.Store.LicenseStoreDAL..ctor()
at
SolarWinds.Licensing.Framework.Store.SingletonLicenseStoreFactory.get_StoreInstance()
at SolarWinds.Licensing.Framework.LicenseManager..ctor(ILicenseStore store,
IOnlineLicenseManager onlineManager)
at SolarWinds.Licensing.Framework.LicenseManager.GetInstance()
at SolarWinds.MRC.Licensor.Program.RunLicensingWindow(Boolean
silentInstallation, Dictionary`2 activationArguments, Boolean forceOnlineCheck)
at SolarWinds.MRC.Licensor.Program.Main(String[] args)
...
0060:trace:seh:start_debugger Starting debugger "winedbg --auto 95 528"
--- snip ---
Microsoft Core CLR:
https://github.com/dotnet/corefx/blob/master/src/System.Security.AccessControl/src/System/Security/AccessControl/NativeObjectSecurity.cs#L97
https://github.com/dotnet/corefx/blob/a10890f4ffe0fadf090c922578ba0e606ebdd16c/src/Microsoft.Win32.Registry/src/System/Security/AccessControl/RegistrySecurity.cs
App managed code:
--- snip ---
...
public static bool SetRegistryRights(RegistryKey swKey)
{
if (!Utility.IsAnAdministrator())
return false;
try
{
RegistryUtil.SetRegistryRights(swKey, AccessControlSections.All);
}
catch (PrivilegeNotHeldException ex)
{
Logger.Log.Info((object) "Caught expected PrivilegeNotHeldException:",
(Exception) ex);
Logger.Log.Info((object) "Attempting to set privs with reduced control
sections.");
RegistryUtil.SetRegistryRights(swKey, AccessControlSections.Access);
}
return true;
}
...
private static void SetRegistryRights(RegistryKey swKey,
AccessControlSections section)
{
AuthorizationRuleCollection accessRules =
swKey.GetAccessControl(section).GetAccessRules(true, false, typeof
(SecurityIdentifier));
RegistrySecurity registrySecurity = new RegistrySecurity();
foreach (AuthorizationRule authorizationRule in (ReadOnlyCollectionBase)
accessRules)
registrySecurity.AddAccessRule((RegistryAccessRule) authorizationRule);
RegistryAccessRule rule = new RegistryAccessRule((IdentityReference) new
SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, (SecurityIdentifier)
null), RegistryRights.FullControl, InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit, PropagationFlags.None,
AccessControlType.Allow);
registrySecurity.AddAccessRule(rule);
swKey.SetAccessControl(registrySecurity);
}
--- snip ---
Microsoft docs:
https://docs.microsoft.com/en-us/windows/desktop/secauthz/sacl-access-right
--- quote ---
SACL Access Right
The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the
SACL in an object's security descriptor. The system grants this access right
only if the SE_SECURITY_NAME privilege is enabled in the access token of the
requesting thread.
To access an object's SACL
1. Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME
privilege.
2. Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to
the object.
3. Get or set the object's SACL by using a function such as GetSecurityInfo or
SetSecurityInfo.
4. Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.
To access a SACL using the GetNamedSecurityInfo or SetNamedSecurityInfo
functions, enable the SE_SECURITY_NAME privilege. The function internally
requests the access right.
The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do
not control access to a SACL. However, you can use the ACCESS_SYSTEM_SECURITY
access right in a SACL to audit attempts to use the access right.
--- quote ---
Apparently wineserver doesn't honour SE_SECURITY_NAME privilege from calling
thread's access token when checking the access rights on the registry key. It
just compares the registry key access rights from the creation of the key
(0x2001f) with the get_security_object SACL_SECURITY_INFORMATION implied one
(0x1020000 -> READ_CONTROL | ACCESS_SYSTEM_SECURITY) which obviously fails.
$ sha1sum DameWare-MRC32-Eval-v10.0.0.exe
5181070b3c13720a14072dc50c1aa1f4b82b7e3a DameWare-MRC32-Eval-v10.0.0.exe
$ du -sh DameWare-MRC32-Eval-v10.0.0.exe
58M DameWare-MRC32-Eval-v10.0.0.exe
$ wine --version
wine-4.4
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list