[Bug 41134] Foxit Reader 8.x service 'FoxitConnectedPDFService.exe' crashes on startup due to invalid database permissions ('ConvertStringSecurityDescriptorToSecurityDescriptor' SDDL / ACL parser must take whitespace between ACEs into account)
WineHQ Bugzilla
wine-bugs at winehq.org
Sat Jan 30 17:11:12 CST 2021
https://bugs.winehq.org/show_bug.cgi?id=41134
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |download
Summary|Error message when starting |Foxit Reader 8.x service
|foxit reader-802 |'FoxitConnectedPDFService.e
| |xe' crashes on startup due
| |to invalid database
| |permissions
| |('ConvertStringSecurityDesc
| |riptorToSecurityDescriptor'
| |SDDL / ACL parser must take
| |whitespace between ACEs
| |into account)
Status|UNCONFIRMED |NEW
URL| |https://web.archive.org/web
| |/20170204173145/http://cdn0
| |1.foxitsoftware.com/pub/fox
| |it/reader/desktop/win/8.x/8
| |.2/en_us/FoxitReader82_enu_
| |Setup_clean.exe
Component|-unknown |secur32
Ever confirmed|0 |1
CC| |focht at gmx.net
--- Comment #5 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
Adding stable download link via Internet Archive:
https://web.archive.org/web/20170204173145/http://cdn01.foxitsoftware.com/pub/foxit/reader/desktop/win/8.x/8.2/en_us/FoxitReader82_enu_Setup_clean.exe
The app is installed as auto-start service which makes this a bit annoying for
users who don't know how to disable it (remove / manual start type ... ).
--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FoxitReaderService]
"DisplayName"="Foxit Reader Service"
"ErrorControl"=dword:00000001
"ImagePath"="\"C:\\Program Files (x86)\\Foxit Software\\Foxit
Reader\\FoxitConnectedPDFService.exe\""
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000002
"Type"=dword:00000110
"WOW64"=dword:00000001
--- snip ---
Trace log of service startup:
--- snip ---
...
003c:trace:service:load_service_config Image path = L"\"C:\\Program
Files (x86)\\Foxit Software\\Foxit Reader\\FoxitConnectedPDFService.exe\""
003c:trace:service:load_service_config Group = (null)
003c:trace:service:load_service_config Service account name = L"LocalSystem"
003c:trace:service:load_service_config Display name = L"Foxit Reader
Service"
003c:trace:service:load_service_config Service dependencies : (none)
003c:trace:service:load_service_config Group dependencies : (none)
....
00d4:trace:service:svcctl_StartServiceW (0000000000038320, 0, 0000000000000000)
...
00d4:Call KERNEL32.CreateProcessW(00000000,00038360 L"\"C:\\Program Files
(x86)\\Foxit Software\\Foxit
Reader\\FoxitConnectedPDFService.exe\"",00000000,00000000,100000000,00000400,00045170,00000000,0120f3c0,0120f3a0)
ret=140006ae0
...
00d4:Ret KERNEL32.CreateProcessW() retval=00000001 ret=140006ae0
...
0100:trace:msvcrt:msvcrt_init_args got "\"C:\\Program Files (x86)\\Foxit
Software\\Foxit Reader\\FoxitConnectedPDFService.exe\"", wide = L"\"C:\\Program
Files (x86)\\Foxit Software\\Foxit Reader\\FoxitConnectedPDFService.exe\""
argc=1
...
0120:Call KERNEL32.CreateFileW(02026348 L"C:\\ProgramData\\Foxit
Software\\Foxit
Reader\\FoxitConnectPDF\\ConnectPDFLocalDatabase.db",80000000,00000003,00000000,00000003,00000080,00000000)
ret=01938508
...
0120:Call
ntdll.NtCreateFile(0244fa68,80100080,0244fa94,0244fa8c,00000000,00000080,00000003,00000001,00000060,00000000,00000000)
ret=7b012c09
0120:Ret ntdll.NtCreateFile() retval=c0000022 ret=7b012c09
0120:Call ntdll.RtlNtStatusToDosError(c0000022) ret=7b012cee
0120:Ret ntdll.RtlNtStatusToDosError() retval=00000005 ret=7b012cee
...
0120:Ret KERNEL32.CreateFileW() retval=ffffffff ret=01938508
0120:Call KERNEL32.GetLastError() ret=01938519
0120:Ret KERNEL32.GetLastError() retval=00000005 ret=01938519
...
0120:Call
KERNEL32.FormatMessageW(00001300,00000000,00000005,00000000,0244f84c,00000000,00000000)
ret=01936208
0120:Ret KERNEL32.FormatMessageW() retval=00000010 ret=01936208
0120:Call KERNEL32.WideCharToMultiByte(0000fde9,00000000,00181b98 L"Access
denied.\r\n",ffffffff,00000000,00000000,00000000,00000000) ret=01935ffb
...
0120:Call KERNEL32.RaiseException(e06d7363,00000001,00000003,0244fc98)
ret=01ac9791
0120:Call ntdll.memcpy(0244fbf8,0244fc98,0000000c) ret=7b00ff18
0120:Ret ntdll.memcpy() retval=0244fbf8 ret=7b00ff18
0120:trace:seh:dispatch_exception code=e06d7363 flags=1 addr=7B00FF28
ip=7b00ff28 tid=0120
0120:trace:seh:dispatch_exception info[0]=19930520
0120:trace:seh:dispatch_exception info[1]=0244fcc0
0120:trace:seh:dispatch_exception info[2]=01b4ff68
0120:trace:seh:dispatch_exception eax=0244fbe4 ebx=02025a10 ecx=0244fc98
edx=0000000c esi=00000003 edi=0244fc50
0120:trace:seh:dispatch_exception ebp=0244fc38 esp=0244fbe4 cs=7bc50023
ds=244002b es=7bc3002b fs=2440063 gs=006b flags=00000216
0120:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=e06d7363
flags=1
0120:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0120:trace:seh:call_stack_handlers calling handler at 01AF82E9 code=e06d7363
flags=1
0120:Call KERNEL32.GetLastError() ret=01ad2ee7
0120:Ret KERNEL32.GetLastError() retval=00000005 ret=01ad2ee7
...
0120:Call KERNEL32.MultiByteToWideChar(0000fde9,00000000,02025518
"SQLITE_CANTOPEN[14]: unable to open database file",00000031,00000000,00000000)
ret=019a5c69
...
0120:Call KERNEL32.RaiseException(e06d7363,00000001,00000003,0244fae0)
ret=01ac9791
0120:Call ntdll.memcpy(0244fa38,0244fae0,0000000c) ret=7b00ff18
0120:Ret ntdll.memcpy() retval=0244fa38 ret=7b00ff18
0120:trace:seh:dispatch_exception code=e06d7363 flags=1 addr=7B00FF28
ip=7b00ff28 tid=0120
0120:trace:seh:dispatch_exception info[0]=19930520
0120:trace:seh:dispatch_exception info[1]=0244fb00
0120:trace:seh:dispatch_exception info[2]=01b4ff68
0120:trace:seh:dispatch_exception eax=0244fa24 ebx=00000000 ecx=0244fae0
edx=0000000c esi=00000003 edi=0244fa90
0120:trace:seh:dispatch_exception ebp=0244fa78 esp=0244fa24 cs=7bc50023
ds=244002b es=7bc3002b fs=2440063 gs=006b flags=00000216
0120:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=e06d7363
flags=1
0120:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0120:trace:seh:call_stack_handlers calling handler at 01AF8AA8 code=e06d7363
flags=1
...
0120:Call KERNEL32.RaiseException(e06d7363,00000001,00000003,0244f9c0)
ret=01ac9791
0120:Call ntdll.memcpy(0244f918,0244f9c0,0000000c) ret=7b00ff18
0120:Ret ntdll.memcpy() retval=0244f918 ret=7b00ff18
0120:trace:seh:dispatch_exception code=e06d7363 flags=1 addr=7B00FF28
ip=7b00ff28 tid=0120
0120:trace:seh:dispatch_exception info[0]=19930520
0120:trace:seh:dispatch_exception info[1]=0244f9e0
0120:trace:seh:dispatch_exception info[2]=01b4ff68
0120:trace:seh:dispatch_exception eax=0244f904 ebx=02025a10 ecx=0244f9c0
edx=0000000c esi=00000003 edi=0244f970
0120:trace:seh:dispatch_exception ebp=0244f958 esp=0244f904 cs=7bc50023
ds=244002b es=7bc3002b fs=2440063 gs=006b flags=00000212
0120:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=e06d7363
flags=1
0120:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0120:trace:seh:call_stack_handlers calling handler at 01AF83D8 code=e06d7363
flags=1
...
0120:Call KERNEL32.IsDebuggerPresent() ret=00501615
0120:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=00501615
0120:Call KERNEL32.SetUnhandledExceptionFilter(00000000) ret=0050161f
0120:Ret KERNEL32.SetUnhandledExceptionFilter() retval=00505af8 ret=0050161f
0120:Call KERNEL32.UnhandledExceptionFilter(0244edf4) ret=0050162c
...
0120:trace:seh:start_debugger Starting debugger L"winedbg --auto 252 304"
...
0128:Call user32.SetDlgItemTextW(0002003e,00000065,0031efc0 L"The program
FoxitConnectedPDFService.exe has encountered a serious problem and needs to
close. We are sorry for the inconvenience.") ret=7e956723
--- snip ---
Checking on the database file:
--- snip ---
$ ll .wine/drive_c/ProgramData/Foxit\ Software/Foxit\ Reader/FoxitConnectPDF/
total 4
----------. 1 focht focht 0 Jan 30 21:15 ConnectPDFLocalDatabase.db
drwxrwxr-x. 2 focht focht 4096 Jan 30 21:15 Log
--- snip ---
Whoops, that's not going to work. After fixing the file permissions the service
starts successfully and the SQLite db is filled with content:
--- snip ---
$ ll .wine/drive_c/ProgramData/Foxit\ Software/Foxit\ Reader/FoxitConnectPDF/
total 20
-rw-r--r--. 1 focht focht 14336 Jan 30 21:38 ConnectPDFLocalDatabase.db
drwxrwxr-x. 2 focht focht 4096 Jan 30 21:15 Log
--- snip ---
The database file gets created at the very first time the service is started
(by installer). Tracing the installer with clean WINEPREFIX:
--- snip ---
WINEDEBUG=+seh,+relay,+msi,+server,+advapi,+security wine
./FoxitReader82_enu_Setup_clean.exe >>log.txt 2>&1
...
01ec:Call advapi32.CreateServiceW(00180580,014a4270
L"FoxitReaderService",014a8e78 L"Foxit Reader
Service",000f01ff,00000110,00000002,00000001,014a8eb0 L"\"C:\\Program Files
(x86)\\Foxit Software\\Foxit
Reader\\FoxitConnectedPDFService.exe\"",00000000,00000000,0054c364
L"",00000000,00000000) ret=00404ff3
...
01ec:Ret advapi32.CreateServiceW() retval=00180448 ret=00404ff3
...
01ec:Call advapi32.StartServiceW(00180728,00000000,00000000) ret=00405046
...
01ec:Ret advapi32.StartServiceW() retval=00000001 ret=00405046
...
...
01a4:Call KERNEL32.CreateProcessW(00000000,00049ef0 L"\"C:\\Program Files
(x86)\\Foxit Software\\Foxit
Reader\\FoxitConnectedPDFService.exe\"",00000000,00000000,100000000,00000400,00044de0,00000000,00fef3c0,00fef3a0)
ret=140006ae0
...
01a4:Ret KERNEL32.CreateProcessW() retval=00000001 ret=140006ae0
...
020c:Call KERNEL32.LoadLibraryW(014a60f8 L"C:\\Program Files (x86)\\Foxit
Software\\Foxit Reader\\plugins\\ServicePlugin\\ConnectPDFService.dll")
ret=0040257e
...
020c:Call PE DLL (proc=01AC9060,module=01920000
L"ConnectPDFService.dll",reason=PROCESS_ATTACH,res=00000000)
...
020c:Ret KERNEL32.LoadLibraryW() retval=01920000 ret=0040257e
...
020c:Call KERNEL32.GetProcAddress(01920000,0054b938 "FLS_PlugInMain")
ret=00402630
020c:Ret KERNEL32.GetProcAddress() retval=019afc70 ret=00402630
...
021c:Call KERNEL32.FindFirstFileW(0244fab4 L"C:\\ProgramData\\Foxit
Software\\Foxit
Reader\\\\FoxitConnectPDF\\ConnectPDFLocalDatabase.db",0244f864) ret=019d2634
...
021c:Ret KERNEL32.FindFirstFileW() retval=ffffffff ret=019d2634
...
021c:Call
advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW(01b33098 L"D:
(D;OICI;GA;;;BG) (D;OICI;GA;;;AN) (A;OICI;GAGRGWGX;;;AU) (A;OICI;GA;;;BA)
",00000001,0244fc9c,00000000) ret=019a6417
...
021c:trace:security:parse_acl L" (D;OICI;GA;;;BG) (D;OICI;GA;;;AN)
(A;OICI;GAGRGWGX;;;AU) (A;OICI;GA;;;BA) "
...
021c:trace:security:parse_acl L" (D;OICI;GA;;;BG) (D;OICI;GA;;;AN)
(A;OICI;GAGRGWGX;;;AU) (A;OICI;GA;;;BA) "
...
021c:Call kernelbase.GetSidLengthRequired(00000002) ret=003d3082
021c:Ret kernelbase.GetSidLengthRequired() retval=00000010 ret=003d3082
021c:Call ucrtbase.wcsncmp(003e32e0 L"",00180904 L"BG) (D;OICI;GA;;;AN)
(A;OICI;GAGRGWGX;;;AU) (A;OICI;GA;;;BA) ",00000002) ret=003d3175
021c:Ret ucrtbase.wcsncmp() retval=ffffffbe ret=003d3175
021c:Call ucrtbase.wcsncmp(003e332c L"WD\0001",00180904 L"BG) (D;OICI;GA;;;AN)
(A;OICI;GAGRGWGX;;;AU) (A;OICI;GA;;;BA) ",00000002) ret=003d3175
021c:Ret ucrtbase.wcsncmp() retval=00000015 ret=003d3175
...
021c:Call ucrtbase.wcsncmp(003e3b7c L"BG\001c",00180904 L"BG) (D;OICI;GA;;;AN)
(A;OICI;GAGRGWGX;;;AU) (A;OICI;GA;;;BA) ",00000002) ret=003d3175
021c:Ret ucrtbase.wcsncmp() retval=00000000 ret=003d3175
...
021c:Ret advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW()
retval=00000001 ret=019a6417
021c:Call KERNEL32.CreateFileW(02025f10 L"C:\\ProgramData\\Foxit
Software\\Foxit
Reader\\\\FoxitConnectPDF\\ConnectPDFLocalDatabase.db",10000000,00000000,0244fc98,00000001,00000080,00000000)
ret=019a6465
...
021c:Call
ntdll.NtCreateFile(0244fbd8,10100080,0244fc04,0244fbfc,00000000,00000080,00000000,00000002,00000060,00000000,00000000)
ret=7b012c09
021c: create_file( access=10100080, sharing=00000000, create=2,
options=00000060, attrs=00000080,
objattr={rootdir=0000,attributes=00000040,sd={control=00000004,owner=<not
present>,group=<not
present>,sacl={},dacl={{AceType=ACCESS_DENIED_ACE_TYPE,Mask=10000000,AceFlags=3,Sid={S-1-5-32-546}}}},name=L""},
filename="/home/focht/.wine/dosdevices/c:/ProgramData/Foxit Software/Foxit
Reader/FoxitConnectPDF/ConnectPDFLocalDatabase.db" )
021c: create_file() = 0 { handle=0124 }
021c:Ret ntdll.NtCreateFile() retval=00000000 ret=7b012c09
...
021c:Ret KERNEL32.CreateFileW() retval=00000124 ret=019a6465
...
--- snip ---
sd = {
control=00000004,
owner=<not present>,
group=<not present>,
sacl={},
dacl={{AceType=ACCESS_DENIED_ACE_TYPE,Mask=10000000,AceFlags=3,Sid={S-1-5-32-546}}}},
name=L"" }
'S-1-5-32-546' = BUILTIN_GUESTS
That looks suspicious ... there should be more ACEs!
Decoding SDDL string 'D: (D;OICI;GA;;;BG) (D;OICI;GA;;;AN)
(A;OICI;GAGRGWGX;;;AU) (A;OICI;GA;;;BA)' to human readable for reference:
Security Descriptor:
| Owner | Group | DACL Prot. | SACL Prot. | DACL Canonical | SACL Canonical |
=============================================================================
| n/a | n/a | False | False | True | True |
ACL:
| Identity Reference, Trustee | Access | ApplyTo | Permission |
=============================================================================
| BUILTIN\Guests | Deny | This and Childs | 0x10000000 |
| NT AUTHORITY\ANONYMOUS LOGON | Deny | This and Childs | 0x10000000 |
| BUILTIN\Administrators | Allow | This and Childs | 0x10000000 |
| NT AUTHORITY\Authenticated Users | Allow | This and Childs | -268435456 |
It seems Wine's ACL parser doesn't take whitespace between the ACEs into
account, stopping after first ACE.
Wine source:
https://source.winehq.org/git/wine.git/blob/47ac628b4a4e476c1b044765c95d5be2a7101d14:/dlls/sechost/security.c#l941
--- snip ---
941 static BOOL parse_acl( const WCHAR *string, DWORD *flags, ACL *acl, DWORD
*ret_size )
942 {
943 DWORD val;
944 DWORD sidlen;
945 DWORD length = sizeof(ACL);
946 DWORD acesize = 0;
947 DWORD acecount = 0;
948 ACCESS_ALLOWED_ACE *ace = NULL; /* pointer to current ACE */
949
950 TRACE("%s\n", debugstr_w(string));
951
952 if (acl) /* ace is only useful if we're setting values */
953 ace = (ACCESS_ALLOWED_ACE *)(acl + 1);
954
955 /* Parse ACL flags */
956 *flags = parse_acl_flags( &string );
957
958 /* Parse ACE */
959 while (*string == '(')
960 {
961 string++;
963 /* Parse ACE type */
964 val = parse_ace_type( &string );
...
1017 if (*string != ')')
1018 goto err;
1019 string++;
1020
1021 acesize = sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + sidlen;
1022 length += acesize;
1023 if (ace)
1024 {
1025 ace->Header.AceSize = acesize;
1026 ace = (ACCESS_ALLOWED_ACE *)((BYTE *)ace + acesize);
1027 }
1028 acecount++;
1029 }
1030
1031 *ret_size = length;
1032
1033 if (length > 0xffff)
1034 {
1035 ERR("ACL too large\n");
1036 goto err;
1037 }
1038
1039 if (acl)
1040 {
1041 acl->AclRevision = ACL_REVISION;
1042 acl->Sbz1 = 0;
1043 acl->AclSize = length;
1044 acl->AceCount = acecount;
1045 acl->Sbz2 = 0;
1046 }
1047 return TRUE;
1048
1049 err:
1050 SetLastError( ERROR_INVALID_ACL );
1051 WARN("Invalid ACE string format\n");
1052 return FALSE;
1053 }
--- snip ---
$ sha1sum FoxitReader82_enu_Setup_clean.exe
8e315a0ed99a8c88f3e5a0baef3fcb892c1a5448 FoxitReader82_enu_Setup_clean.exe
$ du -sh FoxitReader82_enu_Setup_clean.exe
52M FoxitReader82_enu_Setup_clean.exe
$ wine --version
wine-6.1
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list