Attempt to reset a FWP Engine Security Descriptor.
#include <conio.h>
#include <malloc.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <fwpmu.h>
#include <sddl.h>
//
// Attempt to reset a FWP Engine Security Descriptor.
// For https://github.com/henrypp/simplewall/issues/680
//
// Tavis Ormandy -- taviso@gmail.com
//
#pragma comment(lib, "FWPUCLNT")
#pragma comment(lib, "ADVAPI32")
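// SDDL form of the security descriptor the program treats as the stock BFE
// (Base Filtering Engine) descriptor. main() compares the engine's current
// descriptor against this string byte-for-byte, and on request converts it
// back into a binary descriptor with
// ConvertStringSecurityDescriptorToSecurityDescriptorA(). It is never written
// to, so it is declared const; the SDDL APIs take LPCSTR.
//
// NOTE(review): the SIDs below are service SIDs (S-1-5-80-*) and the
// per-entry labels are the author's; the exact default varies by Windows
// build, so a mismatch reported by main() is a hint, not proof of tampering.
const char DefaultSecurityInfo[] =
    "O:LS"      // Owner: Local service
    "G:LS"      // Group: Local service
    "D:AI"      // Dacl: (Auto Inherited)
    // Builtin Administrators
    "(A;;0xf07ff;;;BA)"
    "(A;OICIIO;GA;;;BA)"
    // Network configuration operators
    "(A;;0x307ff;;;NO)"
    "(A;OICIIO;GXGWGR;;;NO)"
    // MpsSvc (Malware Protection)
    "(A;;0x307ff;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
    "(A;OICIIO;GXGWGR;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
    // NlaSvc (Network Location Awareness)
    "(A;;0x203f4;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
    "(A;OICIIO;GXGR;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
    // PolicyAgent
    "(A;;0x307ff;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)"
    "(A;OICIIO;GXGWGR;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)"
    // RpcSs
    "(A;;0x307ff;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)"
    "(A;OICIIO;GXGWGR;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)"
    // WdiServiceHost
    "(A;;0x203f4;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)"
    "(A;OICIIO;GXGR;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)"
    // IKE/IpSec
    "(A;;0x307ff;;;S-1-5-80-1510742542-3632397484-604094731-3920060944-1272132581)"
    "(A;OICIIO;GXGWGR;;;S-1-5-80-1510742542-3632397484-604094731-3920060944-1272132581)"
    // Everyone (Write Properties / Delete Subtree)
    "(A;OICI;RPDT;;;WD)";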
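// Read the BFE engine's security descriptor, print it as SDDL, and — if it
// differs from DefaultSecurityInfo and the user answers 'y' — write the
// default group and DACL back with FwpmEngineSetSecurityInfo0().
//
// Returns 0 when the descriptor was already the default, when the user
// declined, or when the reset succeeded; 1 on any API failure. Every resource
// acquired on the way is released at the single cleanup label, so failure
// paths no longer leak the engine handle, the FWP/LocalAlloc buffers, or the
// _malloca buffers (which _malloca may have placed on the heap).
int main(int argc, char **argv)
{
    HANDLE EngineHandle = NULL;                         // FwpmEngineClose0
    PSECURITY_DESCRIPTOR EngineOwner = NULL;            // FwpmFreeMemory0
    LPSTR CurrentSecurityInfo = NULL;                   // LocalFree
    PSECURITY_DESCRIPTOR RelSecurityDescriptor = NULL;  // LocalFree
    PSECURITY_DESCRIPTOR AbsSecurityDescriptor = NULL;  // _malloca / _freea
    PACL pDacl = NULL, pSacl = NULL;                    // _malloca / _freea
    PSID pOwner = NULL, pGroup = NULL;                  // _malloca / _freea
    DWORD AbsSecurityDescriptorSize = 0;
    DWORD DaclSize = 0, SaclSize = 0;
    DWORD OwnerSize = 0, GroupSize = 0;
    DWORD Status;
    int ExitCode = 1;

    (void) argc;
    (void) argv;

    // The Fwpm* functions report errors through their return value; the
    // original code printed GetLastError() here, which is unrelated to the
    // failure and made the diagnostic meaningless.
    Status = FwpmEngineOpen0(NULL,
                             RPC_C_AUTHN_DEFAULT,
                             NULL,
                             NULL,
                             &EngineHandle);
    if (Status != ERROR_SUCCESS) {
        fprintf(stderr, "FwpmEngineOpen0 failed, %#lx\n", Status);
        goto cleanup;
    }

    Status = FwpmEngineGetSecurityInfo0(EngineHandle,
                                        OWNER_SECURITY_INFORMATION
                                        | GROUP_SECURITY_INFORMATION
                                        | DACL_SECURITY_INFORMATION,
                                        NULL,
                                        NULL,
                                        NULL,
                                        NULL,
                                        &EngineOwner);
    if (Status != ERROR_SUCCESS) {
        fprintf(stderr, "FwpmEngineGetSecurityInfo0 Failed, %#lx\n", Status);
        goto cleanup;
    }

    // The advapi32 SDDL helpers do use GetLastError().
    if (ConvertSecurityDescriptorToStringSecurityDescriptorA(EngineOwner,
                                                              SDDL_REVISION_1,
                                                              OWNER_SECURITY_INFORMATION
                                                              | GROUP_SECURITY_INFORMATION
                                                              | SACL_SECURITY_INFORMATION
                                                              | DACL_SECURITY_INFORMATION,
                                                              &CurrentSecurityInfo,
                                                              NULL) == FALSE) {
        fprintf(stderr, "Failed to parse descriptor %#lx\n", GetLastError());
        goto cleanup;
    }

    fprintf(stderr, "Filter Engine Security Descriptor: %s\n", CurrentSecurityInfo);

    if (strcmp(CurrentSecurityInfo, DefaultSecurityInfo) != 0) {
        fprintf(stderr, "*** WARNING ***\n");
        fprintf(stderr, "This is not the default BFE security descriptor.\n");
        fprintf(stderr, "Would you like me to restore the default? y/n ");
        fflush(stderr);

        if (_getch() == 'y') {
            fputc('\n', stderr);

            if (ConvertStringSecurityDescriptorToSecurityDescriptorA(DefaultSecurityInfo,
                                                                      SDDL_REVISION_1,
                                                                      &RelSecurityDescriptor,
                                                                      NULL) == FALSE) {
                fprintf(stderr, "Sorry, failed to convert descriptor, %#lx\n", GetLastError());
                fprintf(stderr, "No changes were made.\n");
                goto cleanup;
            }

            // Sizing pass: with NULL buffers MakeAbsoluteSD must fail with
            // ERROR_INSUFFICIENT_BUFFER and fill in the required sizes. A
            // success here (or any other error) means the descriptor is not
            // what we expect, so stop before touching anything.
            if (MakeAbsoluteSD(RelSecurityDescriptor,
                               NULL,
                               &AbsSecurityDescriptorSize,
                               NULL,
                               &DaclSize,
                               NULL,
                               &SaclSize,
                               NULL,
                               &OwnerSize,
                               NULL,
                               &GroupSize)
                || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
                fprintf(stderr, "Unexpected Result from MakeAbsoluteSD()\n");
                fprintf(stderr, "No changes were made.\n");
                goto cleanup;
            }

            // _malloca falls back to the heap above its size threshold, so
            // these are not guaranteed to be stack allocations and must be
            // released with _freea (done at cleanup).
            AbsSecurityDescriptor = _malloca(AbsSecurityDescriptorSize);
            pDacl = _malloca(DaclSize);
            pSacl = _malloca(SaclSize);
            pOwner = _malloca(OwnerSize);
            pGroup = _malloca(GroupSize);
            if (!AbsSecurityDescriptor || !pDacl || !pSacl || !pOwner || !pGroup) {
                fprintf(stderr, "Out of memory while building descriptor\n");
                fprintf(stderr, "No changes were made.\n");
                goto cleanup;
            }

            // Second pass: produce the absolute descriptor so the component
            // pointers (owner, group, DACL, SACL) can be handed to FWP.
            if (!MakeAbsoluteSD(RelSecurityDescriptor,
                                AbsSecurityDescriptor,
                                &AbsSecurityDescriptorSize,
                                pDacl,
                                &DaclSize,
                                pSacl,
                                &SaclSize,
                                pOwner,
                                &OwnerSize,
                                pGroup,
                                &GroupSize)) {
                fprintf(stderr, "MakeAbsoluteSD failed to parse descriptor\n");
                fprintf(stderr, "No changes were made.\n");
                goto cleanup;
            }

            // Only the group and DACL are written back. OWNER_SECURITY_INFORMATION
            // is not requested, so pOwner is passed but ignored by the engine —
            // presumably deliberate (setting an owner other than the caller
            // needs extra privilege); TODO confirm intent with the author.
            Status = FwpmEngineSetSecurityInfo0(EngineHandle,
                                                GROUP_SECURITY_INFORMATION
                                                | DACL_SECURITY_INFORMATION,
                                                pOwner,
                                                pGroup,
                                                pDacl,
                                                pSacl);
            if (Status != ERROR_SUCCESS) {
                fprintf(stderr, "Sorry, failed to reset security descriptor, %#lx\n", Status);
                goto cleanup;
            }

            fprintf(stderr, "Security descriptor reset to the default.\n");
        }
    } else {
        fprintf(stderr, "OK, that's the default ACL\n");
    }

    fputc('\n', stderr);
    ExitCode = 0;

cleanup:
    if (pGroup) {
        _freea(pGroup);
    }
    if (pOwner) {
        _freea(pOwner);
    }
    if (pSacl) {
        _freea(pSacl);
    }
    if (pDacl) {
        _freea(pDacl);
    }
    if (AbsSecurityDescriptor) {
        _freea(AbsSecurityDescriptor);
    }
    if (RelSecurityDescriptor) {
        LocalFree(RelSecurityDescriptor);
    }
    if (CurrentSecurityInfo) {
        LocalFree(CurrentSecurityInfo);
    }
    if (EngineOwner) {
        FwpmFreeMemory0(&EngineOwner);
    }
    if (EngineHandle) {
        FwpmEngineClose0(EngineHandle);
    }
    return ExitCode;
}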