Hesham/wintun
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

api: use SuggestedInstanceId instead of NetSetupAnticipatedInstanceId

Browse Source 
All was well with NetSetupAnticipatedInstanceId, until a bug crept into
recent Windows builds that caused old GUIDs not to be properly removed,
resulting in subsequent adapter creations to fail, because NetSetup
AnticipatedInstanceId considers it fatal when the target GUID
already exists, even if in diminished form.

The initial solution was to detect cruft, and then steal a
TrustedInstaller token and sleuth around the registry cleaning things
up. The horror!

Uncomfortable with this, I reopened IDA and had a look around with fresh
eyes, three years after the original discovery of NetSetupAnticipated
InstanceId. There, I found some interesting behavior in
NetSetupSvcDeviceManager::InstallNetworkInterfaces, which amounts to
something like:

    if (IsSet("RetiredNetCfgInstanceId") {
      if (IsSet("NetSetupAnticipatedInstanceId")
        DeleteAdapter(GetValue("RetiredNetCfgInstanceId"));
      else
        Set("NetSetupAnticipatedInstanceId", GetValue("RetiredNetCfgInstanceId"));
      Delete("RetiredNetCfgInstanceId");
    }
    CreateAdapter = TRUE;
    if (IsSet("NetSetupAnticipatedInstanceId")) {
      Guid = GetValue("NetSetupAnticipatedInstanceId");
      if (AdapterAlreadyExists(Guid))
        CreateAdapter = FALSE;
      else
        SetGuidOfNewAdapter(Guid);
      Delete("NetSetupAnticipatedInstanceId");
    } else if (IsSet("SuggestedInstanceId")) {
      Guid = GetValue("SuggestedInstanceId");
      if (!AdapterAlreadyExists(Guid))
        SetGuidOfNewAdapter(Guid);
      Delete("SuggestedInstanceId");
    }

Thus, one appealing strategy would be to set both NetSetupAnticipated
InstanceId and RetiredInstanceId to the same value, and let the service
handle deleting the old one for us before creating the new one.
However, the cleanup of the old adapter winds up being quasi-
asynchronous, and thus we still wind up in the CreateAdapter = FALSE
case.

So, the remaining strategy is to simply use SuggestedInstanceId instead.
This has the behavior that if there's an adapter already in use, it'll
use a new random GUID. The result is that adapter creation won't fail.

That's not great, but the docs have always made it clear that
"requested" is a best-effort sort of thing. Plus, hopefully the creation
of the new adapter will help nudge the bug a bit and cleanup the old
cruft. In some ways, transitioning from our old strategy of "cudgel the
registry until we get the GUID we want" to "ask politely and accept no
for an answer" is a disappointing regression in functionality. But it
also means we don't need to keep crazy token stealing code around, or
fish around in the registry dangerously. This probably also increases
the likelihood that an adapter will be created during edge cases, which
means fewer errors for users, which could be a good thing. On the
downside, we have the perpetual tensions caused by a system that now
"fails open" instead of "fails closed". But so it goes in Windows land.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
Jason A. Donenfeld 2021-07-08 16:59:43 +02:00
parent cf6e441ff5
commit 005af4a9c7
7 changed files with 158 additions and 466 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
api/adapter.c
View File

@ -20,7 +20,6 @@
#include <devpkey.h>
#include "adapter.h"
#include "elevate.h"
#include "entry.h"
#include "logger.h"
#include "namespace.h"
@ -1421,62 +1420,6 @@ static _Return_type_success_(return != NULL) WINTUN_ADAPTER *CreateAdapter(
if (!IsWindows10())
RequestedGUID = NULL;
if (RequestedGUID)
{
WCHAR RegPath[MAX_REG_PATH];
WCHAR RequestedGUIDStr[MAX_GUID_STRING_LEN];
int GuidStrLen = StringFromGUID2(RequestedGUID, RequestedGUIDStr, _countof(RequestedGUIDStr)) * sizeof(WCHAR);
if (_snwprintf_s(
RegPath,
MAX_REG_PATH,
_TRUNCATE,
L"SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\%.*s\\Connection",
GuidStrLen,
RequestedGUIDStr) == -1)
goto guidIsFresh;
HKEY Key;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, RegPath, 0, KEY_QUERY_VALUE, &Key) != ERROR_SUCCESS)
goto guidIsFresh;
WCHAR *InstanceID = RegistryQueryString(Key, L"PnPInstanceId", FALSE);
RegCloseKey(Key);
if (!InstanceID)
goto guidIsFresh;
int Ret = _snwprintf_s(RegPath, MAX_REG_PATH, _TRUNCATE, L"SYSTEM\\CurrentControlSet\\Enum\\%s", InstanceID);
Free(InstanceID);
if (Ret == -1)
goto guidIsFresh;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, RegPath, 0, KEY_QUERY_VALUE, &Key) == ERROR_SUCCESS)
{
RegCloseKey(Key);
MIB_IF_ROW2 IfRow = { 0 };
if (ConvertInterfaceGuidToLuid(RequestedGUID, &IfRow.InterfaceLuid) == NO_ERROR &&
GetIfEntry2(&IfRow) == NO_ERROR && IfRow.OperStatus != IfOperStatusNotPresent)
{
SetLastError(
LOG_ERROR(ERROR_ALREADY_EXISTS, L"Requested GUID is already in use: %s", RequestedGUIDStr));
return NULL;
}
}
LOG(WINTUN_LOG_WARN, L"Requested GUID %s has leftover residue", RequestedGUIDStr);
HANDLE OriginalToken;
if (!ImpersonateService(L"NetSetupSvc", &OriginalToken))
{
LOG_LAST_ERROR(L"Unable to impersonate NetSetupSvc");
goto guidIsFresh; // non-fatal
}
if (_snwprintf_s(
RegPath,
MAX_REG_PATH,
_TRUNCATE,
L"SYSTEM\\CurrentControlSet\\Control\\NetworkSetup2\\Interfaces\\%.*s",
GuidStrLen,
RequestedGUIDStr) == -1 ||
!RegistryDeleteKeyRecursive(HKEY_LOCAL_MACHINE, RegPath))
LOG_LAST_ERROR(L"Unable to delete NetworkSetup2 registry key"); // non-fatal
RestoreToken(OriginalToken);
guidIsFresh:;
}
HDEVINFO DevInfo = SetupDiCreateDeviceInfoListExW(&GUID_DEVCLASS_NET, NULL, NULL, NULL);
if (DevInfo == INVALID_HANDLE_VALUE)
{
@ -1566,19 +1509,13 @@ static _Return_type_success_(return != NULL) WINTUN_ADAPTER *CreateAdapter(
}
if (RequestedGUID)
{
WCHAR RequestedGUIDStr[MAX_GUID_STRING_LEN];
LastError = RegSetValueExW(
NetDevRegKey,
L"NetSetupAnticipatedInstanceId",
0,
REG_SZ,
(const BYTE *)RequestedGUIDStr,
StringFromGUID2(RequestedGUID, RequestedGUIDStr, _countof(RequestedGUIDStr)) * sizeof(WCHAR));
NetDevRegKey, L"SuggestedInstanceId", 0, REG_BINARY, (const BYTE *)RequestedGUID, sizeof(*RequestedGUID));
if (LastError != ERROR_SUCCESS)
{
WCHAR RegPath[MAX_REG_PATH];
LoggerGetRegistryKeyPath(NetDevRegKey, RegPath);
LOG_ERROR(LastError, L"Failed to set %.*s\\NetSetupAnticipatedInstanceId", MAX_REG_PATH, RegPath);
LOG_ERROR(LastError, L"Failed to set %.*s\\SuggestedInstanceId", MAX_REG_PATH, RegPath);
goto cleanupNetDevRegKey;
}
}

2
api/api.vcxproj
View File

@ -156,7 +156,6 @@
<ItemGroup>
<ClInclude Include="entry.h" />
<ClInclude Include="adapter.h" />
<ClInclude Include="elevate.h" />
<ClInclude Include="rundll32_i.c">
<ExcludedFromBuild>true</ExcludedFromBuild>
</ClInclude>
@ -171,7 +170,6 @@
<ItemGroup>
<ClCompile Include="entry.c" />
<ClCompile Include="adapter.c" />
<ClCompile Include="elevate.c" />
<ClCompile Include="logger.c" />
<ClCompile Include="namespace.c" />
<ClCompile Include="registry.c" />

6
api/api.vcxproj.filters
View File

@ -49,9 +49,6 @@
<ClInclude Include="wintun.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="elevate.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="entry.h">
<Filter>Header Files</Filter>
</ClInclude>
@ -84,9 +81,6 @@
<ClCompile Include="session.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="elevate.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="entry.c">
<Filter>Source Files</Filter>
</ClCompile>

248
api/elevate.c
View File

@ -1,248 +0,0 @@
/* SPDX-License-Identifier: GPL-2.0
*
* Copyright (C) 2018-2021 WireGuard LLC. All Rights Reserved.
*/
#include "elevate.h"
#include "logger.h"
#include <Windows.h>
#include <TlHelp32.h>
static _Return_type_success_(return != FALSE) BOOL ElevateToSystem(void)
{
HANDLE CurrentProcessToken, ThreadToken, ProcessSnapshot, WinlogonProcess, WinlogonToken, DuplicatedToken;
PROCESSENTRY32W ProcessEntry = { .dwSize = sizeof(PROCESSENTRY32W) };
BOOL Ret;
DWORD LastError = ERROR_SUCCESS;
TOKEN_PRIVILEGES Privileges = { .PrivilegeCount = 1, .Privileges = { { .Attributes = SE_PRIVILEGE_ENABLED } } };
CHAR LocalSystemSid[MAX_SID_SIZE];
DWORD RequiredBytes = sizeof(LocalSystemSid);
struct
{
TOKEN_USER MaybeLocalSystem;
CHAR LargeEnoughForLocalSystem[MAX_SID_SIZE];
} TokenUserBuffer;
Ret = CreateWellKnownSid(WinLocalSystemSid, NULL, &LocalSystemSid, &RequiredBytes);
if (!Ret)
{
LastError = LOG_LAST_ERROR(L"Failed to create SID");
goto cleanup;
}
Ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &CurrentProcessToken);
if (!Ret)
{
LastError = LOG_LAST_ERROR(L"Failed to open process token");
goto cleanup;
}
Ret =
GetTokenInformation(CurrentProcessToken, TokenUser, &TokenUserBuffer, sizeof(TokenUserBuffer), &RequiredBytes);
LastError = GetLastError();
CloseHandle(CurrentProcessToken);
if (!Ret)
{
LOG_ERROR(LastError, L"Failed to get token information");
goto cleanup;
}
if (EqualSid(TokenUserBuffer.MaybeLocalSystem.User.Sid, LocalSystemSid))
return ImpersonateSelf(SecurityImpersonation);
Ret = LookupPrivilegeValueW(NULL, SE_DEBUG_NAME, &Privileges.Privileges[0].Luid);
if (!Ret)
{
LastError = LOG_LAST_ERROR(L"Failed to lookup privilege value");
goto cleanup;
}
ProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (ProcessSnapshot == INVALID_HANDLE_VALUE)
{
LastError = LOG_LAST_ERROR(L"Failed to create toolhelp snapshot");
goto cleanup;
}
for (Ret = Process32FirstW(ProcessSnapshot, &ProcessEntry); Ret;
Ret = Process32NextW(ProcessSnapshot, &ProcessEntry))
{
if (_wcsicmp(ProcessEntry.szExeFile, L"winlogon.exe"))
continue;
RevertToSelf();
Ret = ImpersonateSelf(SecurityImpersonation);
if (!Ret)
{
LastError = GetLastError();
continue;
}
Ret = OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &ThreadToken);
if (!Ret)
{
LastError = GetLastError();
continue;
}
Ret = AdjustTokenPrivileges(ThreadToken, FALSE, &Privileges, 0, NULL, NULL);
LastError = GetLastError();
CloseHandle(ThreadToken);
if (!Ret)
continue;
WinlogonProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, ProcessEntry.th32ProcessID);
if (!WinlogonProcess)
{
LastError = GetLastError();
continue;
}
Ret = OpenProcessToken(WinlogonProcess, TOKEN_IMPERSONATE | TOKEN_DUPLICATE, &WinlogonToken);
LastError = GetLastError();
CloseHandle(WinlogonProcess);
if (!Ret)
continue;
Ret = DuplicateToken(WinlogonToken, SecurityImpersonation, &DuplicatedToken);
LastError = GetLastError();
CloseHandle(WinlogonToken);
if (!Ret)
continue;
if (!GetTokenInformation(DuplicatedToken, TokenUser, &TokenUserBuffer, sizeof(TokenUserBuffer), &RequiredBytes))
goto next;
if (!EqualSid(TokenUserBuffer.MaybeLocalSystem.User.Sid, LocalSystemSid))
{
SetLastError(ERROR_ACCESS_DENIED);
goto next;
}
if (!SetThreadToken(NULL, DuplicatedToken))
goto next;
CloseHandle(DuplicatedToken);
CloseHandle(ProcessSnapshot);
return TRUE;
next:
LastError = GetLastError();
CloseHandle(DuplicatedToken);
}
RevertToSelf();
CloseHandle(ProcessSnapshot);
cleanup:
SetLastError(LastError);
return FALSE;
}
_Return_type_success_(return != FALSE) BOOL ImpersonateService(_In_z_ WCHAR *ServiceName, _In_ HANDLE *OriginalToken)
{
HANDLE ThreadToken, ServiceProcess, ServiceToken, DuplicatedToken;
SC_HANDLE Scm, ServiceHandle;
DWORD LastError = ERROR_SUCCESS;
TOKEN_PRIVILEGES Privileges = { .PrivilegeCount = 1, .Privileges = { { .Attributes = SE_PRIVILEGE_ENABLED } } };
SERVICE_STATUS_PROCESS ServiceStatus;
DWORD RequiredBytes;
BOOL Ret = FALSE;
*OriginalToken = NULL;
if (!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, FALSE, OriginalToken) &&
GetLastError() != ERROR_NO_TOKEN)
return FALSE;
if (!ElevateToSystem())
goto cleanup;
if (!LookupPrivilegeValueW(NULL, SE_DEBUG_NAME, &Privileges.Privileges[0].Luid))
{
LastError = LOG_LAST_ERROR(L"Failed to lookup privilege value");
goto cleanup;
}
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &ThreadToken))
{
LastError = LOG_LAST_ERROR(L"Failed to open thread token");
goto cleanup;
}
if (!AdjustTokenPrivileges(ThreadToken, FALSE, &Privileges, 0, NULL, NULL))
{
LastError = LOG_LAST_ERROR(L"Failed to enable SE_DEBUG_NAME");
goto cleanupThreadToken;
}
Scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
if (!Scm)
{
LastError = LOG_LAST_ERROR(L"Failed to open SCM");
goto cleanupThreadToken;
}
ServiceHandle = OpenServiceW(Scm, ServiceName, SERVICE_START | SERVICE_QUERY_STATUS);
if (!ServiceHandle)
{
LastError = LOG_LAST_ERROR(L"Failed to open service %s", ServiceName);
goto cleanupScm;
}
if (!StartServiceW(ServiceHandle, 0, NULL) && GetLastError() != ERROR_SERVICE_ALREADY_RUNNING)
{
LastError = LOG_LAST_ERROR(L"Failed to start service %s", ServiceName);
goto cleanupService;
}
for (int i = 0; i < 1000; ++i)
{
if (!QueryServiceStatusEx(
ServiceHandle, SC_STATUS_PROCESS_INFO, (BYTE *)&ServiceStatus, sizeof(ServiceStatus), &RequiredBytes))
{
LastError = LOG_LAST_ERROR(L"Failed to query service %s", ServiceName);
goto cleanupService;
}
if (ServiceStatus.dwProcessId)
break;
if (i != 999)
Sleep(4);
}
ServiceProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, ServiceStatus.dwProcessId);
if (!ServiceProcess)
{
LastError = LOG_LAST_ERROR(L"Failed to open service %s process %u", ServiceName, ServiceStatus.dwProcessId);
goto cleanupService;
}
if (!OpenProcessToken(ServiceProcess, TOKEN_IMPERSONATE | TOKEN_DUPLICATE, &ServiceToken))
{
LastError =
LOG_LAST_ERROR(L"Failed to open token of service %s process %u", ServiceName, ServiceStatus.dwProcessId);
goto cleanupServiceProcess;
}
if (!DuplicateToken(ServiceToken, SecurityImpersonation, &DuplicatedToken))
{
LastError = LOG_LAST_ERROR(
L"Failed to duplicate token of service %s process %u", ServiceName, ServiceStatus.dwProcessId);
goto cleanupServiceToken;
}
if (!SetThreadToken(NULL, DuplicatedToken))
{
LastError = LOG_LAST_ERROR(
L"Failed to set thread token to service %s process %u token", ServiceName, ServiceStatus.dwProcessId);
goto cleanupDuplicatedToken;
}
Ret = TRUE;
cleanupDuplicatedToken:
CloseHandle(DuplicatedToken);
cleanupServiceToken:
CloseHandle(ServiceToken);
cleanupServiceProcess:
CloseHandle(ServiceProcess);
cleanupService:
CloseServiceHandle(ServiceHandle);
cleanupScm:
CloseServiceHandle(Scm);
cleanupThreadToken:
CloseHandle(ThreadToken);
cleanup:
if (!Ret)
{
RestoreToken(*OriginalToken);
*OriginalToken = NULL;
}
SetLastError(LastError);
return Ret;
}
_Return_type_success_(return != FALSE) BOOL RestoreToken(_In_ HANDLE OriginalToken)
{
RevertToSelf();
if (!OriginalToken)
return TRUE;
BOOL Ret = SetThreadToken(NULL, OriginalToken);
DWORD LastError = Ret ? ERROR_SUCCESS : LOG_LAST_ERROR(L"Failed to restore original token");
CloseHandle(OriginalToken);
SetLastError(LastError);
return Ret;
}

12
api/elevate.h
View File

@ -1,12 +0,0 @@
/* SPDX-License-Identifier: GPL-2.0
*
* Copyright (C) 2018-2021 WireGuard LLC. All Rights Reserved.
*/
#pragma once
#include <Windows.h>
_Return_type_success_(return != FALSE) BOOL ImpersonateService(_In_z_ WCHAR *ServiceName, _In_ HANDLE *OriginalToken);
_Return_type_success_(return != FALSE) BOOL RestoreToken(_In_ HANDLE OriginalToken);

1
api/session.c
View File

@ -4,7 +4,6 @@
*/
#include "adapter.h"
#include "elevate.h"
#include "entry.h"
#include "logger.h"
#include "wintun.h"

24
driver/driver.vcxproj
View File

@ -66,6 +66,30 @@
<PropertyGroup Condition="'$(Platform)'=='ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>