Skip to content

Instantly share code, notes, and snippets.

@taviso

taviso/fwpacl.c

Created May 14, 2020 00:37
Show Gist options
  • Save taviso/b65562b083c9b5cf98adfa0642845aa2 to your computer and use it in GitHub Desktop.
Save taviso/b65562b083c9b5cf98adfa0642845aa2 to your computer and use it in GitHub Desktop.
Download ZIP
Attempt to reset a FWP Engine Security Descriptor.
Raw
fwpacl.c
#include <stdio.h>
#include <windows.h>
#include <fwpmu.h>
#include <sddl.h>
#include <malloc.h>
//
// Attempt to reset a FWP Engine Security Descriptor.
// For https://github.com/henrypp/simplewall/issues/680
//
// Tavis Ormandy -- [email protected]
//
#pragma comment(lib, "FWPUCLNT")
#pragma comment(lib, "ADVAPI32")
char DefaultSecurityInfo[] =
"O:LS" // Owner: Local service
"G:LS" // Group: Local service
"D:AI" // Dacl: (Auto Inherited)
// Builtin Administrators
"(A;;0xf07ff;;;BA)"
"(A;OICIIO;GA;;;BA)"
// Network configuration operators
"(A;;0x307ff;;;NO)"
"(A;OICIIO;GXGWGR;;;NO)"
// MpsSvc (Malware Protection)
"(A;;0x307ff;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
"(A;OICIIO;GXGWGR;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
// NlaSvc (Network Location Awareness)
"(A;;0x203f4;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
"(A;OICIIO;GXGR;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
// PolicyAgent
"(A;;0x307ff;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)"
"(A;OICIIO;GXGWGR;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)"
// RpcSs
"(A;;0x307ff;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)"
"(A;OICIIO;GXGWGR;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)"
// WdiServiceHost
"(A;;0x203f4;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)"
"(A;OICIIO;GXGR;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)"
// IKE/IpSec
"(A;;0x307ff;;;S-1-5-80-1510742542-3632397484-604094731-3920060944-1272132581)"
"(A;OICIIO;GXGWGR;;;S-1-5-80-1510742542-3632397484-604094731-3920060944-1272132581)"
// Everyone (Write Properties / Delete Subtree)
"(A;OICI;RPDT;;;WD)";
int main(int argc, char **argv)
{
HANDLE EngineHandle;
PSECURITY_DESCRIPTOR EngineOwner;
LPSTR CurrentSecurityInfo;
if (FwpmEngineOpen0(NULL,
RPC_C_AUTHN_DEFAULT,
NULL,
NULL,
&EngineHandle) != ERROR_SUCCESS) {
fprintf(stderr, "FwpmEngineOpen0 failed, %#X\n", GetLastError());
return 1;
}
if (FwpmEngineGetSecurityInfo0(EngineHandle,
OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION,
NULL,
NULL,
NULL,
NULL,
&EngineOwner) != ERROR_SUCCESS) {
fprintf(stderr, "FwpmEngineGetSecurityInfo0 Failed, %#x\n", GetLastError());
return 1;
}
if (ConvertSecurityDescriptorToStringSecurityDescriptorA(EngineOwner,
SDDL_REVISION_1,
OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| SACL_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION,
&CurrentSecurityInfo,
NULL) == FALSE) {
fprintf(stderr, "Failed to parse descriptor %#x\n", GetLastError());
return 1;
}
fprintf(stderr, "Filter Engine Security Descriptor: %s\n", CurrentSecurityInfo);
if (strcmp(CurrentSecurityInfo, DefaultSecurityInfo) != 0) {
fprintf(stderr, "*** WARNING ***\n");
fprintf(stderr, "This is not the default BFE security descrptor.\n");
fprintf(stderr, "Would you like me to restore the default? y/n ");
fflush(stderr);
if (_getch() == 'y') {
PSECURITY_DESCRIPTOR AbsSecurityDescriptor;
PSECURITY_DESCRIPTOR RelSecurityDescriptor;
PACL pDacl, pSacl;
PSID pOwner, pGroup;
DWORD DaclSize, SaclSize;
DWORD OwnerSize, GroupSize;
DWORD AbsSecurityDescriptorSize;
PSID DefaultSid;
fputc('\n', stderr);
if (ConvertStringSecurityDescriptorToSecurityDescriptorA(DefaultSecurityInfo,
SDDL_REVISION_1,
&RelSecurityDescriptor,
NULL) == FALSE) {
fprintf(stderr, "Sorry, failed to convert descritpor\n");
fprintf(stderr, "No changes were made.\n");
return 1;
}
// Now we have to make it an absolute descriptor so that we can get
// the component pointers.
MakeAbsoluteSD(RelSecurityDescriptor,
NULL,
&AbsSecurityDescriptorSize,
NULL,
&DaclSize,
NULL,
&SaclSize,
NULL,
&OwnerSize,
NULL,
&GroupSize);
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
fprintf(stderr, "Unexpected Result from MakeAbsoluteSD()\n");
return 1;
}
// Allocate the requested sizes.
AbsSecurityDescriptor = _malloca(AbsSecurityDescriptorSize);
pDacl = _malloca(DaclSize);
pSacl = _malloca(SaclSize);
pOwner = _malloca(OwnerSize);
pGroup = _malloca(GroupSize);
if (!MakeAbsoluteSD(RelSecurityDescriptor,
AbsSecurityDescriptor,
&AbsSecurityDescriptorSize,
pDacl,
&DaclSize,
pSacl,
&SaclSize,
pOwner,
&OwnerSize,
pGroup,
&GroupSize)) {
fprintf(stderr, "MakeAbsoluteSD failed to parse descriptor\n");
return 1;
}
DWORD Result;
Result = FwpmEngineSetSecurityInfo0(EngineHandle,
GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION,
pOwner,
pGroup,
pDacl,
pSacl);
if (Result != ERROR_SUCCESS) {
fprintf(stderr, "Sorry, failed to reset security descriptor, %#x\n", Result);
return 1;
}
// No need to free the absolute descriptor, it's on the stack.
LocalFree(RelSecurityDescriptor);
}
} else {
fprintf(stderr, "OK, that's the default ACL\n");
}
fputc('\n', stderr);
LocalFree(CurrentSecurityInfo);
FwpmFreeMemory0(&EngineOwner);
FwpmEngineClose0(EngineHandle);
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment