RE: Device driver object security settings to enable non-priv'd user access

Hi All

Yes we had the same problem, but found that with XP’s “enhanced security
options”, using the DDK example for XP it seems to set the correct access
rights. Also you can manipulate the security settings from security gui…
This seems to work fine… so you don’t need sysinternal’s code
just check the O/S version and remove the code for XP… It worked for us.

Steve

xxxxx@bemac.com

----- Original Message -----
From: “Michal Vodicka”
To: “NT Developers Interest List”
Sent: Monday, March 03, 2003 10:52 PM
Subject: [ntdev] RE: Device driver object security settings to enable
non-priv’d user access

> I guess you’re right. Now how to force others to fix their drivers which use
> this old good proven method… I’ll try it with vmware.
>
> It seems as partial MS fault. If w2k behave differently (and I’d bet because
> there was no problem), they should explain this method isn’t safe anymore.
> Yes, it was undocumented but still widely used.
>
> Best regards,
>
> Michal Vodicka
> STMicroelectronics Design and Application s.r.o.
> [michal.vodicka@st.com, http:://www.st.com]
>
> > ----------
> > From: xxxxx@nryan.com[SMTP:xxxxx@nryan.com]
> > Reply To: xxxxx@lists.osr.com
> > Sent: Monday, March 03, 2003 10:56 PM
> > To: xxxxx@lists.osr.com
> > Subject: [ntdev] RE: Device driver object security settings to enable
> > non-priv’d user access
> >
> > I guess it’s time to try to use IoCreateDeviceSecure (described in a
> > recent NT Insider article). I originally shied away from this since the
> > article implied it wasn’t NT4-compatible, but maybe this is incorrect -
> > the function is implemented in a static library, after all.
> >
> > - Nicholas Ryan
> >
> > > -----Original Message-----
> > > From: xxxxx@lists.osr.com
> > > [mailto:xxxxx@lists.osr.com] On Behalf Of Nicholas Ryan
> > > Sent: Monday, March 03, 2003 1:42 PM
> > > To: NT Developers Interest List
> > > Subject: [ntdev] RE: Device driver object security settings
> > > to enable non-priv’d user access
> > >
> > >
> > > After some snooping I’ve partially figured out what’s going
> > > on. The security descriptor is created and assigned to the
> > > device object deep in undocumented function ObAssignSecurity.
> > > What happens is this function creates the base descriptor
> > > using SeAssignSecurity - which returns memory allocated
> > > simply by ExAllocatePool. Then the undocumented function
> > > _IopGetSetSecurityObject is called to assign the descriptor
> > > to the device object. However, it doesn’t simply point the
> > > device object to this descriptor - instead it uses an
> > > identical descriptor allocated from a private cache of
> > > security descriptors maintained by the Object Manager. (The
> > > original descriptor passed in is just freed). Apparently this
> > > is done for memory savings since objects in this cache are
> > > refcounted to avoid duplication. The additional header you’re
> > > seeing before the memory for the descriptor proper is the
> > > header for objects in this cache.
> > >
> > > This still doesn’t explain why the header is being touched
> > > while the device object is in use. However, I’m not sure your
> > > method of modifying the descriptor in-place is safe either,
> > > since this is a cached and potentially shared descriptor
> > > (descriptors in the cache are indexed by a hash of the
> > > descriptor’s contents). What a mess.
> > >
> > > - Nicholas Ryan
> > >
> > > > -----Original Message-----
> > > > From: xxxxx@lists.osr.com
> > > > [mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
> > > > Sent: Monday, March 03, 2003 11:28 AM
> > > > To: NT Developers Interest List
> > > > Subject: [ntdev] RE: Device driver object security settings
> > > > to enable non-priv’d user access
> > > >
> > > >
> > > > You missed the point. XP seem to expect object header before
> > > > the SD pointed by device object. So if it points to your
> > > > block of memory, OS accesses and writes to random memory
> > > > before your new SD.
> > > >
> > > > What you describe would only cure symptom and shield the real
> > > > problem.
> > > >
> > > > Best regards,
> > > >
> > > > Michal Vodicka
> > > > STMicroelectronics Design and Application s.r.o.
> > > > [michal.vodicka@st.com, http:://www.st.com]
> > > >
> > > > > ----------
> > > > > From: xxxxx@nryan.com[SMTP:xxxxx@nryan.com]
> > > > > Reply To: xxxxx@lists.osr.com
> > > > > Sent: Monday, March 03, 2003 8:17 PM
> > > > > To: xxxxx@lists.osr.com
> > > > > Subject: [ntdev] RE: Device driver object security settings to enable
> > > > > non-priv’d user access
> > > > >
> > > > > Easiest solution when using the SysInternals approach: save the
> > > > > pointer to the original descriptor, and point the device object to
> > > > > your new descriptor. When it comes time to delete your device object,
> > > > > free your descriptor, then point the device object back to the
> > > > > original descriptor, and then delete the device.
> > > > >
> > > > > - Nicholas Ryan
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: xxxxx@lists.osr.com
> > > > > > > [mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
> > > > > > Sent: Monday, March 03, 2003 10:35 AM
> > > > > > To: NT Developers Interest List
> > > > > > Subject: [ntdev] RE: Device driver object security settings
> > > > > > to enable non-priv’d user access
> > > > > >
> > > > > >
> > > > > > > It seems there is a problem with this approach at XP. Last week I
> > > > > > > encountered something similar with VMware parallel driver which
> > > > > > > access caused random data overwrite. It seemed as the problem
> > > > > > > caused my driver I’m working on so I investigated the problem and
> > > > > > > found OS tried to access data before security descriptor for
> > > > > > > this driver device. The descriptor was created the way you
> > > > > > > describe; they create new one and change
> > > > > > > DeviceObject->SecurityDescriptor to its address. They don’t
> > > > > > > free the old one and I presume it is because it caused the same
> > > > > > > problem as you have.
> > > > > > >
> > > > > > > I guess device security descriptor at XP are objects and OS
> > > > > > > expects object header prepended to memory pointed with
> > > > > > > DeviceObject->SecurityDescriptor. It would explain why
> > > > > > > ExFreePool fails: the real allocation starts several bytes before.
> > > > > > > Please note I only guess; I’d appreciate if somebody can confirm
> > > > > > > or disprove this observation or give any more info about XP device
> > > > > > > SDs.
> > > > > > >
> > > > > > > Also please note above described approach (ignore problem and
> > > > > > > don’t free original descriptor) is plain wrong and can cause BSODs
> > > > > > > or worse, random data overwrite. You can try different
> > > > > > > approach: change original SD contents instead. It is usable
> > > > > > > way if all you need is to change an ACE mask. I used it at
> > > > > > > w2k with no problem.
> > > > > >
> > > > > > Best regards,
> > > > > >
> > > > > > Michal Vodicka
> > > > > > STMicroelectronics Design and Application s.r.o.
> > > > > > [michal.vodicka@st.com, http:://www.st.com]
> > > > > >
> > > > > > > ----------
> > > > > > > > From: Barry.Kierstein@HP.Com[SMTP:Barry.Kierstein@HP.Com]
> > > > > > > > Reply To: xxxxx@lists.osr.com
> > > > > > > > Sent: Monday, March 03, 2003 6:42 PM
> > > > > > > > To: xxxxx@lists.osr.com
> > > > > > > > Subject: [ntdev] RE: Device driver object security settings to enable
> > > > > > > > non-priv’d user access
> > > > > > > >
> > > > > > > > All,
> > > > > > > >
> > > > > > > > Thanks for your great suggestions. I have followed the
> > > > > > > > SysInternals example in modifying the security descriptor in the
> > > > > > > > device object. There is one remaining oddity.
> > > > > > > >
> > > > > > > > Basically, the SysInternals example does the following:
> > > > > > > > 1) gets the security descriptor from the device object
> > > > > > > > (it is in relative format),
> > > > > > > > 2) creates an empty absolute format security descriptor,
> > > > > > > > 3) reads the device object security descriptor for various attributes
> > > > > > > > and sets these in the absolute security descriptor,
> > > > > > > > 4) converts the absolute security descriptor to relative format security
> > > > > > > > descriptor,
> > > > > > > > 5) frees the device object’s security descriptor using ExFreePool, and
> > > > > > > > 6) sets the device object’s security descriptor pointer to the new
> > > > > > > > relative format security descriptor.
> > > > > > > >
> > > > > > > > This works fine on Windows 2000. On Windows XP, it bugchecks when
> > > > > > > > trying to execute the ExFreePool call with a stop code of 0xC2.
> > > > > > > >
> > > > > > > > BAD_POOL_CALLER (c2)
> > > > > > > > The current thread is making a bad pool request. Typically this is
> > > > > > > > at a bad IRQL level or double freeing the same allocation, etc.
> > > > > > > Arguments:
> > > > > > > Arg1: 00000007, Attempt to free pool which was already freed
> > > > > > > Arg2: 00000cd4, (reserved)
> > > > > > > Arg3: 00000027, Memory contents of the pool block
> > > > > > > Arg4: e13f5318, Pointer to pool header
> > > > > > >
> > > > > > > Any ideas why this is happening? Thanks…
> > > > > > >
> > > > > > > Barry Kierstein
> > > > > > >
> > > > > > > —
> > > > > > > You are currently subscribed to ntdev as:
> > > > michal.vodicka@st.com To
> > > > > > > unsubscribe send a blank email to
> > > > xxxxx@lists.osr.com
> > > > > > >
> > > > > >
> > > > > >
> > > > > > —
> > > > > > You are currently subscribed to ntdev as: xxxxx@nryan.com To
> > > > > > unsubscribe send a blank email to
> > > xxxxx@lists.osr.com
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > —
> > > > > You are currently subscribed to ntdev as: michal.vodicka@st.com To
> > > > > unsubscribe send a blank email to xxxxx@lists.osr.com
> > > > >
> > > >
> > > >
> > > > —
> > > > You are currently subscribed to ntdev as: xxxxx@nryan.com
> > > > To unsubscribe send a blank email to
> > > xxxxx@lists.osr.com
> > > >
> > >
> > >
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@nryan.com
> > > To unsubscribe send a blank email to xxxxx@lists.osr.com
> > >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: michal.vodicka@st.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@bemac.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

Greetings,

Here is an update of what has happened so far.

  1. I tried the security GUI trick, but it doesn’t seem to make any
    difference. The GUI says that the access I checked in the
    checkboxes is there, but a non-priv’d user still gets an
    “Access is denied.” status. Since this is a network protocol
    driver, are the protections done differently than a driver
    for a physical device? Inheritance from the lower part of the
    stack?
    BTW, the GUI is the object browser from OSR.

  2. Using the .INF file didn’t seem to work either. Non-priv’d users
    still got an “Access is denied” status. This could be an error
    in writing the .INF file. This method was preferred since it was
    simple and would work on Windows 2000 and Windows XP.
    Below are the relevant snippets from my testing:

;-------------------------------------------------------------------------
; Installation Section
;-------------------------------------------------------------------------
[Install]
AddReg=Inst_Ndi
Characteristics=0x0 ; NCF_xxx
CopyFiles=CpyFiles_Sys

;-------------------------------------------------------------------------
; Ndi installation support
;-------------------------------------------------------------------------
[Inst_Ndi]
HKR,Ndi,Service,"AmNdis50"
HKR,Ndi,HelpText,%AmNdis50_HelpText%
HKR, Ndi\Interfaces, UpperRange, noupper
HKR,"Ndi\Interfaces","LowerRange","ndis5,ndis4,ndis5_uio"

[Inst_Ndi.security]
"D:(A;;FA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;FX;;;RC)"

  3. Using the SysInternals method of reading the
    deviceObject->SecurityDescriptor, creating a new one, and then
    replacing the old one (along with freeing the old descriptor)
    didn’t work on Windows XP (a nice blue screen when freeing
    the memory!). The general discussion prior to this reply is
    that the entity pointed to by above pointer is now an object
    that contains the security descriptor.

What did work is to use IoCreateDeviceSecure and use one of the
defined constants for the DACL creation (in wdmsec.h).

Some questions:

Did I do something wrong in the .INF file?

If I didn’t do anything wrong in the .INF file, then what I have
is two drivers, one for W2K and one for XP. The one for W2K will
bugcheck on XP. I thought of runtime conditional code in the
driver to detect what OS is running and act accordingly.
Unfortunately, I can’t have a call to IoCreateDeviceSecure in
a W2K build, so the only thing I could think of was to fail the
startup of the W2K version driver if it finds that the user has
upgraded to XP and is running on XP. The user would then have to
reinstall to put on the XP driver. This is very undesirable,
to say the least. Any thoughts here?

Thanks for the time and effort!

Barry Kierstein
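
The DACL string in the [Inst_Ndi.security] snippet above can be decoded field by field to see which principal each ACE covers and with what rights. The C program below is an added example, not code from the thread or from any of its participants; the function name audit_dacl and the choice of WD, BU and AU as "broad" principals are assumptions made for illustration, and only single-token rights are mapped to names.

```c
#include <stdio.h>
#include <string.h>
/* SDDL tokens: those in the thread's string plus a few common ones. */
struct tok { const char *code, *name; };
static const struct tok RIGHTS[] = {{"FA", "FILE_ALL_ACCESS"},
    {"FX", "FILE_GENERIC_EXECUTE"}, {"GA", "GENERIC_ALL"}, {NULL, NULL}};
static const struct tok SIDS[] = {{"WD", "Everyone"}, {"SY", "Local System"},
    {"BA", "Builtin Administrators"}, {"RC", "Restricted Code"},
    {"BU", "Builtin Users"}, {"AU", "Authenticated Users"}, {NULL, NULL}};

static const char *lookup(const struct tok *t, const char *code) {
    for (; t->code; t++)
        if (strcmp(t->code, code) == 0) return t->name;
    return code;                /* unknown or combined token: show verbatim */
}

/* Walk each "(type;flags;rights;obj;inherit_obj;sid)" ACE after "D:". Returns the
   count of allow-ACEs giving FA/GA to a broad principal, -1 if malformed. */
int audit_dacl(const char *sddl, int *total) {
    const char *p = strstr(sddl, "D:");
    int broad = 0;
    *total = 0;
    if (!p) return -1;
    for (p = strchr(p, '('); p; p = strchr(p, '(')) {
        char ace[128], *f[6], *s;
        const char *end = strchr(p, ')');
        int n = 0, wide, full, hit;
        if (!end || (size_t)(end - p) > sizeof ace) return -1;
        memcpy(ace, p + 1, (size_t)(end - p - 1));
        ace[end - p - 1] = '\0';
        /* split on ';' by hand: strtok() would skip the empty fields */
        for (s = ace, f[n++] = s; *s; s++)
            if (*s == ';') { if (n == 6) return -1; *s = '\0'; f[n++] = s + 1; }
        if (n != 6) return -1;
        wide = !strcmp(f[5], "WD") || !strcmp(f[5], "BU") || !strcmp(f[5], "AU");
        full = !strcmp(f[2], "FA") || !strcmp(f[2], "GA");
        hit = !strcmp(f[0], "A") && wide && full;
        printf("%-2s %-21s -> %-23s%s\n", f[0], lookup(RIGHTS, f[2]),
               lookup(SIDS, f[5]), hit ? " <-- full access, broad group" : "");
        broad += hit; (*total)++; p = end;
    }
    return broad;
}

int main(void) {
    int total, broad;   /* DACL string from the [Inst_Ndi.security] snippet */
    broad = audit_dacl("D:(A;;FA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;FX;;;RC)", &total);
    printf("%d ACEs, %d broad full-access grant(s)\n", total, broad);
    return 0;
}
```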

YEP!!! We had to have two separate drivers… wonderful isn’t it!! NOT!!

We had to create an installer that detected the O/S and install the correct
driver… A real pain!!. If you find the answer to this I would like to know
also!!

Sorry for being a bit vague on the details it’s been a while since I worked
on it

Steve

----- Original Message -----
From: “Barry Kierstein”
To: “NT Developers Interest List”
Sent: Tuesday, March 11, 2003 2:31 PM
Subject: [ntdev] RE: Device driver object security settings to enable
non-priv’d user access