[Bug 36327] Dameware Mini Remote Control 10.x licensing tool (.NET 2.0 app ) fails during post-install step ( SE_SECURITY_NAME privilege of calling thread access token not respected when retrieving SACL via GetSecurityInfo )

https://bugs.winehq.org/show_bug.cgi?id=36327

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Component|advapi32 |wineserver Summary|Dameware Mini Remote |Dameware Mini Remote |Control 10.x licensing tool |Control 10.x licensing tool |fails during post-install |(.NET 2.0 app) fails during |step |post-install step | |(SE_SECURITY_NAME privilege | |of calling thread access | |token not respected when | |retrieving SACL via | |GetSecurityInfo) URL|http://downloads.solarwinds |https://web.archive.org/web |.com/solarwinds/Release/Dam |/20190317110303/https://dow |eWare/v10/DameWare-MRC32-Ev |nloads.solarwinds.com/solar |al-v10.0.0.exe |winds/Release/DameWare/v10/ | |DameWare-MRC32-Eval-v10.0.0 | |.exe

--- Comment #4 from Anastasius Focht focht@gmx.net --- Hello folks,

revisiting, still present.

Adding stable download from Internet archive:

https://web.archive.org/web/20190317110303/https://downloads.solarwinds.com/...

The installer currently suffers from a regression -> bug 46833 Working around that it yields the same problem as years ago.

--- snip --- $ pwd /home/focht/.wine/drive_c/ProgramData/SolarWinds/DameWare Development/MrcEXEs

$ WINEDEBUG=+seh,+relay,+msi,+server wine ./DWMRC10x_32.exe >>log.txt 2>&1 ... 004a:trace:msi:HANDLE_CustomType34 cmd L""C:\Program Files\SolarWinds\DameWare Mini Remote Control 10.0\SolarWinds.MRC.Licensor.exe"" dir L"C:\Program Files\SolarWinds\DameWare Mini Remote Control 10.0\" 004a:Call KERNEL32.CreateProcessW(00000000,008bcd48 L""C:\Program Files\SolarWinds\DameWare Mini Remote Control 10.0\SolarWinds.MRC.Licensor.exe"",00000000,00000000,00000000,00000000,00000000,008b40e0 L"C:\Program Files\SolarWinds\DameWare Mini Remote Control 10.0\",0032e9ac,0032e99c) ret=7badcd44 ... 0060:Call advapi32.RegOpenKeyExW(000001fc,00919ff8 L"{15119A76-31E3-4C58-AD65-5BCCF704B5C5}",00000000,0002001f,0032f0ac) ret=0036bd4b 0060: open_key( parent=01fc, access=0002001f, attributes=00000000, name=L"{15119A76-31E3-4C58-AD65-5BCCF704B5C5}" ) 0060: open_key() = OBJECT_NAME_NOT_FOUND { hkey=0000 } 0060:Ret advapi32.RegOpenKeyExW() retval=00000002 ret=0036bd4b ... 0060:Call advapi32.RegCreateKeyExW(000001fc,00919ff8 L"{15119A76-31E3-4C58-AD65-5BCCF704B5C5}",00000000,00000000,00000000,0002001f,00000000,0032f0b8,0032f148) ret=0036be6f 0060: create_key( access=0002001f, options=00000000, objattr={rootdir=01fc,attributes=00000000,sd={},name=L"{15119A76-31E3-4C58-AD65-5BCCF704B5C5}"}, class=L"" ) 0060: create_key() = 0 { hkey=0200, created=1 } 0060:Ret advapi32.RegCreateKeyExW() retval=00000000 ret=0036be6f ... 0060:Call advapi32.OpenProcessToken(ffffffff,00000002,0032ef24) ret=0036a592 0060: open_token( handle=ffffffff, access=00000002, attributes=00000000, flags=00000000 ) 0060: open_token() = 0 { token=0208 } 0060:Ret advapi32.OpenProcessToken() retval=00000001 ret=0036a592 0060:Call KERNEL32.GetLastError() ret=0036a598 0060:Ret KERNEL32.GetLastError() retval=00000000 ret=0036a598 ... 0060:Call advapi32.OpenThreadToken(fffffffe,00000028,00000001,0032ef4c) ret=79f30451 0060: open_token( handle=fffffffe, access=00000028, attributes=00000000, flags=00000003 ) 0060: open_token() = NO_TOKEN { token=0000 } 0060:Ret advapi32.OpenThreadToken() retval=00000000 ret=79f30451 0060:Call KERNEL32.GetLastError() ret=79f061ff 0060:Ret KERNEL32.GetLastError() retval=000003f0 ret=79f061ff ... 0060:Call advapi32.DuplicateTokenEx(00000208,0000002c,00000000,00000002,00000002,0032ef14) ret=0408019e 0060: duplicate_token( handle=0208, access=0000002c, primary=0, impersonation_level=2, objattr={rootdir=0000,attributes=00000000,sd={},name=L""} ) 0060: duplicate_token() = 0 { new_handle=020c } 0060:Ret advapi32.DuplicateTokenEx() retval=00000001 ret=0408019e 0060:Call KERNEL32.GetLastError() ret=040801a4 0060:Ret KERNEL32.GetLastError() retval=000003f0 ret=040801a4 ... 0060:Call advapi32.SetThreadToken(00000000,0000020c) ret=7a02c163 0060: set_thread_info( handle=fffffffe, mask=4, priority=0, affinity=00000000, entry_point=00000000, token=020c ) 0060: set_thread_info() = 0 0060:Ret advapi32.SetThreadToken() retval=00000001 ret=7a02c163 ... 0060:Call advapi32.AdjustTokenPrivileges(0000020c,00000000,0032efe4,00000010,0032efd4,0032efd0) ret=0036b972 0060: adjust_token_privileges( handle=020c, disable_all=0, get_modified_state=1, privileges={{luid=0000000000000008,attr=2}} ) 0060: adjust_token_privileges() = 0 { len=0000000c, privileges={{luid=0000000000000008,attr=0}} } 0060:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=0036b972 0060:Call KERNEL32.GetLastError() ret=0036b978 0060:Ret KERNEL32.GetLastError() retval=00000000 ret=0036b978 ... 0060:Call advapi32.GetSecurityInfo(00000200,00000004,0000000f,0032f04c,0032f048,0032f044,0032f040,0032f03c) ret=0036ba68 0060: get_security_object( handle=0200, security_info=0000000f ) 0060: get_security_object() = ACCESS_DENIED { sd_len=00000000, sd={} } 0060:Ret advapi32.GetSecurityInfo() retval=00000005 ret=0036ba68 0060:Call KERNEL32.GetLastError() ret=0036ba6e 0060:Ret KERNEL32.GetLastError() retval=00000000 ret=0036ba6e ... 0060:Call KERNEL32.RaiseException(e0434f4d,00000001,00000001,0032ef38) ret=79f97065 0060:trace:seh:raise_exception code=e0434f4d flags=1 addr=0x7b44c03b ip=7b44c03b tid=0060 0060:trace:seh:raise_exception info[0]=80070005 0060:trace:seh:raise_exception eax=7b43a48d ebx=0015d9c8 ecx=00000000 edx=0032ef18 esi=0032ef18 edi=0032eee0 0060:trace:seh:raise_exception ebp=0032eeb8 esp=0032ee54 cs=320023 ds=32002b es=f7c6002b fs=f7c60063 gs=f7c6006b flags=00200212 0060:trace:seh:call_stack_handlers calling handler at 0x79f9a3c8 code=e0434f4d flags=1 0060:Call msvcr80._except_handler4_common(7a381240,79e717fb,0032ee60,0032ef50,0032eb7c,0032ea4c) ret=79f9a3e7 ... System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at System.Security.AccessControl.Win32.GetSecurityInfo(ResourceType resourceType, String name, SafeHandle handle, AccessControlSections accessControlSections, RawSecurityDescriptor& resultSd) at System.Security.AccessControl.NativeObjectSecurity.CreateInternal(ResourceType resourceType, Boolean isContainer, String name, SafeHandle handle, AccessControlSections includeSections, Boolean createByName, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext) at System.Security.AccessControl.NativeObjectSecurity..ctor(Boolean isContainer, ResourceType resourceType, SafeHandle handle, AccessControlSections includeSections, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext) at System.Security.AccessControl.RegistrySecurity..ctor(SafeRegistryHandle hKey, String name, AccessControlSections includeSections) at Microsoft.Win32.RegistryKey.GetAccessControl(AccessControlSections includeSections) at SolarWinds.Licensing.Framework.RegistryUtil.SetRegistryRights(RegistryKey swKey, AccessControlSections section) at SolarWinds.Licensing.Framework.RegistryUtil.SetRegistryRights(RegistryKey swKey) at SolarWinds.Licensing.Framework.RegistryUtil.GetRegistryKey(Boolean writable) at SolarWinds.Licensing.Framework.RegistryUtil.GetDefaultSymmetricAlgorithm() at SolarWinds.Licensing.Framework.Store.LicenseStoreDAL.GetSymmetricAlgorithm(String& defaultAlgo) at SolarWinds.Licensing.Framework.Store.LicenseStoreDAL.InitializeStore() at SolarWinds.Licensing.Framework.Store.LicenseStoreDAL..ctor() at SolarWinds.Licensing.Framework.Store.SingletonLicenseStoreFactory.get_StoreInstance() at SolarWinds.Licensing.Framework.LicenseManager..ctor(ILicenseStore store, IOnlineLicenseManager onlineManager) at SolarWinds.Licensing.Framework.LicenseManager.GetInstance() at SolarWinds.MRC.Licensor.Program.RunLicensingWindow(Boolean silentInstallation, Dictionary`2 activationArguments, Boolean forceOnlineCheck) at SolarWinds.MRC.Licensor.Program.Main(String[] args) ... 0060:trace:seh:start_debugger Starting debugger "winedbg --auto 95 528" --- snip ---

Microsoft Core CLR:

https://github.com/dotnet/corefx/blob/master/src/System.Security.AccessContr...

https://github.com/dotnet/corefx/blob/a10890f4ffe0fadf090c922578ba0e606ebdd1...

App managed code:

--- snip --- ... public static bool SetRegistryRights(RegistryKey swKey) { if (!Utility.IsAnAdministrator()) return false; try { RegistryUtil.SetRegistryRights(swKey, AccessControlSections.All); } catch (PrivilegeNotHeldException ex) { Logger.Log.Info((object) "Caught expected PrivilegeNotHeldException:", (Exception) ex); Logger.Log.Info((object) "Attempting to set privs with reduced control sections."); RegistryUtil.SetRegistryRights(swKey, AccessControlSections.Access); } return true; } ... private static void SetRegistryRights(RegistryKey swKey, AccessControlSections section) { AuthorizationRuleCollection accessRules = swKey.GetAccessControl(section).GetAccessRules(true, false, typeof (SecurityIdentifier)); RegistrySecurity registrySecurity = new RegistrySecurity(); foreach (AuthorizationRule authorizationRule in (ReadOnlyCollectionBase) accessRules) registrySecurity.AddAccessRule((RegistryAccessRule) authorizationRule); RegistryAccessRule rule = new RegistryAccessRule((IdentityReference) new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, (SecurityIdentifier) null), RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); registrySecurity.AddAccessRule(rule); swKey.SetAccessControl(registrySecurity); } --- snip ---

Microsoft docs:

https://docs.microsoft.com/en-us/windows/desktop/secauthz/sacl-access-right

--- quote --- SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread.

To access an object's SACL

1. Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME privilege. 2. Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object. 3. Get or set the object's SACL by using a function such as GetSecurityInfo or SetSecurityInfo. 4. Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.

To access a SACL using the GetNamedSecurityInfo or SetNamedSecurityInfo functions, enable the SE_SECURITY_NAME privilege. The function internally requests the access right.

The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do not control access to a SACL. However, you can use the ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the access right. --- quote ---

Apparently wineserver doesn't honour SE_SECURITY_NAME privilege from calling thread's access token when checking the access rights on the registry key. It just compares the registry key access rights from the creation of the key (0x2001f) with the get_security_object SACL_SECURITY_INFORMATION implied one (0x1020000 -> READ_CONTROL | ACCESS_SYSTEM_SECURITY) which obviously fails.

$ sha1sum DameWare-MRC32-Eval-v10.0.0.exe 5181070b3c13720a14072dc50c1aa1f4b82b7e3a DameWare-MRC32-Eval-v10.0.0.exe

$ du -sh DameWare-MRC32-Eval-v10.0.0.exe 58M DameWare-MRC32-Eval-v10.0.0.exe

$ wine --version wine-4.4

Regards