1

I am running a program with SYSTEM privleges. I ask for the usename and password for a handle from LogonUser(szUserName, NULL, szPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken) for a local logon. I want to run the cmd.exe program as the user credentials provided from the logon. The logon is successful, but when I try to run the process, nothing happens. The program aborts. My code is...

// cmd.cpp : Defines the entry point for the console application.
//

#include <Windows.h>
#include <Lmcons.h>
#include <iostream>
#include <ctype.h>
#include <string>
#include <stdio.h>

#define winstring LPWSTR
#define stcas(x) static_cast<x>
#define INFO_BUFFER_SIZE    260 

using namespace std;

void ReportError(LPCWSTR pszFunction, DWORD dwError = GetLastError()) 
{ 
    wprintf(L"%s failed w/err 0x%08lx\n", pszFunction, dwError); 
} 

int main()
{
    TCHAR un[UNLEN+1];
    DWORD size = UNLEN + 1;
    GetUserName(un, &size);

    string una(un);

    bool sys = !una.compare("SYSTEM");

    if(!sys) {
        system("cls");
        system("title Command Prompt");
        system("cmd");
        return 0;
    }


    char szUserName[INFO_BUFFER_SIZE] = {}; 
    char szPassword[INFO_BUFFER_SIZE] = {}; 
    char *pc = NULL; 
    HANDLE hToken = NULL; 
    BOOL fSucceeded = FALSE; 
    BOOL logon = FALSE;


    printf("Enter the username: "); 
    fgets(szUserName, ARRAYSIZE(szUserName), stdin); 
    pc = strchr(szUserName, '\n'); 
    if (pc != NULL) *pc = '\0';  // Remove the trailing L'\n' 

    cout << endl;
    //string un(szUserName);

    printf("Enter the password: "); 
    fgets(szPassword, ARRAYSIZE(szPassword), stdin); 
    pc = strchr(szPassword, '\n'); 
    if (pc != NULL) *pc = '\0';  // Remove the trailing L'\n'



    if (!LogonUser(szUserName, NULL, szPassword,  LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken)) 
    {
        ReportError(L"Logon");
        goto Cleanup; 
    } 
    else logon = true;

    // Impersonate the logged on user. 
    if (!ImpersonateLoggedOnUser(hToken)) 
    { 

        ReportError(L"imp");
        goto Cleanup; 
    } 
    fSucceeded = true;

    Cleanup: 

    // Clean up the buffer containing sensitive password. 
    SecureZeroMemory(szPassword, sizeof(szPassword)); 

    LPTSTR szCmdline[] = {"C:\\windows\\system32\\cmd.exe"};
    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    TCHAR uni[UNLEN+1];
    DWORD sizei = UNLEN + 1;
    GetUserName(uni, &sizei);

    string unai(uni);
    cout << unai << endl;

    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);

    HANDLE phToken = NULL;

    BOOL dup = FALSE;

    if(!DuplicateTokenEx(hToken, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, NULL, SecurityImpersonation, TokenImpersonation, &phToken)){
        ReportError(L"DUPLICATE TOKEN");
    }

    else dup = TRUE;

    system("pause");

    // If the impersonation was successful, undo the impersonation. 
    if (fSucceeded && logon && dup) 
    { 
        system("cls");
        system("title Command Prompt");
        //system("cmd");

        if(!CreateProcessAsUser(
        phToken,            // client's access token
        NULL,              // file to execute
        *szCmdline,     // command line
        NULL,              // pointer to process SECURITY_ATTRIBUTES
        NULL,              // pointer to thread SECURITY_ATTRIBUTES
        FALSE,             // handles are not inheritable
        NORMAL_PRIORITY_CLASS,   // creation flags
        NULL,              // pointer to new environment block 
        NULL,              // name of current directory 
        &si,               // pointer to STARTUPINFO structure
        &pi                // receives information about new process
        )){
            ReportError(L"Create Process");
        }
        if (!RevertToSelf()) 
        {  
            ReportError(L"Undo Imp");
        } 

    }
    system("pause");
}

I really would like the nonelevated proccess to avoid security issues.

Please don't tell me that my typed password is shown. I know that and will fix that later.

nimsson
  • 930
  • 1
  • 14
  • 27
  • The arguments to `DuplicateTokenEx` are wrong. You need to create a primary token, not an impersonation token, and you need at least TOKEN_QUERY, TOKEN_DUPLICATE, and TOKEN_ASSIGN_PRIMARY access rights; I recommend using GENERIC_ALL. However, in this case, you don't need to duplicate the token at all. Just pass the token returned from LogonUser directly to CreateProcessAsUser. – Harry Johnston Mar 23 '14 at 22:02
  • @HarryJohnston, I have decided to use the CreateProcessWithLogonW function. – nimsson Mar 24 '14 at 21:44

2 Answers2

1

You're not initializing si. You need to do this before calling CreateProcessAsUser:

memset(&si, 0, sizeof(si));
si.cb = sizeof(si);
Carey Gregory
  • 6,836
  • 2
  • 26
  • 47
  • 1
    now I get 0x00000552... ERROR_NOT_LOGON_PROCESS... The requested action is restricted for use by logon processes only. The calling process has not registered as a logon process. – nimsson Mar 22 '14 at 20:36
  • Your process needs the `TOKEN_DUPLICATE` and `TOKEN_IMPERSONATE` access rights to call [CreateProcessAsUser](http://msdn.microsoft.com/en-us/library/windows/desktop/ms682429%28v=vs.85%29.aspx). – Carey Gregory Mar 22 '14 at 20:38
  • How do I do that? I am running as `NT AUTHORITY/SYSTEM` – nimsson Mar 22 '14 at 20:39
  • I believe `DuplicateTokenEx` will solve your problem. Take a look at [this question](http://stackoverflow.com/questions/4818183/multilevel-usage-of-thread-impersonation) – Carey Gregory Mar 22 '14 at 20:56
  • Now that I've added `DuplicateTokenEx`, I get error `0x00000005 ACCESS DENIED` take a look at my updated code, please. – nimsson Mar 23 '14 at 18:33
1

Try using the CreateProcessWithLogonUser Function. This should do that all for you with no errors.

user3453395
  • 26
  • 2
  • 1
    That voids all the current errors, but I am getting an application startup error. – nimsson Mar 23 '14 at 22:03
  • The application startup issue has already been asked about here: http://stackoverflow.com/questions/20256665/process-started-from-service-with-createprocesswithlogonw-terminates-right-away – Harry Johnston Mar 25 '14 at 00:45