Merged PR 11070030: Add a nonce to the commandline to discourage ALPC…

… spoofing As per MSRC 88719. Fixes MSFT-51792331
microsoft · Jul 11, 2024 · 15dd7a0 · 15dd7a0
1 parent 937706d
commit 15dd7a0
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 11 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/sudo/Cargo.toml b/sudo/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "sudo"
-version = "1.0.0"
+version = "1.0.1"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

diff --git a/sudo/src/elevate_handler.rs b/sudo/src/elevate_handler.rs
@@ -153,13 +153,14 @@ pub fn handle_elevation_request(request: &ElevateRequest) -> Result<Owned<HANDLE
 /// Starts the RPC server and blocks until Shutdown() is called.
 pub fn start_rpc_server(
     parent_pid: u32,
+    nonce: u32,
     _caller_sid: Option<&String>,
     _args: &[&String],
 ) -> Result<i32> {
     // TODO:48520593 In rust_handle_elevation_request, validate that the parent
     // process handle is the same one that we opened here.
 
-    let endpoint = generate_rpc_endpoint_name(parent_pid);
+    let endpoint = generate_rpc_endpoint_name(parent_pid, nonce);
     let endpoint = CString::new(endpoint).unwrap();
     rpc_server_setup(&endpoint, parent_pid)?;
 

diff --git a/sudo/src/helpers.rs b/sudo/src/helpers.rs
@@ -109,8 +109,8 @@ pub unsafe extern "system" fn ignore_ctrl_c(ctrl_type: u32) -> BOOL {
     }
 }
 
-pub fn generate_rpc_endpoint_name(pid: u32) -> String {
-    format!(r"sudo_elevate_{pid}")
+pub fn generate_rpc_endpoint_name(pid: u32, nonce: u32) -> String {
+    format!(r"sudo_elevate_{pid}_{nonce}")
 }
 
 pub fn is_running_elevated() -> Result<bool> {

diff --git a/sudo/src/main.rs b/sudo/src/main.rs
@@ -74,6 +74,8 @@ fn sudo_cli(allowed_mode: i32) -> Command {
                         .help(r::IDS_ELEVATE_PARENT.get())
                         .required(true),
                 )
+                // .arg(arg!(-n <NONCE>).required(true))
+                .arg(Arg::new("NONCE").short('n').required(true))
                 // .arg(arg!([COMMANDLINE] ... "")),
                 .arg(
                     Arg::new("COMMANDLINE")
@@ -379,6 +381,7 @@ fn do_elevate(matches: &ArgMatches) -> Result<i32> {
     _ = check_enabled_or_bail();
 
     let parent_pid = matches.get_one::<String>("PARENT").unwrap().parse::<u32>();
+    let nonce = matches.get_one::<String>("NONCE").unwrap().parse::<u32>();
 
     if let Err(e) = &parent_pid {
         eprintln!("{} {}", r::IDS_UNKNOWNERROR.get(), e);
@@ -394,7 +397,12 @@ fn do_elevate(matches: &ArgMatches) -> Result<i32> {
         .flatten()
         .collect::<Vec<_>>();
 
-    let result = start_rpc_server(parent_pid.ok().unwrap(), None, &commandline);
+    let result = start_rpc_server(
+        parent_pid.ok().unwrap(),
+        nonce.ok().unwrap(),
+        None,
+        &commandline,
+    );
     trace_log_message(&format!("elevate result: {result:?}"));
     result
 }

diff --git a/sudo/src/run_handler.rs b/sudo/src/run_handler.rs
@@ -343,18 +343,41 @@ fn do_request(req: ElevateRequest, copy_env: bool, manually_requested_dir: bool)
     }
 }
 
+/// Generates a random nonce to include in the RPC endpoint name. We're using
+/// `RtlGenRandom` to generate the number. This is how the core language does it:
+/// https://github.com/rust-lang/rust/pull/45370
+fn random_nonce() -> u32 {
+    #[link(name = "advapi32")]
+    extern "system" {
+        // This function's real name is `RtlGenRandom`.
+        fn SystemFunction036(RandomBuffer: *mut u8, RandomBufferLength: u32) -> BOOLEAN;
+    }
+
+    let mut nonce = 0u32;
+    unsafe {
+        SystemFunction036(
+            (&mut nonce as *mut u32) as *mut u8,
+            std::mem::size_of::<u32>() as _,
+        );
+    }
+    nonce
+}
+
 fn handoff_to_elevated(req: &ElevateRequest) -> Result<i32> {
     // Build a single string from the request's application and args
     let parent_pid = std::process::id();
 
+    // generate a pseudorandom nonce to include
+    let nonce = random_nonce();
+
     tracing::trace_log_message(&format!(
         "running as user: '{}'",
         get_current_user().as_ref().unwrap_or(h!("unknown"))
     ));
 
     let path = env::current_exe().unwrap();
     let target_args = format!(
-        "elevate -p {parent_pid} {} {}",
+        "elevate -p {parent_pid} -n {nonce} {} {}",
         req.application,
         join_args(&req.args)
     );
@@ -369,7 +392,7 @@ fn handoff_to_elevated(req: &ElevateRequest) -> Result<i32> {
         _ = SetConsoleCtrlHandler(Some(ignore_ctrl_c), true);
     }
 
-    send_request_via_rpc(req)
+    send_request_via_rpc(req, nonce)
 }
 
 /// Connects to the elevated sudo instance via RPC, then makes a couple RPC
@@ -386,8 +409,8 @@ fn handoff_to_elevated(req: &ElevateRequest) -> Result<i32> {
 ///   process exited with an error.
 ///   - Specifically be on the lookout for 1764 here, which is
 ///     RPC_S_CANNOT_SUPPORT
-fn send_request_via_rpc(req: &ElevateRequest) -> Result<i32> {
-    let endpoint = generate_rpc_endpoint_name(unsafe { GetCurrentProcessId() });
+fn send_request_via_rpc(req: &ElevateRequest, nonce: u32) -> Result<i32> {
+    let endpoint = generate_rpc_endpoint_name(unsafe { GetCurrentProcessId() }, nonce);
     let endpoint = CString::new(endpoint).unwrap();
 
     // Attempt to connect to our RPC server, with a backoff. This will try 10

diff --git a/sudo/src/tests/mod.rs b/sudo/src/tests/mod.rs
@@ -21,6 +21,9 @@ mod tests {
 
     #[test]
     fn test_generate_rpc_endpoint_name() {
-        assert_eq!(generate_rpc_endpoint_name(1234), r"sudo_elevate_1234");
+        assert_eq!(
+            generate_rpc_endpoint_name(1234, 2345),
+            r"sudo_elevate_1234_2345"
+        );
     }
 }