Access named pipe servers from IE EPM BHO

I am trying to make some changes to our legacy product to support IE EPM in our BHO. I managed to get it loaded, and the various methods are called - SetSite, DocumentComplete, etc.

The problem is that I'm trying to connect to a named pipe server running inside a Windows service.

We had already made changes to allow the IE BHO to access the named pipe server in protected mode, using LOW_INTEGRITY_SDDL_SACL ("S:(ML;;NW;;;LW)"). In the code, we create a security descriptor with ConvertStringSecurityDescriptorToSecurityDescriptor and then call SetSecurityDescriptorSacl on the actual SD object of the SECURITY_ATTRIBUTES. This allowed the BHO code to access named pipe servers hosted in the SYSTEM service.

I went through several articles; probably the most useful of them is: Is there a way to create a named pipe from an AppContainer BHO in IE11?

I made some changes to the SDDL, so now it looks like

#define EPM_INTEGRITY_SDDL L"S:(ML;;NW;;;LW)D:(A;;FA;;;SY)(A;;FA;;;WD)(A;;FA;;;AC)" 

Basically it gives FILE_ALL_ACCESS (FA) to Everyone (WD), ALL APPLICATION PACKAGES (AC) and SYSTEM (SY) in the DACL part. I know this is too permissive, but I expected it should at least work when I used SetSecurityDescriptorDacl :-)

In any case, the code that sets up the SD now looks like this. Did I miss something?

    #include <windows.h>
    #include <sddl.h>

    // Builds the pipe's security descriptor from EPM_INTEGRITY_SDDL: the
    // low-integrity label goes into the SACL, the Allow ACEs into the DACL.
    // pSecurityDesc must already have been initialized with
    // InitializeSecurityDescriptor. The ACL pointers copied below point into
    // the self-relative buffer pLISD, so pLISD must not be LocalFree'd while
    // pSecurityDesc is still in use (i.e. until after CreateNamedPipe returns).
    PSECURITY_DESCRIPTOR pLISD = NULL;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
            EPM_INTEGRITY_SDDL, SDDL_REVISION_1, &pLISD, NULL)) {
        OutputDebugString(L"Unable to get the app-container integrity security descriptor");
        return false;
    }

    PACL pAcl = NULL;
    BOOL bAclPresent = FALSE;
    BOOL bAclDefaulted = FALSE;

    // Copy the SACL (mandatory label) into the target descriptor.
    if (!GetSecurityDescriptorSacl(pLISD, &bAclPresent, &pAcl, &bAclDefaulted) || !bAclPresent) {
        OutputDebugString(L"Setting to low integrity : No SACL Available");
        return false;
    }
    if (!SetSecurityDescriptorSacl(pSecurityDesc, TRUE, pAcl, FALSE)) {
        OutputDebugString(L"Setting to low integrity : Unable to set the SACL");
        return false;
    }

    // Copy the DACL into the target descriptor as well.
    pAcl = NULL;
    bAclPresent = FALSE;
    bAclDefaulted = FALSE;
    if (!GetSecurityDescriptorDacl(pLISD, &bAclPresent, &pAcl, &bAclDefaulted) || !bAclPresent) {
        OutputDebugString(L"Setting to low integrity : No DACL Available");
        return false;
    }
    if (!SetSecurityDescriptorDacl(pSecurityDesc, TRUE, pAcl, FALSE)) {
        OutputDebugString(L"Setting to low integrity : Unable to set the DACL");
        return false;
    }
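To make the SDDL strings in the question concrete, here is a small SDDL parser with a checker for the two properties a pipe needs before a protected-mode or EPM client can open it: a Low mandatory label (LW) in the SACL and an Allow ACE for ALL APPLICATION PACKAGES (AC) in the DACL. It also flags the over-permissive Everyone ACE the questioner mentions, and the NULL-DACL case that results when only a SACL is applied. This is an added example, not the questioner's code: the SID and rights tables are the standard sddl.h/winnt.h values, while the finding texts and the choice of "write-like" bits are the editor's. It checks the SDDL string only; whether the pipe is reachable at all also depends on where the server runs, as the answer discusses.

```python
"""SDDL parser and checker for named-pipe security descriptors meant to be
opened by IE protected-mode (Low IL) and EPM/AppContainer clients.
Added example for this page; not the original poster's code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Two-letter SID abbreviations (subset of sddl.h), used in the SID field only.
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone", "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users", "AU": "Authenticated Users", "AN": "ANONYMOUS LOGON",
    "AC": "ALL APPLICATION PACKAGES", "LW": "Low Mandatory Level",
    "ME": "Medium Mandatory Level", "HI": "High Mandatory Level",
    "SI": "System Mandatory Level",
}
# Two-letter rights tokens -> ACCESS_MASK bits (winnt.h / sddl.h values).
# Note that "WD" here is WRITE_DAC, unrelated to the Everyone SID above.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
    "NW": 0x1, "NR": 0x2, "NX": 0x4,  # mandatory-label policy bits (ML ACEs)
}
# Editor's choice of bits that let a pipe client write to or take over the object:
# FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE | GENERIC_ALL | WRITE_DAC | WRITE_OWNER
PIPE_WRITE_BITS = 0x2 | 0x4 | RIGHTS["GW"] | RIGHTS["GA"] | RIGHTS["WD"] | RIGHTS["WO"]
BROAD_SIDS = ("WD", "AN", "AU", "BU")      # principals that should not get write access
APPCONTAINER_SIDS = ("AC", "S-1-15-2-1")    # ALL APPLICATION PACKAGES, alias and raw form


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, "ML" mandatory label, "AU" audit, ...
    flags: str
    rights: int     # ACCESS_MASK, or policy bits for an ML ACE
    sid: str        # as written: two-letter alias or S-1-... string


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl: Optional[List[Ace]] = None   # None means no D: section, i.e. a NULL DACL
    sacl: Optional[List[Ace]] = None


def parse_rights(token: str) -> int:
    """Rights field: either a hex mask or a run of two-letter tokens."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError(f"bad rights string {token!r}")
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS[token[i:i + 2]]   # unknown token -> KeyError, by design
    return mask


_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_acl(body: str) -> List[Ace]:
    """Parse '(type;flags;rights;object;inherit;sid)...'; ACL flags before the first '(' are ignored."""
    aces = []
    for m in _ACE_RE.finditer(body):
        f = m.group(1).split(";")
        if len(f) < 6:
            raise ValueError(f"malformed ACE {m.group(0)!r}")
        aces.append(Ace(f[0], f[1], parse_rights(f[2]) if f[2] else 0, f[5]))
    return aces


_SECTION_RE = re.compile(r"(O|G|D|S):")


def parse_sddl(sddl: str) -> SecurityDescriptor:
    sd = SecurityDescriptor()
    marks = list(_SECTION_RE.finditer(sddl))
    if not marks or marks[0].start() != 0:
        raise ValueError("SDDL must begin with O:, G:, D: or S:")
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body, kind = sddl[m.end():end], m.group(1)
        if kind == "O":
            sd.owner = body
        elif kind == "G":
            sd.group = body
        elif kind == "D":
            sd.dacl = parse_acl(body)
        else:
            sd.sacl = parse_acl(body)
    return sd


def sid_name(sid: str) -> str:
    return WELL_KNOWN_SIDS.get(sid, sid)


def check_epm_pipe_sddl(sddl: str) -> List[str]:
    """Findings for an SD meant to let Low-IL / AppContainer clients use a pipe; empty list = ok."""
    sd = parse_sddl(sddl)
    findings = []
    labels = [a for a in (sd.sacl or []) if a.ace_type == "ML"]
    if not labels:
        findings.append("no mandatory label: the pipe gets the server's label (Medium or higher), "
                        "so Low-IL protected-mode clients cannot write to it")
    for a in labels:
        if a.sid != "LW":
            findings.append(f"mandatory label is {sid_name(a.sid)}; Low-IL clients need a Low label")
    if sd.dacl is None:
        findings.append("no D: section: a NULL DACL grants everyone full access")
        return findings
    allows = [a for a in sd.dacl if a.ace_type == "A"]
    if not any(a.sid in APPCONTAINER_SIDS for a in allows):
        findings.append("no Allow ACE for ALL APPLICATION PACKAGES (AC): AppContainer/EPM clients "
                        "are denied regardless of what Everyone is granted")
    for a in allows:
        if a.sid in BROAD_SIDS and a.rights & PIPE_WRITE_BITS:
            findings.append(f"{sid_name(a.sid)} granted write access (0x{a.rights:08X}); "
                            "restrict to the intended clients")
    return findings


if __name__ == "__main__":
    # The two SDDL strings from the question, plus a tighter variant for comparison.
    for s in ("S:(ML;;NW;;;LW)",
              "S:(ML;;NW;;;LW)D:(A;;FA;;;SY)(A;;FA;;;WD)(A;;FA;;;AC)",
              "S:(ML;;NW;;;LW)D:(A;;FA;;;SY)(A;;FRFW;;;AC)"):
        print(s, "->", check_epm_pipe_sddl(s) or ["ok"])
```

The first string reports only the NULL DACL, which is why the SACL-only descriptor "worked" for the low-integrity BHO: nothing in the DACL was restricting anyone. The second reports the Everyone ACE; the third, which grants AC only generic file read/write, reports nothing.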
1 answer

I did some research and managed to figure out an approach that works.

First, it seems that a BHO inside the AppContainer cannot access named pipes, etc., created in a different Windows session. Since I created my named pipe in a Windows service, it does not matter which security descriptor I specify; it will not work.

Second, if an intermediary (broker) process creates the named pipe with the same SD, it is accessible. So the approach I took was to create a broker process for my BHO, which forwards the messages to the Windows service. That way my "server" logic did not need to move.

I am not enthusiastic about the approach, but it is not so bad, because I can reuse this code for the JS extensions too without completely rewriting the main code.

Third, I needed some way to call back into the BHO to ask it to take some action based on external events. I managed this by creating an HWND_MESSAGE window in the BHO's SetSite and invoking it with SendMessage from the broker process. Since this is cross-process, you need to use WM_COPYDATA.


Source: https://habr.com/ru/post/954510/
