
Commit e1495e2

committed
improved detection of limited user logon
1 parent 7b54bb5 commit e1495e2


1 file changed

+6
-19
lines changed


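--- a/RunasCs.cs
+++ b/RunasCs.cs
@@ -433,9 +433,6 @@ private bool IsLimitedUserLogon(IntPtr hToken, string username, string domainNam
 IntPtr hTokenNetwork = IntPtr.Zero;
 IntPtr hTokenBatch = IntPtr.Zero;
 IntPtr hTokenService = IntPtr.Zero;
-bool resultNetworkLogon = false;
-bool resultBatchLogon = false;
-bool resultServiceLogon = false;
 logonTypeNotFiltered = 0;
 isTokenUACFiltered = AccessToken.IsFilteredUACToken(hToken);
 if (isTokenUACFiltered)
@@ -447,28 +444,25 @@ private bool IsLimitedUserLogon(IntPtr hToken, string username, string domainNam
 // Check differences between the requested logon type and non-filtered logon types (Network, Batch, Service)
 // If IL mismatch, the user has potentially more privileges than the requested logon
 AccessToken.IntegrityLevel userTokenIL = AccessToken.GetTokenIntegrityLevel(hToken);
-resultNetworkLogon = LogonUser(username, domainName, password, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, ref hTokenNetwork);
-resultBatchLogon = LogonUser(username, domainName, password, LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, ref hTokenBatch);
-resultServiceLogon = LogonUser(username, domainName, password, LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, ref hTokenService);
-if (resultNetworkLogon && userTokenIL < AccessToken.GetTokenIntegrityLevel(hTokenNetwork))
+if (LogonUser(username, domainName, password, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, ref hTokenNetwork) && userTokenIL < AccessToken.GetTokenIntegrityLevel(hTokenNetwork))
 {
 isLimitedUserLogon = true;
 logonTypeNotFiltered = LOGON32_LOGON_NETWORK_CLEARTEXT;
 }
-else if (resultServiceLogon && !isLimitedUserLogon && userTokenIL < AccessToken.GetTokenIntegrityLevel(hTokenService))
+else if (!isLimitedUserLogon && LogonUser(username, domainName, password, LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, ref hTokenService) && userTokenIL < AccessToken.GetTokenIntegrityLevel(hTokenService))
 {
 // we check Service logon because by default it has the SeImpersonate privilege, available only in High IL
 isLimitedUserLogon = true;
 logonTypeNotFiltered = LOGON32_LOGON_SERVICE;
 }
-else if (resultBatchLogon && !isLimitedUserLogon && userTokenIL < AccessToken.GetTokenIntegrityLevel(hTokenBatch))
+else if (!isLimitedUserLogon && LogonUser(username, domainName, password, LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, ref hTokenBatch) && userTokenIL < AccessToken.GetTokenIntegrityLevel(hTokenBatch))
 {
 isLimitedUserLogon = true;
 logonTypeNotFiltered = LOGON32_LOGON_BATCH;
 }
-if (resultNetworkLogon) CloseHandle(hTokenNetwork);
-if (resultBatchLogon) CloseHandle(hTokenBatch);
-if (resultServiceLogon) CloseHandle(hTokenService);
+if (hTokenNetwork != IntPtr.Zero) CloseHandle(hTokenNetwork);
+if (hTokenBatch != IntPtr.Zero) CloseHandle(hTokenBatch);
+if (hTokenService != IntPtr.Zero) CloseHandle(hTokenService);
 }
 return isLimitedUserLogon;
 }
@@ -1284,13 +1278,6 @@ public static class AccessToken{
 private const int SECURITY_MANDATORY_PROTECTED_PROCESS_RID = 0x5000;
 private const uint SE_PRIVILEGE_ENABLED = 0x00000002;
 private static readonly byte[] MANDATORY_LABEL_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 16 };
-private const int LOGON32_PROVIDER_DEFAULT = 0;
-private const int LOGON32_LOGON_INTERACTIVE = 2;
-private const int LOGON32_LOGON_NETWORK = 3;
-private const int LOGON32_LOGON_BATCH = 4;
-private const int LOGON32_LOGON_SERVICE = 5;
-private const int LOGON32_LOGON_UNLOCK = 7;
-private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
 
 public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
 public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;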
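Review bot: The token handles opened by the `LogonUser` probes in `IsLimitedUserLogon` are released only on the fall-through path at new lines 463-465, so if `AccessToken.GetTokenIntegrityLevel` throws on one of them (its body is not visible here) a handle tied to a live logon for the supplied credentials is leaked. Wrapping the `if`/`else if` chain in `try { … } finally { … }`, with the three `CloseHandle` lines moved into the `finally`, would make the cleanup unconditional. The new guards also depend on `LogonUser` leaving the `ref` handle at `IntPtr.Zero` when it fails, which deserves a comment such as `// handles stay IntPtr.Zero unless LogonUser succeeded`. The `!isLimitedUserLogon` tests in the two `else if` conditions look redundant unless the flag can already be true before the chain; the function starts above the first hunk, so that cannot be confirmed from here.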
