Delphi-PRAXiS

Forum: Win32/Win64 API (native code) (https://www.delphipraxis.net/17-win32-win64-api-native-code/)
Thread: CredIsProtected buffer-overflow? (https://www.delphipraxis.net/214739-credisprotected-buffer-overflow.html)

himitsu, 1 Mar 2024 12:45

CredIsProtected buffer-overflow?
 
Hi, I/we are currently playing around a bit with the Windows Credentials.

Now I wanted to add CredProtect, CredUnprotect and CredIsProtected as well,
but ... well, CredIsProtected should really only read, shouldn't it? Yet it overwrites memory almost at random.

up front:
* Delphi XE through D12
* with or without WinMD (from D11 on, see GetIt)
* well, from the WinMD only what can halfway be used (which isn't much, and that only with agonizing effort)

Attached is my small demo/test app.
* either click WriteToCrendentialsStore OR change the filter at the bottom, e.g. to
Delphi code:
*
* and then ReadFromCredentialsStore / FindInCredentialsStore

* beforehand, in WinCrypt.FindInCredentialsStore or WinCrypt.ReadFromCredentialsStore, uncomment the block with CredIsProtected and set a breakpoint on CredIsProtected
* then, during CredIsProtected, "at least" the variables PCred and sometimes also Creds get changed
* even if the function did write, I would have expected a change at most in PCred.CredentialBlob
* and afterwards, of course, all accesses to PCred.xxxx blow up


To delete whatever may have been created, use the demo app again
* DeleteInCredentialsStore
or in Windows
* OpenCredentialManager
* control.exe /name Microsoft.CredentialManager
* [WIN] Credential Manager
* * on the right, under Windows Credentials

Kas Ob., 2 Mar 2024 13:40

Re: CredIsProtected buffer-overflow?
 
Hi,

Yesterday I looked and doubted myself; now I tried again to understand the subject at hand :stupid: . Using my ability to decrypt Google translations, I am assuming the problem is with overflowing somewhere.
Attachment 56691

Anyway, there are two problems, separate ones, that caused this

1) Without defining the enum size to be compatible with the Windows APIs, it will break
Code:
  {$MINENUMSIZE 4} // a C enum is 4 bytes; a four-member Delphi enum is 1 byte by default
  CRED_PROTECTION_TYPE = (CredUnprotected, CredUserProtection, CredTrustedProtection, CredForSystemProtection);
2) The definitions of both CredProtect and CredUnprotect are wrong in that demo; they should look like this:
Code:
BOOL CredProtectW(
  [in]      BOOL                 fAsSelf,
  [in]      LPWSTR               pszCredentials,
  [in]      DWORD                cchCredentials,
  [out]     LPWSTR               pszProtectedCredentials,
  [in, out] DWORD                *pcchMaxChars,
  [out]     CRED_PROTECTION_TYPE *ProtectionType
);
BOOL CredUnprotectW(
  [in]      BOOL   fAsSelf,
  [in]      LPWSTR pszProtectedCredentials,
  [in]      DWORD  cchProtectedCredentials,
  [out]     LPWSTR pszCredentials,
  [in, out] DWORD  *pcchMaxChars
);

Delphi code:
// The [out] string buffers are plain LPWSTR: the caller's buffer address, passed by value.
// Only pcchMaxChars and ProtectionType are pointers in C and therefore var/out in Delphi.
// (An 'out' on the LPWSTR parameters would pass the address of the pointer variable,
// and the API would then write the protected string over that variable and its neighbours.)
function CredProtect(fAsSelf: BOOL; pszCredentials: LPWSTR; cchCredentials: DWORD; pszProtectedCredentials: LPWSTR; var pcchMaxChars: DWORD; out ProtectionType: CRED_PROTECTION_TYPE): BOOL; stdcall; external advapi32 name 'CredProtectW';
function CredUnprotect(fAsSelf: BOOL; pszProtectedCredentials: LPWSTR; cchProtectedCredentials: DWORD; pszCredentials: LPWSTR; var pcchMaxChars: DWORD): BOOL; stdcall; external advapi32 name 'CredUnprotectW';
and bonus (3): after checking the result of CredIsProtected, in this case or any similar one, always set the buffer size to zero for the first call, then call once, then check GetLastError for ERROR_INSUFFICIENT_BUFFER; there is no need to check the result of the function itself in the first call, and you have what you need in pcchMaxChars after the second. Here again, as a rule of thumb, it is best to trim the buffer again.
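
The corrected declarations and the zero-size-then-real-call pattern from the post above, put together as a runnable console program. This is an added example, not the demo app from the thread and not the WinCryptCred project's code; it declares its own imports instead of relying on Winapi.WinCred or the WinMD units. It assumes the character count passed to CredProtectW/CredUnprotectW is the text length without the terminating NUL and trims every result at its first NUL (which keeps the round trip exact under either counting convention, since a Delphi string always has a NUL behind its Length); the secret string is constructed sample data.

```delphi
program CredProtectRoundTrip;
// Added example: correct CredProtectW / CredUnprotectW / CredIsProtectedW imports
// and the two-call size query. Not the thread's demo app.
{$APPTYPE CONSOLE}
// Win32 enums are 4 bytes. Without this directive a four-member Delphi enum is
// 1 byte and the API's 4-byte [out] write spills into the neighbouring locals.
{$MINENUMSIZE 4}

uses
  Winapi.Windows, System.SysUtils;

type
  CRED_PROTECTION_TYPE = (CredUnprotected, CredUserProtection,
    CredTrustedProtection, CredForSystemProtection);

// String buffers are LPWSTR passed by value (the pointer IS the buffer address);
// only the count and the enum go by reference. Declaring the buffer as 'out'
// would hand the API the address of the pointer variable instead.
function CredProtectW(fAsSelf: BOOL; pszCredentials: LPWSTR;
  cchCredentials: DWORD; pszProtectedCredentials: LPWSTR;
  var pcchMaxChars: DWORD; var ProtectionType: CRED_PROTECTION_TYPE): BOOL;
  stdcall; external advapi32 name 'CredProtectW';

function CredUnprotectW(fAsSelf: BOOL; pszProtectedCredentials: LPWSTR;
  cchProtectedCredentials: DWORD; pszCredentials: LPWSTR;
  var pcchMaxChars: DWORD): BOOL; stdcall; external advapi32 name 'CredUnprotectW';

function CredIsProtectedW(pszProtectedCredentials: LPWSTR;
  var pProtectionType: CRED_PROTECTION_TYPE): BOOL; stdcall;
  external advapi32 name 'CredIsProtectedW';

// Two-call pattern: ask with a nil buffer and size 0 (must fail with
// ERROR_INSUFFICIENT_BUFFER and report the size in Needed), allocate, call
// again, then cut the result at its first NUL.
// Assumption: the count passed in is the text length without the terminating NUL.
function ProtectSecret(const Secret: string; out Kind: CRED_PROTECTION_TYPE): string;
var
  Needed: DWORD;
begin
  Needed := 0;
  if CredProtectW(True, PWideChar(Secret), Length(Secret), nil, Needed, Kind) then
    raise Exception.Create('CredProtectW succeeded with a zero-length buffer');
  if GetLastError <> ERROR_INSUFFICIENT_BUFFER then
    RaiseLastOSError;
  SetLength(Result, Needed); // Delphi keeps an extra NUL slot behind Needed chars
  if not CredProtectW(True, PWideChar(Secret), Length(Secret),
      PWideChar(Result), Needed, Kind) then
    RaiseLastOSError;
  SetLength(Result, StrLen(PWideChar(Result))); // trim to the NUL-terminated text
end;

function UnprotectSecret(const Blob: string): string;
var
  Needed: DWORD;
begin
  Needed := 0;
  if CredUnprotectW(True, PWideChar(Blob), Length(Blob), nil, Needed) then
    raise Exception.Create('CredUnprotectW succeeded with a zero-length buffer');
  if GetLastError <> ERROR_INSUFFICIENT_BUFFER then
    RaiseLastOSError;
  SetLength(Result, Needed);
  if not CredUnprotectW(True, PWideChar(Blob), Length(Blob),
      PWideChar(Result), Needed) then
    RaiseLastOSError;
  SetLength(Result, StrLen(PWideChar(Result)));
end;

// CredIsProtectedW only reads S; with a 4-byte enum its [out] write touches
// exactly the 4 bytes of Result and nothing next to it.
function ProtectionOf(const S: string): CRED_PROTECTION_TYPE;
begin
  if not CredIsProtectedW(PWideChar(S), Result) then
    RaiseLastOSError;
end;

const
  Sample = 'hunter2'; // constructed sample secret, not a real credential
var
  Kind: CRED_PROTECTION_TYPE;
  Blob: string;
begin
  if SizeOf(CRED_PROTECTION_TYPE) <> 4 then
    raise Exception.Create('CRED_PROTECTION_TYPE must be 4 bytes to match the Win32 ABI');
  Blob := ProtectSecret(Sample, Kind);
  Writeln('protected with type ', Ord(Kind), ', blob of ', Length(Blob), ' chars');
  Writeln('plaintext classified as ', Ord(ProtectionOf(Sample)));
  Writeln('blob classified as      ', Ord(ProtectionOf(Blob)));
  if UnprotectSecret(Blob) <> Sample then
    raise Exception.Create('round trip failed');
  Writeln('round trip OK');
end.
```

Run it once with `{$MINENUMSIZE 4}` and once without to see the difference the directive makes: with the 1-byte enum the size check at the top of the main block fires before any API call can corrupt a neighbouring local. The fAsSelf=True calls protect with the calling user's identity, so the blob can only be unprotected by that same account.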

himitsu, 2 Mar 2024 13:53

Re: CredIsProtected buffer-overflow?
 
Ahhhhhh crap, I forgot to take the {$MINENUMSIZE 4} with me when moving to an external unit. :wall:
I've been looking everywhere for days, but I hadn't looked for this.
I thought I had made a mistake in the translation somewhere or was carrying out the call incorrectly.


With many API implementations, from Embarcadero and also in the new WinMD, you really have to be careful, because they often consist of nothing but errors.
e.g. Winapi.WinCred, Soap.Win.CertHelper (in Delphi) or Windows.Foundation, Windows.Security.Credentials and Windows.Security.Cryptography (in the WinMD)

Code:
Windows.Security.Credentials : CredReadW
  should be:   out Credential: PCREDENTIALW
  NOT:         out Credential: CREDENTIALW
  C prototype: [out] PCREDENTIALW *Credential

Windows.Security.Credentials : CredEnumerateW
  should be:   out Credential: PPCREDENTIAL
  NOT:         out Credential: CREDENTIALW
  C prototype: [out] PCREDENTIALW **Credential

Windows.Security.Credentials : CredUnPackAuthenticationBuffer
  should be:   pszUserName: LPWSTR
  NOT:         {out} pszUserName: PPWSTR
  C prototype: [out] LPSTR pszUserName
https://www.delphipraxis.net/214473-...ml#post1532976
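
To show the indirection levels listed above in working code, here is an added example (not part of the post and not the WinCryptCred project's code) with a self-declared CREDENTIALW and the correct pointer levels for CredReadW (one pointer, returned by reference) and CredEnumerateW (an array of pointers, returned by reference), plus the single CredFree that releases the whole enumeration. The record layout follows the wincred.h definition; the attribute pointer is declared opaque because the example does not walk attributes, and the target name "Demo ABC" is the one mentioned later in the thread, not something the store is guaranteed to contain.

```delphi
program CredEnumerateDemo;
// Added example (not the post's code, not the WinCryptCred project): self-declared
// CREDENTIALW and the correct indirection levels for CredReadW / CredEnumerateW.
{$APPTYPE CONSOLE}

uses
  Winapi.Windows, System.SysUtils;

type
  // Layout follows wincred.h; the attribute pointer stays opaque because
  // nothing below walks attributes.
  PCREDENTIAL_ATTRIBUTEW = Pointer;
  PCREDENTIALW = ^CREDENTIALW;
  CREDENTIALW = record
    Flags: DWORD;
    Type_: DWORD;
    TargetName: LPWSTR;
    Comment: LPWSTR;
    LastWritten: FILETIME;
    CredentialBlobSize: DWORD;
    CredentialBlob: PByte;
    Persist: DWORD;
    AttributeCount: DWORD;
    Attributes: PCREDENTIAL_ATTRIBUTEW;
    TargetAlias: LPWSTR;
    UserName: LPWSTR;
  end;
  PPCREDENTIALW = ^PCREDENTIALW;
  TCredArray = array[0..MaxInt div SizeOf(PCREDENTIALW) - 1] of PCREDENTIALW;
  PCredArray = ^TCredArray;

const
  CRED_TYPE_GENERIC = 1;

// [out] PCREDENTIALW *Credential: ONE pointer comes back, so the Delphi
// parameter is a PCREDENTIALW by reference, not a CREDENTIALW by reference.
function CredReadW(TargetName: LPCWSTR; Type_: DWORD; Flags: DWORD;
  out Credential: PCREDENTIALW): BOOL; stdcall; external advapi32 name 'CredReadW';

// [out] PCREDENTIALW **Credentials: an ARRAY of pointers comes back, so the
// parameter is a PPCREDENTIALW by reference (one level more than CredReadW).
function CredEnumerateW(Filter: LPCWSTR; Flags: DWORD; out Count: DWORD;
  out Credentials: PPCREDENTIALW): BOOL; stdcall; external advapi32 name 'CredEnumerateW';

// Both results are released with ONE CredFree on the outer pointer;
// the entries of an enumeration are not freed one by one.
procedure CredFree(Buffer: Pointer); stdcall; external advapi32 name 'CredFree';

// Prints target, user and sizes of every credential matching Filter ('*' = all)
// and returns the count. The blob is never printed: for generic credentials
// it holds the secret itself.
function ListCredentials(const Filter: string): Integer;
var
  Creds: PPCREDENTIALW;
  Count: DWORD;
  I: Integer;
  Cred: PCREDENTIALW;
begin
  Result := 0;
  if not CredEnumerateW(PWideChar(Filter), 0, Count, Creds) then
  begin
    if GetLastError = ERROR_NOT_FOUND then Exit; // nothing matched
    RaiseLastOSError;
  end;
  try
    for I := 0 to Integer(Count) - 1 do
    begin
      Cred := PCredArray(Creds)^[I];
      Writeln(Format('%-40s user=%s type=%d persist=%d blob=%d bytes',
        [string(Cred^.TargetName), string(Cred^.UserName), Cred^.Type_,
         Cred^.Persist, Cred^.CredentialBlobSize]));
      Inc(Result);
    end;
  finally
    CredFree(Creds);
  end;
end;

// Reads one generic credential; False if there is none under that name.
function ReadGenericCredential(const Target: string; out User, Secret: string): Boolean;
var
  Cred: PCREDENTIALW;
begin
  Result := CredReadW(PWideChar(Target), CRED_TYPE_GENERIC, 0, Cred);
  if not Result then
  begin
    if GetLastError = ERROR_NOT_FOUND then Exit;
    RaiseLastOSError;
  end;
  try
    User := string(Cred^.UserName);
    // The blob is raw bytes; a UTF-16 secret stored by CredWriteW has
    // CredentialBlobSize = 2 * character count.
    SetString(Secret, PWideChar(Cred^.CredentialBlob),
      Cred^.CredentialBlobSize div SizeOf(WideChar));
  finally
    CredFree(Cred);
  end;
end;

var
  User, Secret: string;
begin
  Writeln(ListCredentials('*'), ' credential(s) in the store');
  // 'Demo ABC' is the target name mentioned later in the thread; adjust as needed.
  if ReadGenericCredential('Demo ABC', User, Secret) then
    Writeln('Demo ABC: user=', User, ', secret length=', Length(Secret), ' chars')
  else
    Writeln('Demo ABC: not present');
end.
```

The declarations are the point: if CredReadW were declared with `out Credential: CREDENTIALW`, the API would write its pointer over the first four or eight bytes of a caller-owned record and the rest of the record would be garbage, which is exactly the kind of "PCred changes during the call" symptom described at the top of the thread.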

Kas Ob., 2 Mar 2024 14:02

Re: CredIsProtected buffer-overflow?
 
I just want to know one thing :duck:

How do you manage to mess up the page translation in my Chrome? HOW?

90% of the translation failures or messed-up pages here on this forum are from your posts!!!
Attachment 56692

That is really a talent, and I want it.

himitsu, 2 Mar 2024 14:23

Re: CredIsProtected buffer-overflow?
 
I don't use the translator in Firefox either,
but at least Google's online translator handles it quite well when different languages appear together.

https://translate.google.de
and
https://www-delphipraxis-net.transla...pp#post1534086

Many years ago, the Android app was able to find and translate texts in photos and images.

I would have guessed that the translator could do something like that in their own browser. :duck:

himitsu, 2 Mar 2024 17:45

Re: CredIsProtected buffer-overflow?
 
Thanks again for your help.
Sometimes I just have tomatoes on my eyes. :coder2:

At first I thought that CredProtect was applied to the entire PCREDENTIAL, but at some point I found out, from the few examples that can be found on the internet, that it is only applied to the CredentialBlob.
The way I see it, you could also apply it to the attributes, but for the main data it's enough for me for now.

Now I will probably introduce a class var for CREDENTIAL.Persist, to control when writing whether it should be saved locally or in the Windows domain. At the moment, local is enough for us here.
Code:
CRED_PERSIST_NONE         = 0;
CRED_PERSIST_SESSION      = 1;
CRED_PERSIST_LOCAL_MACHINE = 2;
CRED_PERSIST_ENTERPRISE   = 3;

Kas Ob., 3 Mar 2024 08:06

Re: CredIsProtected buffer-overflow?
 
You are welcome, and thank you for sharing this.

A question though :

Where and how do I get the scope of the credential? (this field in the screenshot)
Attachment 56699

ps: there are exceptions due to a conflict in WriteToCredentialStore with "Demo ABC"

himitsu, 3 Mar 2024 12:30

Re: CredIsProtected buffer-overflow?
 
When reading, the currently unimplemented fields are saved in "Credential.Others",
and filled with hard default values when writing.

Yes, I left some things out of the parameters,
but recently at least moved from hard-coded defaults to class vars.
Delphi code:
TCryptCredential.DefaultPersist := ccpEnterprise;
I'm currently in the process of moving this to GitHub.

himitsu, 4 Mar 2024 03:31

Re: CredIsProtected buffer-overflow?
 
https://github.com/geheimniswelten/WinCryptCred


Delphi-PRAXiS (c) 2002 - 2023 by Daniel R. Wolf, 2024 by Thomas Breitkreuz