
Ethereal-dev: [Ethereal-dev] [DCE RPC] Updates to SAMR and LSA dissectors


From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@xxxxxx>
Date: Fri, 4 Jun 2004 19:50:58 +0200
Hello,

attached are two patches for packet-dcerpc-samr.c and
packet-dcerpc-lsa.c.

These two patches:

 - fix the dissection of ACL access masks in the SamrQuerySecurityObject
   and SamrSetSecurityObject operations, which were incorrectly decoded as
   LSA permissions instead of SAMR permissions

 - dissect the permission mask in SamrOpenUser operation as a SAM_USER
   object permission mask 

 - fix a problem in the dissection of the LSA policy object permissions
   (POLICY_AUDIT_LOG_ADMIN was defined in packet-dcerpc-lsa.h but not used
   in packet-dcerpc-lsa.c, so the permission mask dissection is currently
   slightly wrong)

 - give more accurate names for LSA policy object permissions

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand@xxxxxx
HSC - http://www.hsc.fr/
Index: packet-dcerpc-lsa.c
===================================================================
RCS file: /cvsroot/ethereal/packet-dcerpc-lsa.c,v
retrieving revision 1.94
diff -u -r1.94 packet-dcerpc-lsa.c
--- packet-dcerpc-lsa.c	19 May 2004 04:52:31 -0000	1.94
+++ packet-dcerpc-lsa.c	4 Jun 2004 17:34:11 -0000
@@ -315,6 +315,7 @@
 static gint hf_create_priv = -1;
 static gint hf_set_default_quota_limits = -1;
 static gint hf_set_audit_requirements = -1;
+static gint hf_audit_log_admin = -1;
 static gint hf_server_admin = -1;
 static gint hf_lookup_names = -1;
 
@@ -329,6 +330,9 @@
 		tree, hf_server_admin, tvb, offset, 4, access);
 
 	proto_tree_add_boolean(
+		tree, hf_audit_log_admin, tvb, offset, 4, access);
+
+	proto_tree_add_boolean(
 		tree, hf_set_audit_requirements, tvb, offset, 4, access);
 
 	proto_tree_add_boolean(
@@ -4403,39 +4407,39 @@
 		NULL, 0x0, "Flag whether all rights should be removed or only the specified ones", HFILL }},
 
 	{ &hf_view_local_info,
-	        { "View local info", "lsa.access_mask.view_local_info",
+	        { "View non-sensitive policy information", "lsa.access_mask.view_local_info",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_VIEW_LOCAL_INFORMATION,
-		  "View local info", HFILL }},
+		  "View non-sensitive policy information", HFILL }},
 
 	{ &hf_view_audit_info,
-	        { "View audit info", "lsa.access_mask.view_audit_info",
+	        { "View system audit requirements", "lsa.access_mask.view_audit_info",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_VIEW_AUDIT_INFORMATION,
-		  "View audit info", HFILL }},
+		  "View system audit requirements", HFILL }},
 
 	{ &hf_get_private_info,
-	        { "Get private info", "lsa.access_mask.get_privateinfo",
+	        { "Get sensitive policy information", "lsa.access_mask.get_privateinfo",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_GET_PRIVATE_INFORMATION,
-		  "Get private info", HFILL }},
+		  "Get sensitive policy information", HFILL }},
 
 	{ &hf_trust_admin,
-	        { "Trust admin", "lsa.access_mask.trust_admin",
+	        { "Modify domain trust relationships", "lsa.access_mask.trust_admin",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_TRUST_ADMIN,
-		  "Trust admin", HFILL }},
+		  "Modify domain trust relationships", HFILL }},
 
 	{ &hf_create_account,
-	        { "Create account", "lsa.access_mask.create_account",
+	        { "Create special accounts (for assignment of user rights)", "lsa.access_mask.create_account",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_CREATE_ACCOUNT,
-		  "Create account", HFILL }},
+		  "Create special accounts (for assignment of user rights)", HFILL }},
 
 	{ &hf_create_secret,
-	        { "Create secret", "lsa.access_mask.create_secret",
+	        { "Create a secret object", "lsa.access_mask.create_secret",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_CREATE_SECRET,
-		  "Create secret", HFILL }},
+		  "Create a secret object", HFILL }},
 
 	{ &hf_create_priv,
-	        { "Create privilege", "lsa.access_mask.create_priv",
+	        { "Create a privilege", "lsa.access_mask.create_priv",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_CREATE_PRIVILEGE,
-		  "Create privilege", HFILL }},
+		  "Create a privilege", HFILL }},
 
 	{ &hf_set_default_quota_limits,
 	        { "Set default quota limits", "lsa.access_mask.set_default_quota_limits",
@@ -4443,19 +4447,24 @@
 		  "Set default quota limits", HFILL }},
 
 	{ &hf_set_audit_requirements,
-	        { "Set audit requirements", "lsa.access_mask.set_audit_requirements",
+	        { "Change system audit requirements", "lsa.access_mask.set_audit_requirements",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_SET_AUDIT_REQUIREMENTS,
-		  "Set audit requirements", HFILL }},
+		  "Change system audit requirements", HFILL }},
+
+	{ &hf_audit_log_admin,
+	        { "Administer audit log attributes", "lsa.access_mask.audit_log_admin",
+		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_AUDIT_LOG_ADMIN,
+		  "Administer audit log attributes", HFILL }},
 
 	{ &hf_server_admin,
-	        { "Server admin", "lsa.access_mask.server_admin",
+	        { "Enable/Disable LSA", "lsa.access_mask.server_admin",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_SERVER_ADMIN,
-		  "Server admin", HFILL }},
+		  "Enable/Disable LSA", HFILL }},
 
 	{ &hf_lookup_names,
-	        { "Lookup names", "lsa.access_mask.lookup_names",
+	        { "Lookup Names/SIDs", "lsa.access_mask.lookup_names",
 		  FT_BOOLEAN, 32, TFS(&flags_set_truth), POLICY_LOOKUP_NAMES,
-		  "Lookup names", HFILL }}
+		  "Lookup Names/SIDs", HFILL }}
 };
 
         static gint *ett[] = {
Index: packet-dcerpc-samr.c
===================================================================
RCS file: /cvsroot/ethereal/packet-dcerpc-samr.c,v
retrieving revision 1.107
diff -u -r1.107 packet-dcerpc-samr.c
--- packet-dcerpc-samr.c	19 May 2004 04:52:30 -0000	1.107
+++ packet-dcerpc-samr.c	4 Jun 2004 17:33:52 -0000
@@ -57,6 +57,7 @@
 static int hf_samr_rc = -1;
 static int hf_samr_index = -1;
 static int hf_samr_count = -1;
+static int hf_samr_sd_size = -1;
 
 static int hf_samr_level = -1;
 static int hf_samr_start_idx = -1;
@@ -127,6 +128,7 @@
 static int hf_samr_unknown_time = -1;
 
 static gint ett_dcerpc_samr = -1;
+static gint ett_SAM_SECURITY_DESCRIPTOR = -1;
 static gint ett_samr_user_dispinfo_1 = -1;
 static gint ett_samr_user_dispinfo_1_array = -1;
 static gint ett_samr_user_dispinfo_2 = -1;
@@ -230,6 +232,58 @@
 	NULL                        /* Standard rights mapping */
 };
 
+
+int
+sam_dissect_SAM_SECURITY_DESCRIPTOR_data(tvbuff_t *tvb, int offset,
+                             packet_info *pinfo, proto_tree *tree,
+                             guint8 *drep)
+{
+	guint32 len;
+	dcerpc_info *di;
+
+	di=pinfo->private_data;
+	if(di->conformant_run){
+		/*just a run to handle conformant arrays, nothing to dissect */
+		return offset;
+	}
+
+	offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
+				     hf_samr_sd_size, &len);
+
+	dissect_nt_sec_desc(
+		tvb, offset, pinfo, tree, drep, len, &samr_connect_access_mask_info);
+
+	offset += len;
+
+	return offset;
+}
+int
+sam_dissect_SAM_SECURITY_DESCRIPTOR(tvbuff_t *tvb, int offset,
+			packet_info *pinfo, proto_tree *parent_tree,
+			guint8 *drep)
+{
+	proto_item *item=NULL;
+	proto_tree *tree=NULL;
+ 	int old_offset=offset;
+
+	if(parent_tree){
+		item = proto_tree_add_text(parent_tree, tvb, offset, -1,
+			"SAM_SECURITY_DESCRIPTOR:");
+		tree = proto_item_add_subtree(item, ett_SAM_SECURITY_DESCRIPTOR);
+	}
+
+	offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
+				    hf_samr_sd_size, NULL);
+
+	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+			sam_dissect_SAM_SECURITY_DESCRIPTOR_data, NDR_POINTER_UNIQUE,
+			"SAM SECURITY DESCRIPTOR data:", -1);
+
+	proto_item_set_len(item, offset-old_offset);
+	return offset;
+}
+
+
 /* Dissect domain specific access rights */
 
 static gint hf_access_domain_lookup_info1 = -1;
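Review bot: In sam_dissect_SAM_SECURITY_DESCRIPTOR_data the `offset += len;` advance uses the packet-supplied conformant count as-is while the offset returned by dissect_nt_sec_desc is discarded, so a corrupt or hostile length moves offset past the end of the tvb (or wraps the int) before any accessor gets a chance to throw. Checking the length before it is consumed keeps the failure inside this dissector, e.g. `if (len > (guint32)tvb_reported_length_remaining(tvb, offset)) THROW(ReportedBoundsError);` ahead of the dissect_nt_sec_desc call. Separately, every SAM security descriptor's ACEs are decoded with samr_connect_access_mask_info, yet SamrQuerySecurityObject/SamrSetSecurityObject are also issued on domain, user, group and alias handles, so masks on those objects will presumably be labelled with connect-object rights; a comment such as `/* FIXME: mask layout depends on the object type behind the handle; connect rights assumed */` would make that limitation visible. Both new functions are non-static with no prototype in this hunk, and the blank line separating them is missing.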
@@ -473,8 +527,9 @@
 	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
 				       hf_samr_hnd, NULL, NULL, FALSE, FALSE);
 
-	offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
-			hf_samr_access, NULL);
+	offset = dissect_nt_access_mask(
+		tvb, offset, pinfo, tree, drep, hf_samr_access,
+		&samr_user_access_mask_info, NULL);
 
 	offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
 			hf_samr_rid, &rid);
@@ -3735,8 +3790,8 @@
 			pinfo->cinfo, COL_INFO, ", info type %d", info_type);
 
 	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
-		lsa_dissect_LSA_SECURITY_DESCRIPTOR, NDR_POINTER_REF,
-		"LSA_SECURITY_DESCRIPTOR pointer: ", -1);
+		sam_dissect_SAM_SECURITY_DESCRIPTOR, NDR_POINTER_REF,
+		"SAM_SECURITY_DESCRIPTOR pointer: ", -1);
 
 	return offset;
 }
@@ -3778,8 +3833,8 @@
 			guint8 *drep)
 {
 	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
-		lsa_dissect_LSA_SECURITY_DESCRIPTOR, NDR_POINTER_UNIQUE,
-		"LSA_SECURITY_DESCRIPTOR pointer: ", -1);
+		sam_dissect_SAM_SECURITY_DESCRIPTOR, NDR_POINTER_UNIQUE,
+		"SAM_SECURITY_DESCRIPTOR pointer: ", -1);
 
 	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
 				  hf_samr_rc, NULL);
@@ -5224,12 +5279,18 @@
 	{ &hf_access_connect_open_domain,
 	  { "Open domain", "samr_access_mask.connect_open_domain",
 	    FT_BOOLEAN, 32, TFS(&flags_set_truth),
-	    SAMR_ACCESS_OPEN_DOMAIN, "Open domain", HFILL }}
+	    SAMR_ACCESS_OPEN_DOMAIN, "Open domain", HFILL }},
+
+	{ &hf_samr_sd_size,
+		{ "Size", "sam.sd_size", FT_UINT32, BASE_DEC,
+		NULL, 0x0, "Size of SAM security descriptor", HFILL }}
+
 
         };
 
         static gint *ett[] = {
                 &ett_dcerpc_samr,
+		&ett_SAM_SECURITY_DESCRIPTOR,
 		&ett_samr_user_dispinfo_1,
                 &ett_samr_user_dispinfo_1_array,
                 &ett_samr_user_dispinfo_2,
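Review bot: The new field's filter name `sam.sd_size` does not follow the `samr` prefix used by the neighbouring registrations (the entry directly above is `samr_access_mask.connect_open_domain`), so it will not sort or complete alongside this dissector's other fields; presumably `"samr.sd_size"` is intended. The two stray blank lines between the closing `}}` and `};` can also be dropped.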