On Tuesday 31 July 2012 14:14:10 David Sommerseth wrote:
> - From another point of view, an evil plug-in would have to know/figure
> out the address to x_msg() ... so that would require a bit more work,
> at least to work against different distro/compiler/linker
> combinations, as it's not given the address will be the same.
> However, it's not necessarily hard to figure it out, but requires more
> work.  And an evil plug-in would anyway need to first be installed
> somehow too.  So I consider this attack vector less attractive.

All the symbols are exported to plugins, so it's just a matter of adding the 
function prototype and flag values, if you do care at all.

> And, AFAIK, you can't use dlsym() without a handle to a shared lib
> opened with dlopen().  And I don't think you can export the log
> function in the openvpn-plugin.h file as an external function, as the
> plug-in would fail to link (I would expect the linker wouldn't find
> the required symbol) ... which then brings us back to the point where
> you need to send a pointer to the log function to the plug-in ...
> That's basically how I came to this conclusion.

The dynamic linker resolves undefined symbols in the plugin automagically, so 
there's no need to get the address by hand. Haven't tested on Windows, but the 
symbols are there as well.

We could limit the exported functions by hand, but then plugins should not be 
considered evil. We kind of had the discussion during the interactive service 
privilege escalation discussion a while ago. If you let someone into your 
home, you better make sure you trust him anyway. =)

Heiko
-- 
Heiko Hund | Sr. Software Engineer | Tel +49-721-25516-237 | Fax -200
SOPHOS NSG | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany

