On Mon, Feb 1, 2016 at 1:41 PM, Heiko Hund <heiko.h...@sophos.com> wrote:
> On Monday 1 February 2016 11:34:47 Selva Nair wrote:
> > A more serious problem is related to the service requiring connections
> > from UI with impersonation allowed. Again, an unprivileged process
> > pretending to be the service could escalate privileges if an OpenVPNGUI
> > instance running as admin connects to it. This looks easy to exploit.
> >
> > Possible mitigation:
> > (i) The GUI should not connect to the interactive service if running with
> > elevated privileges
> > (ii) openvpn.exe should not honor the --msg-channel option if running with
> > elevated privileges
>
> Yeah. The point is not to run the GUI as admin anymore in the first place. So
> we could just do (ii) and be sure that this is circumvented.

As discussed in the IRC meeting, the critical issue was whether the GUI
(running as admin) connecting to a rogue named pipe server could allow
privilege escalation by that server process.

I did some tests on this. On Windows XP this is exploitable, i.e., with a
pipe server running as a limited user and the GUI started using runas admin.
However, on Windows 7 and 10 attempts at elevation failed, at least by the
approach I imagined. And based on what I hear, Vista and above appear to be
immune from this attack.

It may be better to make the GUI not connect to the service pipe if running
as admin.

Thanks,

Selva
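The following is an added example and is not code from OpenVPN, openvpn-gui or the thread participants. It shows, in PowerShell on Windows, the two client-side controls a practitioner would want for the scenario above: mitigation (i) from the thread (refuse to open the service pipe at all when elevated), plus a second guard the thread does not mention, namely passing an explicit SQOS impersonation level when opening the pipe so that whatever process sits on the server end gets no more than an identification-level token from ImpersonateNamedPipeClient(). The pipe name, the helper function names and the in-process "rogue server" are constructed for the demo. The demo only shows what the client hands over; it says nothing about whether a given Windows version then lets the server use that token, which is the part Selva tested.

```powershell
# Added example, not code from OpenVPN or openvpn-gui: a client-side guard for
# the named-pipe escalation discussed in the thread. The pipe name, the helper
# functions and the in-process "rogue server" are constructed for this demo.
# Requires Windows PowerShell 5.1 or PowerShell 7 running on Windows.

# Mitigation (i) from the thread: find out whether this process is elevated.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Open the service pipe, refusing when elevated, and pass an explicit SQOS
# impersonation level so the server end cannot obtain more than we allow.
function Connect-ServicePipe {
    param(
        [Parameter(Mandatory)][string]$PipeName,
        [Security.Principal.TokenImpersonationLevel]$Level =
            [Security.Principal.TokenImpersonationLevel]::Identification
    )
    if (Test-IsElevated) {
        throw "Refusing to connect to \\.\pipe\$PipeName while elevated: a rogue pipe server could impersonate this process."
    }
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None,
        $Level)
    $client.Connect(2000)   # timeout in milliseconds
    return $client
}

# What a rogue server learns by impersonating a connected client: the caller's
# name and, more importantly, the impersonation level of the token it gets.
function Invoke-RogueServer {
    param([Parameter(Mandatory)][System.IO.Pipes.NamedPipeServerStream]$Server)
    $seen = @{}
    $Server.ReadByte() | Out-Null   # impersonation needs data from the client first
    $worker = [System.IO.Pipes.PipeStreamImpersonationWorker]{
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()   # runs impersonated
        $seen['Caller'] = $id.Name
        $seen['Level']  = $id.ImpersonationLevel
    }
    $Server.RunAsClient($worker)   # ImpersonateNamedPipeClient() under the hood
    return $seen
}

# Demo: the same client code with two SQOS levels. Run it unelevated to watch
# the server's token drop from Impersonation to Identification; run it
# elevated to watch Connect-ServicePipe refuse outright.
$pipeName = 'demo_rogue_service_' + [guid]::NewGuid().ToString('N')   # constructed name
foreach ($level in 'Impersonation', 'Identification') {
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1)
    $pending = $server.WaitForConnectionAsync()
    try {
        $client = Connect-ServicePipe -PipeName $pipeName -Level $level
        $pending.Wait()
        $client.WriteByte(1); $client.Flush()
        $seen = Invoke-RogueServer -Server $server
        'client asked for {0,-14} -> server impersonates {1} at level {2}' -f $level, $seen['Caller'], $seen['Level']
        $client.Dispose()
    } catch {
        'client asked for {0,-14} -> {1}' -f $level, $_.Exception.Message
    } finally {
        $server.Dispose()
    }
}
```

The elevation check is the direct equivalent of mitigation (i); the SQOS level is the defence that still holds when that check is forgotten, because an identification-level token lets the server read who the caller is but not open objects as that caller. A client that only ever sends commands and reads replies, as the GUI does with the interactive service, has no reason to offer more than Identification.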