2017-06-14 1:51 GMT+05:00 Selva Nair <selva.n...@gmail.com>:

>
> On Tue, Jun 13, 2017 at 4:30 PM, Илья Шипицин <chipits...@gmail.com>
> wrote:
>
>> 2017-06-14 1:05 GMT+05:00 Selva Nair <selva.n...@gmail.com>:
>>
>>>
>>> On Tue, Jun 13, 2017 at 3:54 PM, Arne Schwabe <a...@rfc2549.org> wrote:
>>>
>>>> >
>>>> >
>>>> > if user is administrator, interactive service is not used.
>>>> > well, I did miss that about interactive service.
>>>> >
>>>>
>>>> I wonder if we should always use the interactive service if available and
>>>> add (dont-use-interactive) option, so behaviour is always the same.
>>>
>>>
>>> This was done for security -- some Windows versions have broken handling
>>> of passing credentials through named pipe which could be used for privilege
>>> escalation. I have seen this exploit work only on Windows XP[*], but to be
>>> cautious we opted not to allow openvpn running as admin to connect to the
>>> service pipe.
>>>
>>> But anyway, in this case it's the service that's doing the wrong thing.
>>>
>>
>> well, I'm lost here.
>>
>> sounds like "we do not use interactive service if user is already an
>> administrator ... due to possible privilege escalation", right ? escalation
>> to "system" ?
>>
>
> No, just escalation from user to admin. Think of a system where iservice
> is not running. A user could start a rogue process in the background that
> listens on the service pipe. This is easily done as the service pipe
> uses a fixed name and no authentication is needed to connect to it. Then an
> admin who starts the GUI will connect to the pipe and let the rogue program
> gain admin rights. It takes only a few lines of code to exploit this on XP
> -- I have not been able to exploit this on Vista but not 100% sure it has
> been fixed for good on Vista+.
>


I think it is worth being added as a comment (or even as a unit test) to
openvpn-gui


>
> For more details see, for example,
> https://labs.portcullis.co.uk/blog/windows-named-pipes-there-and-back-again/
>
> Selva
>