On Wed, Jul 17, 2019 at 8:20 AM Lev Stipakov <lstipa...@gmail.com> wrote:

> Hi,
> Sorry for delay - I was on vacation.
> (i) The new message is named message_open_tun, but it allows opening
>> any file using the service. This is not secure.
> I am thinking of possible vector of attack here.
> In our case it is service which launches openvpn process using
> path set in registry, opens pipe and passes pipe handle to launched
> process.
> To make service run malicious process one needs either to replace
> executable or
> modify registry. For both actions you need to be administrator, assuming
> default security policy.
> Alternatively, can random process hijack the pipe handle from another
> process?

Because the pipe handle is targeted for OpenVPN process id and not
inheritable that may not be possible. But an attack is very simple:

Just write a plugin and use the service to open files from it. Passing the
pipe handle to the plugin is trivial. Anyone in OpenVPNAdministrators group
can then use a custom config file and get access any file on the system.
Membership in that group is not supposed to provide any privileges to
limited users beyond setting up routes or manipulating some interface

>> We need to restrict it to open tun/tap device nodes only.
> Without adding too much code, I can think of:
>  - check that path starts with \\\\.\\Global\\ to make sure we open
> device, not file
> and
>  - check that path starts with \\\\.\\Global\\WINTUN or ends with .tap
> Is this good enough or do you have better ideas?

That'll probably work with some extra sanity checks on the file name.
Ideally we should just pass the dev-node (empty if unspecified) and type of
device (TAP6 or WINTUN), but that will require a lot of  duplication of
code in the service, as you noted.

One option is to pass the device guid in case of tap or the index in case
of wintun and construct the path in the service. That requires very little
extra code. Otherwise a thorough sanitization of the path is required as
there could be obscure ways of breaking out using "..\" or otherwise,
though I'm not sure. Things like \\.\C:\..\D:\ works on Windows so I won't
take any chances.


PS. Just noticed you've already posted a v4 -- I haven't looked at it yet.
Openvpn-devel mailing list

Reply via email to