Hi Fabian,

On Friday 09 March 2012 16:34:19 Fabian Knittel wrote:
> Does your approach prevent the user from injecting code into the OpenVPN
> process? Or does it only prevent the user from directly accessing the
> pipe? (IIUC you would need the integrity level approach to prevent the
> former so I assume you're describing how the pipe handle will be
> protected instead.)

It tries to prevent both. While protecting the elevation pipe to the service from arbitrary use is the actual goal, it can only be achieved by also protecting the process from modification. In Windows you can clone handles (i.e. the pipe handle) from another process into your process if you have sufficient rights. As Carsten pointed out, one could also inject code into the openvpn.exe process and use the pipe in-process in an unintended way. I'm currently uncertain if it's possible to duplicate the pipe handle if access to the process itself is limited down to a minimum. I guess it is.

The integrity level thing is actually just a more convenient/automatic way to limit access to processes. Instead of limiting access manually through ACLs, Windows will take care that a process with lower integrity level has limited access to one with a higher level by taking away rights of the calling process on a call by call basis during runtime.

Regards
Heiko

--
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro a Sophos Company | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRA 702710 | Headquarter Location: Karlsruhe
Represented by the General Partner Astaro Verwaltungs GmbH
Amalienbadstraße 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRB 708248 | Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
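
The two ways of limiting access to the openvpn.exe process described in the message above (a manually restricted ACL versus a higher integrity level), as an added example that is not part of the original mail or of OpenVPN's code. It is a simplified model of the access check, not the Windows implementation: the access-mask values are the real Win32 constants, while the set of rights stripped for a lower-integrity caller, the user SID and the two DACLs are assumptions constructed for illustration.

```python
# Added example: simplified model of a Windows process access check.
# Access-mask values are the real Win32 constants; the check itself is a toy.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
SYNCHRONIZE = 0x00100000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Rights the two misuse paths from the mail need on the openvpn.exe process.
DUP_RIGHTS = PROCESS_DUP_HANDLE  # clone the pipe handle out of the process
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Model assumption: rights stripped from a caller with a lower integrity level.
STRIPPED_FOR_LOWER_IL = INJECT_RIGHTS | DUP_RIGHTS | PROCESS_VM_READ

INTEGRITY = {"low": 0x1000, "medium": 0x2000, "high": 0x3000, "system": 0x4000}

def granted(dacl, caller_sids, caller_il, target_il, desired):
    """Return the subset of `desired` that the caller would be granted."""
    allowed = denied = 0
    for ace_type, sid, mask in dacl:  # ACEs are evaluated in order
        if sid not in caller_sids:
            continue
        if ace_type == "deny":
            denied |= mask & ~allowed
        else:
            allowed |= mask & ~denied
    if INTEGRITY[caller_il] < INTEGRITY[target_il]:
        allowed &= ~STRIPPED_FOR_LOWER_IL  # automatic, no ACL edit needed
    return desired & allowed

def misuse_paths(dacl, caller_sids, caller_il, target_il):
    """Report whether handle cloning or code injection would be possible."""
    got = granted(dacl, caller_sids, caller_il, target_il, PROCESS_ALL_ACCESS)
    return {"dup_handle": (got & DUP_RIGHTS) == DUP_RIGHTS,
            "inject": (got & INJECT_RIGHTS) == INJECT_RIGHTS}

USER, SYSTEM = "S-1-5-21-constructed-1001", "S-1-5-18"  # USER SID is constructed
DEFAULT_DACL = [("allow", USER, PROCESS_ALL_ACCESS), ("allow", SYSTEM, PROCESS_ALL_ACCESS)]
MANUAL_DACL = [("allow", USER, PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE),
               ("allow", SYSTEM, PROCESS_ALL_ACCESS)]

if __name__ == "__main__":
    print("default ACL, same IL  :", misuse_paths(DEFAULT_DACL, {USER}, "medium", "medium"))
    print("manual ACL, same IL   :", misuse_paths(MANUAL_DACL, {USER}, "medium", "medium"))
    print("default ACL, higher IL:", misuse_paths(DEFAULT_DACL, {USER}, "medium", "high"))
```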