On Tue, Jun 13, 2017 at 4:30 PM, Илья Шипицин <chipits...@gmail.com> wrote:

> 2017-06-14 1:05 GMT+05:00 Selva Nair <selva.n...@gmail.com>:
>
>>
>> On Tue, Jun 13, 2017 at 3:54 PM, Arne Schwabe <a...@rfc2549.org> wrote:
>>
>>> >
>>> >
>>> > if user is administrator, interactive service is not used.
>>> > well, I did miss that about interactive service.
>>> >
>>>
>>> I wonder if we should always use the interactive service if available and
>>> add (dont-use-interactive) option, so behaviour is always the same.
>>
>>
>> This was done for security -- some Windows versions have broken handling
>> of passing credentials through named pipe which could be used for privilege
>> escalation. I have seen this exploit work only on Windows XP[*], but to be
>> cautious we opted not to allow openvpn running as admin to connect to the
>> service pipe.
>>
>> But anyway, in this case it's the service that's doing the wrong thing.
>>
>
> well, I'm lost here.
>
> sounds like "we do not use interactive service if user is already an
> administrator ... due to possible privilege escalation", right ? escalation
> to "system" ?
>

No, just escalation from user to admin. Think of a system where iservice is
not running. A user could start a rogue process in the background that
listens on the service pipe. This is easily done as the service pipe
uses a fixed name and no authentication is needed to connect to it. Then an
admin who starts the GUI will connect to the pipe and let the rogue program
gain admin rights. It takes only a few lines of code to exploit this on XP
-- I have not been able to exploit this on Vista but am not 100% sure it has
been fixed for good on Vista+.

For more details see, for example,
https://labs.portcullis.co.uk/blog/windows-named-pipes-there-and-back-again/

Selva
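
A client-side check against the pipe-squatting scenario described in the message above, as an added example that is not part of the original thread and not OpenVPN's code. It opens the pipe at Identification impersonation level and refuses to use it unless the process serving the pipe is the expected Windows service; the pipe name and service name are placeholders.

```powershell
# Added example. $PipeName and $ServiceName are placeholders, not OpenVPN's real names.
param(
    [string]$PipeName    = 'example\service',
    [string]$ServiceName = 'ExampleInteractiveService'
)

# P/Invoke for the Win32 call that reports which process created the pipe (Vista+).
Add-Type -Namespace PipeCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeServerProcessId(IntPtr pipe, out uint serverProcessId);
'@

# Identification level: the server can query who the client is, but an
# impersonation token obtained from this connection cannot be used to act as it.
$client = [System.IO.Pipes.NamedPipeClientStream]::new(
    '.', $PipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    [System.IO.Pipes.PipeOptions]::None,
    [System.Security.Principal.TokenImpersonationLevel]::Identification)

try {
    $client.Connect(2000)   # milliseconds; throws if nothing is listening

    # Ask the kernel which process owns the server end of this pipe instance.
    $serverPid = [uint32]0
    $handle = $client.SafePipeHandle.DangerousGetHandle()
    if (-not [PipeCheck.Native]::GetNamedPipeServerProcessId($handle, [ref]$serverPid)) {
        throw 'GetNamedPipeServerProcessId failed; cannot identify the pipe server.'
    }

    # Compare with the PID the service control manager reports for the service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or $svc.State -ne 'Running') {
        throw "Service '$ServiceName' is not running, yet PID $serverPid is listening on the pipe."
    }
    if ($svc.ProcessId -ne $serverPid) {
        throw "Pipe server PID $serverPid does not match service PID $($svc.ProcessId); refusing to use the pipe."
    }

    Write-Output "Pipe '$PipeName' is served by '$ServiceName' (PID $serverPid)."
    # ... only now exchange data with the service over $client ...
}
finally {
    $client.Dispose()
}
```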
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel