Attention is currently required from: flichtenheld, plaisthos.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1333?usp=email
to look at the new patch set (#2).
Change subject: openvpnserv: validate openvpn-gui process path
......................................................................
openvpnserv: validate openvpn-gui process path
Ensure that the service pipe client process (which is openvpn-gui)
is started from the OpenVPN binary directory defined in the registry.
This limits unauthorized connections to the service pipe.
Reported-by: Abdul Mhanni <[email protected]>
Change-Id: Ie990f4dd10094810d6632f8dedfa261727ebfbcb
Signed-off-by: Lev Stipakov <[email protected]>
---
M src/openvpnserv/interactive.c
M src/openvpnserv/validate.c
M src/openvpnserv/validate.h
3 files changed, 55 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/33/1333/2
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index ce0d4dd..f4b3311 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -3275,6 +3275,12 @@
ZeroMemory(&undo_lists, sizeof(undo_lists));
ZeroMemory(&proc_info, sizeof(proc_info));
+ if (!ValidateServicePipeClient(pipe, &settings))
+ {
+ ReturnError(pipe, ERROR_ACCESS_DENIED, L"ValidateServicePipeClient",
1, &exit_event);
+ goto out;
+ }
+
if (!GetStartupData(pipe, &sud))
{
goto out;
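Review bot: The new `ValidateServicePipeClient(pipe, &settings)` call is correctly placed ahead of `GetStartupData`, but nothing in the code says that this ordering is a security requirement. A short comment above the check, for example `/* reject the client before reading anything it sent on the pipe */`, would stop a later refactor from moving the validation below the first read. The enclosing function begins and ends outside this hunk, so the cleanup done at `out:` could not be checked from here.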
diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 2187fb5..c5688d2 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -342,3 +342,48 @@
return TRUE;
}
+
+BOOL
+ValidateServicePipeClient(HANDLE pipe, const settings_t *s)
+{
+ ULONG clientPID = 0;
+ if (!GetNamedPipeClientProcessId(pipe, &clientPID))
+ {
+ MsgToEventLog(M_SYSERR, L"GetNamedPipeClientProcessId() failed");
+ return FALSE;
+ }
+
+ HANDLE hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE,
clientPID);
+ if (hProc == NULL)
+ {
+ MsgToEventLog(M_SYSERR, L"OpenProcess() failed");
+ return FALSE;
+ }
+
+ wchar_t path[MAX_PATH] = { 0 };
+ DWORD size = _countof(path);
+ BOOL res = FALSE;
+ if (QueryFullProcessImageNameW(hProc, 0, path, &size))
+ {
+ WCHAR bin_dir[MAX_PATH];
+
+ /* canonicalize bin_dir and add trailing slash before comparison */
+ HRESULT hr = PathCchCanonicalizeEx(bin_dir, _countof(bin_dir),
s->bin_dir,
+ PATHCCH_ENSURE_TRAILING_SLASH);
+ if ((hr == S_OK) && wcsncmp(bin_dir, path, wcslen(bin_dir)) == 0)
+ {
+ res = TRUE;
+ }
+ else
+ {
+ MsgToEventLog(M_ERR, L"Reject client from untrusted path %ls",
path);
+ }
+ }
+ else
+ {
+ MsgToEventLog(M_SYSERR, L"QueryFullProcessImageNameW() failed");
+ }
+ CloseHandle(hProc);
+
+ return res;
+}
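Review bot: The prefix test in `ValidateServicePipeClient` uses `wcsncmp`, which is case-sensitive although Windows paths are not, so a GUI started from the correct directory is rejected whenever the registry value and the name returned by `QueryFullProcessImageNameW` differ only in letter case. A case-insensitive compare such as `_wcsnicmp(bin_dir, path, wcslen(bin_dir)) == 0` keeps the check fail-closed without that false rejection. The same `else` branch is also taken when `hr != S_OK`, so a canonicalization failure is logged as "Reject client from untrusted path"; logging `hr` in its own branch would make event-log triage unambiguous. The check is only as strong as the write permissions on `bin_dir`, and it identifies the client by image path at connect time, so a comment above the function should say it is hardening on top of whatever access control the pipe already has. The hunk does not show an `#include <pathcch.h>` or a Pathcch link dependency being added; if neither is already present elsewhere, the build needs both.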
diff --git a/src/openvpnserv/validate.h b/src/openvpnserv/validate.h
index 6f3bf09..495902d 100644
--- a/src/openvpnserv/validate.h
+++ b/src/openvpnserv/validate.h
@@ -49,4 +49,8 @@
return (wcsncmp(o, L"--", 2) == 0);
}
+/* Ensures that the service pipe client (openvpn-gui process)
+ * is from OpenVPN binary directory */
+BOOL ValidateServicePipeClient(HANDLE pipe, const settings_t *s);
+
#endif /* ifndef VALIDATE_H */
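Review bot: The comment on the `ValidateServicePipeClient` declaration says the client is the openvpn-gui process, but the implementation in validate.c accepts any image whose path starts with the canonicalized `bin_dir`. The comment should describe what is actually enforced and the return contract, for example `/* Returns TRUE if the pipe client's image path lies under s->bin_dir; logs to the event log and returns FALSE otherwise */`, so callers do not assume a stricter check on the executable name than the one performed.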
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1333?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie990f4dd10094810d6632f8dedfa261727ebfbcb
Gerrit-Change-Number: 1333
Gerrit-PatchSet: 2
Gerrit-Owner: stipa <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>