Re: [Openvpn-devel] ASLR/DEP -enabled 2.4.0 Windows installer available

2017-01-23 Thread Samuli Seppänen
On 21/01/2017 05:11, Selva Nair wrote:
> Hi,
> On Fri, Jan 20, 2017 at 11:42 AM, Selva Nair wrote:
>
> On Fri, Jan 20, 2017 at 9:43 AM, Samuli Seppänen <sam...@openvpn.net> wrote:
> Thanks for testing! I think we just have to merge the ASLR/DEP
> change in
> openvpn-build and see what happens.
>
>
> For ASLR we may have to add some option to get reloc information
> into the exe? As per discussion under GUI PR 123
> (https://github.com/OpenVPN/openvpn-gui/pull/123) mingw does not do
> this by default. There --export-all-symbols is used, which I think
> is a terrible hack.
>
> Checking aslr is enabled or not using process explorer may help --
> openssl dll has to be checked too.
>
>
> Checked this on win7. Process explorer shows ASLR flag is set on the
> executable. But ASLR is not really active. The GUI is loaded at the same
> address each time (as per vmmap from sysinternals). I see no address
> randomization.
>
> Recompiling by exporting at least one function fixes this so the linker
> is indeed not adding reloc section to the exe otherwise.
>
> The build option does make ASLR work for openssl dll so the only thing
> missing there was the flag in the header. Not so for the executables.
>
> We need to find some fix for this, else I fear this will be ASLR in name
> only.
>
> Selva

So we need a small code change in OpenVPN to get ASLR actually working, 
like in OpenVPN GUI?



In particular something like this:



Correct?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] ASLR/DEP -enabled 2.4.0 Windows installer available

2017-01-23 Thread Selva Nair
Hi,

On Mon, Jan 23, 2017 at 4:55 AM, Samuli Seppänen  wrote:

>
>> Checked this on win7. Process explorer shows ASLR flag is set on the
>> executable. But ASLR is not really active. The GUI is loaded at the same
>> address each time (as per vmmap from sysinternals). I see no address
>> randomization.
>>
>> Recompiling by exporting at least one function fixes this so the linker
>> is indeed not adding reloc section to the exe otherwise.
>>
>> The build option does make ASLR work for openssl dll so the only thing
>> missing there was the flag in the header. Not so for the executables.
>>
>> We need to find some fix for this, else I fear this will be ASLR in name
>> only.
>>
>> Selva
>>
>
> So we need a small code change in OpenVPN to get ASLR actually working,
> like in OpenVPN GUI?
>
> 
>
> In particular something like this:
>
>  2045016cb90d1e65d71c2407a2570927R72>
>
> Correct?


There are many suggestions online, including adding --export-all-symbols to
LDFLAGS, marking main() with dllexport, etc. I thought --export-all-symbols is
overkill and suggested to just export a dummy variable for the GUI.

I don't fully understand how ASLR is implemented on Windows but my tests
show code, stack, heap and PEB addresses are randomized if dynamicbase flag
is on and there is a .reloc section in the exec (ld appears to add this
only if something is exported). So I can only say this works, not sure it's
the best workaround.

I wrote a small program to see ASLR in action: it prints some
representative pointers to code, stack, heap etc. to see how they change
between runs. The program and test results are here:
<https://gist.github.com/selvanair/c8ffa0fe60710e05c0e38f7d0097468d>

Selva
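
The condition described in this thread (dynamicbase flag set in the header, yet no relocation data, so the executable loads at the same address on every run) can be checked statically on a build artifact. This is an added example, not part of the original messages or of OpenVPN's build scripts; the function names and the header-only sample image are constructed for illustration.

```python
import struct

RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
BASERELOC_DIR = 5          # IMAGE_DIRECTORY_ENTRY_BASERELOC


def aslr_status(image: bytes) -> dict:
    """Report the ASLR/DEP header flags and whether base relocations exist."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    characteristics = struct.unpack_from("<H", image, pe + 22)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", image, dirs - 4)[0]  # NumberOfRvaAndSizes
    reloc_size = 0
    if n_dirs > BASERELOC_DIR:
        reloc_size = struct.unpack_from("<II", image, dirs + 8 * BASERELOC_DIR)[1]
    # Relocation data must exist and must not be marked as stripped.
    has_relocs = reloc_size > 0 and not characteristics & RELOCS_STRIPPED
    flag = bool(dll_chars & DYNAMIC_BASE)
    return {"dynamicbase": flag, "nxcompat": bool(dll_chars & NX_COMPAT),
            "relocs": has_relocs, "aslr_effective": flag and has_relocs}


def sample_pe32(dll_chars: int, characteristics: int, reloc_size: int) -> bytes:
    """Constructed header-only PE32 image for the demo (not a real binary)."""
    img = bytearray(0x40 + 24 + 224)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 22, characteristics)
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<H", img, opt + 70, dll_chars)
    struct.pack_into("<I", img, opt + 92, 16)
    struct.pack_into("<II", img, opt + 96 + 8 * BASERELOC_DIR, 0x5000, reloc_size)
    return bytes(img)


if __name__ == "__main__":
    print(aslr_status(sample_pe32(DYNAMIC_BASE | NX_COMPAT, RELOCS_STRIPPED, 0)))
    print(aslr_status(sample_pe32(DYNAMIC_BASE | NX_COMPAT, 0, 0x200)))
```

Running `aslr_status(open(path, "rb").read())` over every installed .exe and .dll as a post-build step flags any binary where the header bit is present but relocation data is missing.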


Re: [Openvpn-devel] [PATCH v2] Fix user's group membership check in interactive service to work with domains

2017-01-23 Thread Selva Nair
Hi,

On Sat, Jan 14, 2017 at 4:16 PM,  wrote:

> From: Selva Nair 
>
> Currently the username unqualified by the domain is used to validate
> a user which fails for domain users. Instead authorize the user
>
> (i) if the built-in admin group or ovpn_admin group is in the process token
> (ii) else if the user's SID is in the built-in admin or ovpn_admin groups
>
> The second check is needed to recognize dynamic updates to group membership
> on the local machine that will not be reflected in the token.
>
> These checks do not require connection to a domain controller and will
> work even when user is logged in with cached credentials.
>
> Resolves Trac: #810
>
> v2: include the token check as described above


Bump :) This addresses a critical issue that I would like to see fixed in
2.4.1.

Thanks,

Selva