| Message ID | 20240319135701.1301-2-lev@openvpn.net |
|---|---|
| State | Superseded |
| Headers | show
From: Lev Stipakov <lstipakov@gmail.com>
X-Google-Original-From: Lev Stipakov <lev@openvpn.net>
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Mar 2024 15:56:51 +0200
Message-ID: <20240319135701.1301-2-lev@openvpn.net>
Content preview: Remote access to the service pipe is not needed and might
be a potential attack vector. For example,
if an attacker manages to get credentials
for a user which is the member of "OpenVPN Administrators" group on a victim
machine, an attacker might be able to communicate with the privilege [...]
Subject: [Openvpn-devel] [PATCH] interactive.c: disable remote access to the
service pipe
Cc: Lev Stipakov <lev@openvpn.net>, Heiko Hund <heiko@openvpn.net>,
Vladimir Tokarev <vtokarev@microsoft.com>
|
| Series |
[Openvpn-devel] interactive.c: disable remote access to the service pipe
|
|
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 24e3f341..6a977b68 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2175,7 +2175,7 @@ CreateClientPipeInstance(VOID) openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service"), service_instance); pipe = CreateNamedPipe(pipe_name, flags, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); if (pipe == INVALID_HANDLE_VALUE) {
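Review bot: the PIPE_REJECT_REMOTE_CLIENTS flag added to the pipe-mode argument of CreateNamedPipe in CreateClientPipeInstance carries no comment, so the reason for it lives only in the commit message. A one-line comment above the call stating that the service pipe is meant for local clients only would keep a later cleanup from dropping the flag. The flag is not supported on Windows XP or Server 2003, where the call would fail and take the existing `if (pipe == INVALID_HANDLE_VALUE)` path, so it is worth confirming that the minimum supported Windows version is Vista or later. The flag only refuses remote connections: the call still passes NULL as its last argument, so nothing in this hunk shows which local accounts may connect, and if the pipe's ACL is applied elsewhere the comment could point to it.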