From patchwork Tue Mar 19 13:56:51 2024
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 3655
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Mar 2024 15:56:51 +0200
Message-ID: <20240319135701.1301-2-lev@openvpn.net>
X-Headers-End: 1rmZye-0000NW-9h Subject: [Openvpn-devel] [PATCH] interactive.c: disable remote access to the service pipe X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Lev Stipakov , Heiko Hund , Vladimir Tokarev Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1793963290531534254?= X-GMAIL-MSGID: =?utf-8?q?1793963290531534254?= Remote access to the service pipe is not needed and might be a potential attack vector. For example, if an attacker manages to get credentials for a user which is the member of "OpenVPN Administrators" group on a victim machine, an attacker might be able to communicate with the privileged interactive service on a victim machine and start openvpn processes remotely. Reported-by: Vladimir Tokarev Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277 Signed-off-by: Lev Stipakov Acked-by: Heiko Hund --- src/openvpnserv/interactive.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 24e3f341..6a977b68 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2175,7 +2175,7 @@ CreateClientPipeInstance(VOID) openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service"), service_instance); pipe = CreateNamedPipe(pipe_name, flags, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); if (pipe == INVALID_HANDLE_VALUE) {
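Review bot: The PIPE_REJECT_REMOTE_CLIENTS flag added to the pipe-mode argument of CreateNamedPipe() in CreateClientPipeInstance() carries no comment saying that the service pipe is local-only by design, so a later cleanup of the flag list could drop it without anyone noticing; a one-line comment above the call stating that remote clients are rejected on purpose would prevent that. Two further points on the same call. The flag is not supported on Windows releases before Vista / Server 2008, where the call would fail and take the `if (pipe == INVALID_HANDLE_VALUE)` path, so it is worth confirming that this matches the minimum Windows version the service targets. The last argument is still NULL, meaning the pipe is created with the default security descriptor at this point; the flag closes only the remote path described in the commit message, and who may connect locally is decided by whatever access control is applied outside this hunk.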