From patchwork Wed Jun 19 13:44:23 2024
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 3738
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 19 Jun 2024 16:44:23 +0300
Message-ID: <20240619134451.222-1-lev@openvpn.net>
Subject: [Openvpn-devel] [PATCH] interactive.c: Improve access control for gui<->service pipe
Cc: Lev Stipakov

At the moment everyone but anonymous is permitted to create a pipe with the same name as the one the interactive service creates, which makes it possible for a malicious process with SeImpersonatePrivilege to impersonate a local user.

This hardens the security of the pipe, making it possible only for processes running as SYSTEM (such as the interactive service) to create a pipe with the same name.

While at it, replace the EXPLICIT_ACCESS structures with an SDDL string.

CVE: 2024-4877
Change-Id: I35e783b79a332d247606e05a39e41b4d35d39b5d
Reported by: Zeze with TeamT5
Signed-off-by: Lev Stipakov
---
v2:
- ensure that sd is freed even if pipe creation failed
- added Reported-By

 src/openvpnserv/interactive.c | 81 +++++++++++++----------------------
 1 file changed, 29 insertions(+), 52 deletions(-)

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index d32223ce..6da8ee5d 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -2137,73 +2137,50 @@ ServiceCtrlInteractive(DWORD ctrl_code, DWORD event, LPVOID data, LPVOID ctx) static HANDLE CreateClientPipeInstance(VOID) { - TCHAR pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according to MSDN. */ - HANDLE pipe = NULL; - PACL old_dacl, new_dacl; - PSECURITY_DESCRIPTOR sd; - static EXPLICIT_ACCESS ea[2]; - static BOOL initialized = FALSE; - DWORD flags = PIPE_ACCESS_DUPLEX | WRITE_DAC | FILE_FLAG_OVERLAPPED; + /* + * allow all access for local system + * deny FILE_CREATE_PIPE_INSTANCE for everyone + * allow read/write for authenticated users + * deny all access to anonymous + */ + const TCHAR *sddlString = TEXT("D:(A;OICI;GA;;;S-1-5-18)(D;OICI;0x4;;;S-1-1-0)(A;OICI;GRGW;;;S-1-5-11)(D;;GA;;;S-1-5-7)"); - if (!initialized) + PSECURITY_DESCRIPTOR sd = NULL; + if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddlString, SDDL_REVISION_1, &sd, NULL)) { - PSID everyone, anonymous; - - ConvertStringSidToSid(TEXT("S-1-1-0"), &everyone); - ConvertStringSidToSid(TEXT("S-1-5-7"), &anonymous); + MsgToEventLog(M_SYSERR, TEXT("ConvertStringSecurityDescriptorToSecurityDescriptor failed.")); + return INVALID_HANDLE_VALUE; + } - ea[0].grfAccessPermissions = FILE_GENERIC_WRITE; - ea[0].grfAccessMode = GRANT_ACCESS; - ea[0].grfInheritance = NO_INHERITANCE; - ea[0].Trustee.pMultipleTrustee = NULL; - ea[0].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; - ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; - ea[0].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; - ea[0].Trustee.ptstrName = (LPTSTR) everyone; + /* Set up SECURITY_ATTRIBUTES */ + SECURITY_ATTRIBUTES sa = {0}; + sa.nLength = sizeof(SECURITY_ATTRIBUTES); + sa.lpSecurityDescriptor = sd; + sa.bInheritHandle = FALSE; - ea[1].grfAccessPermissions = 0; - ea[1].grfAccessMode = REVOKE_ACCESS; - ea[1].grfInheritance = NO_INHERITANCE; - ea[1].Trustee.pMultipleTrustee = NULL; - ea[1].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; - ea[1].Trustee.TrusteeForm = 
TRUSTEE_IS_SID; - ea[1].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; - ea[1].Trustee.ptstrName = (LPTSTR) anonymous; + DWORD flags = PIPE_ACCESS_DUPLEX | WRITE_DAC | FILE_FLAG_OVERLAPPED; + static BOOL first = TRUE; + if (first) + { flags |= FILE_FLAG_FIRST_PIPE_INSTANCE; - initialized = TRUE; + first = FALSE; } + TCHAR pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according to MSDN. */ openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service"), service_instance); - pipe = CreateNamedPipe(pipe_name, flags, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, - PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); + HANDLE pipe = CreateNamedPipe(pipe_name, flags, + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, + PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, &sa); + + LocalFree(sd); + if (pipe == INVALID_HANDLE_VALUE) { MsgToEventLog(M_SYSERR, TEXT("Could not create named pipe")); return INVALID_HANDLE_VALUE; } - if (GetSecurityInfo(pipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, - NULL, NULL, &old_dacl, NULL, &sd) != ERROR_SUCCESS) - { - MsgToEventLog(M_SYSERR, TEXT("Could not get pipe security info")); - return CloseHandleEx(&pipe); - } - - if (SetEntriesInAcl(2, ea, old_dacl, &new_dacl) != ERROR_SUCCESS) - { - MsgToEventLog(M_SYSERR, TEXT("Could not set entries in new acl")); - return CloseHandleEx(&pipe); - } - - if (SetSecurityInfo(pipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, - NULL, NULL, new_dacl, NULL) != ERROR_SUCCESS) - { - MsgToEventLog(M_SYSERR, TEXT("Could not set pipe security info")); - return CloseHandleEx(&pipe); - } - return pipe; }
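Review bot: the ACE order in sddlString is deliberately non-canonical (the SYSTEM allow `(A;OICI;GA;;;S-1-5-18)` comes before the Everyone deny `(D;OICI;0x4;;;S-1-1-0)`) and the comment block above it should say so: SYSTEM is itself a member of Everyone, so if someone later "fixes" the string into deny-before-allow order, or the descriptor is ever passed through an API that canonicalizes it, the service will be refused FILE_CREATE_PIPE_INSTANCE on every instance after the first and CreateNamedPipe will start failing. Suggest adding a line such as `* order matters: the SYSTEM allow must precede the Everyone deny, otherwise SYSTEM (a member of Everyone) is denied FILE_CREATE_PIPE_INSTANCE`. Two smaller points in the same hunk: `first = FALSE` is assigned before CreateNamedPipe is called, so if the very first creation fails and the caller retries, the retry runs without FILE_FLAG_FIRST_PIPE_INSTANCE; setting `first = FALSE` only after the `pipe == INVALID_HANDLE_VALUE` check keeps the first-instance guarantee for a retry. And the OICI inheritance flags on the first three ACEs have no meaning on a pipe object (it is not a container) and could be dropped so the string does not suggest inheritance is involved.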
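The following is an added example, not code from the patch or from the OpenVPN project. It parses the DACL string introduced in the hunk, applies the file-object generic mapping from winnt.h, and walks the ACEs the way AccessCheck does (simplified: no owner, privilege or SACL handling) for the four cases the commit message cares about, plus one more: the same ACEs in canonical deny-before-allow order, which shows why the order in the patch must be preserved. The user SID in USER_TOKEN is constructed for the example; the SYSTEM token's membership in Everyone and Authenticated Users is standard Windows behaviour.

```python
"""Decode the pipe DACL from the patch and simulate the Windows ACE walk.

Added example, not part of the OpenVPN patch. PIPE_SDDL is copied verbatim from
the hunk; the generic mapping and well-known SIDs are the winnt.h / sddl.h
values; access_check() is a simplified model of how AccessCheck walks a DACL.
"""
import re
from dataclasses import dataclass

# SDDL string from the patch, verbatim.
PIPE_SDDL = "D:(A;OICI;GA;;;S-1-5-18)(D;OICI;0x4;;;S-1-1-0)(A;OICI;GRGW;;;S-1-5-11)(D;;GA;;;S-1-5-7)"

# Generic rights (winnt.h) and the generic-to-specific mapping for file objects.
GENERIC_RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
FILE_GENERIC_MAPPING = {0x80000000: 0x120089,   # GENERIC_READ    -> FILE_GENERIC_READ
                        0x40000000: 0x120116,   # GENERIC_WRITE   -> FILE_GENERIC_WRITE
                        0x20000000: 0x1200A0,   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
                        0x10000000: 0x1F01FF}   # GENERIC_ALL     -> FILE_ALL_ACCESS
FILE_READ_DATA, FILE_WRITE_DATA, FILE_CREATE_PIPE_INSTANCE = 0x1, 0x2, 0x4

# Well-known SIDs used in the string (sddl.h aliases: SY, WD, AU, AN).
SYSTEM, EVERYONE, AUTHENTICATED, ANONYMOUS = "S-1-5-18", "S-1-1-0", "S-1-5-11", "S-1-5-7"


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" (access allowed) or "D" (access denied)
    flags: str      # e.g. "OICI"; ignored by the check, a pipe is not a container
    mask: int       # specific rights after generic mapping
    sid: str


def map_generic(mask: int) -> int:
    """Replace generic bits with the specific file rights they map to."""
    for generic, specific in FILE_GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_rights(text: str) -> int:
    """Rights field: either a hex mask or concatenated two-letter codes (GRGW)."""
    if text.startswith("0x"):
        return int(text, 16)
    return sum(GENERIC_RIGHTS[text[i:i + 2]] for i in range(0, len(text), 2))


def parse_dacl(sddl: str) -> list:
    """Parse the D: section. Only the ACE syntax used in the patch is supported."""
    body = sddl.split("D:", 1)[1]
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", body):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
        if ace_type not in ("A", "D"):
            raise ValueError(f"unsupported ACE type {ace_type!r}")
        aces.append(Ace(ace_type, flags, map_generic(parse_rights(rights)), sid))
    return aces


def access_check(aces, token_sids, desired: int) -> bool:
    """Walk ACEs in order: a matching deny on a still-ungranted right fails the
    check; the walk succeeds as soon as every requested right has been granted."""
    remaining = map_generic(desired)
    for ace in aces:
        if ace.sid not in token_sids:
            continue
        if ace.ace_type == "D" and ace.mask & remaining:
            return False
        if ace.ace_type == "A":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def canonical_order(aces):
    """Deny-before-allow order, as ACL editors and ACL-merging APIs produce."""
    return [a for a in aces if a.ace_type == "D"] + [a for a in aces if a.ace_type == "A"]


# Token group SIDs. SYSTEM and an interactive user both carry Everyone and
# Authenticated Users; the anonymous logon carries only its own SID.
SYSTEM_TOKEN = {SYSTEM, EVERYONE, AUTHENTICATED}
USER_TOKEN = {EVERYONE, AUTHENTICATED, "S-1-5-21-1111-2222-3333-1001"}  # constructed user SID
ANON_TOKEN = {ANONYMOUS}


def evaluate(sddl: str = PIPE_SDDL) -> dict:
    """Outcomes for the cases the commit message describes, plus the reordered DACL."""
    aces = parse_dacl(sddl)
    return {
        "system_creates_instance": access_check(aces, SYSTEM_TOKEN, FILE_CREATE_PIPE_INSTANCE),
        "user_creates_instance": access_check(aces, USER_TOKEN, FILE_CREATE_PIPE_INSTANCE),
        "user_reads_writes": access_check(aces, USER_TOKEN, FILE_READ_DATA | FILE_WRITE_DATA),
        "anonymous_reads": access_check(aces, ANON_TOKEN, FILE_READ_DATA),
        "system_after_canonical_reorder": access_check(
            canonical_order(aces), SYSTEM_TOKEN, FILE_CREATE_PIPE_INSTANCE),
    }


if __name__ == "__main__":
    for ace in parse_dacl(PIPE_SDDL):
        print(f"{ace.ace_type} {ace.sid:<10} mask=0x{ace.mask:08x} flags={ace.flags or '-'}")
    for name, ok in evaluate().items():
        print(f"{name:<32} {'ALLOWED' if ok else 'DENIED'}")
```

The last case is the one to keep in mind when touching this string: once the two deny ACEs are moved ahead of the allows, the Everyone deny of 0x4 hits SYSTEM before its own GA allow is reached, and the service can no longer create further instances of its own pipe.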