From patchwork Wed Jun 19 14:46:08 2024
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 3739
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 19 Jun 2024 17:46:08 +0300
Message-ID: <20240619144629.1718-2-lev@openvpn.net>
In-Reply-To: <20240619134451.222-1-lev@openvpn.net>
References: <20240619134451.222-1-lev@openvpn.net>
Subject: [Openvpn-devel] [PATCH v3] interactive.c: Improve access control for gui<->service pipe
Cc: Lev Stipakov

At the moment everyone but anonymous is permitted to create a pipe with the same name as the interactive service creates, which makes it possible for a malicious process with SeImpersonatePrivilege to impersonate a local user.

This hardens the security of the pipe, making it possible only for processes running as SYSTEM (such as the interactive service) to create a pipe with the same name.

While at it, replace the EXPLICIT_ACCESS structures with an SDDL string.

CVE: 2024-4877
Change-Id: I35e783b79a332d247606e05a39e41b4d35d39b5d
Reported by: Zeze with TeamT5
Signed-off-by: Lev Stipakov
Acked-by: Selva Nair
---
v3:
- rebase on top of master (replace openvpn_snprintf with snprintf)

v2:
- ensure that sd is freed even if pipe creation failed
- added Reported-By

 src/openvpnserv/interactive.c | 81 +++++++++++++----------------------
 1 file changed, 29 insertions(+), 52 deletions(-)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 294db00a..f06802de 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c 
@@ -2140,73 +2140,50 @@ ServiceCtrlInteractive(DWORD ctrl_code, DWORD event, LPVOID data, LPVOID ctx) static HANDLE CreateClientPipeInstance(VOID) { - TCHAR pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according to MSDN. */ - HANDLE pipe = NULL; - PACL old_dacl, new_dacl; - PSECURITY_DESCRIPTOR sd; - static EXPLICIT_ACCESS ea[2]; - static BOOL initialized = FALSE; - DWORD flags = PIPE_ACCESS_DUPLEX | WRITE_DAC | FILE_FLAG_OVERLAPPED; + /* + * allow all access for local system + * deny FILE_CREATE_PIPE_INSTANCE for everyone + * allow read/write for authenticated users + * deny all access to anonymous + */ + const TCHAR *sddlString = TEXT("D:(A;OICI;GA;;;S-1-5-18)(D;OICI;0x4;;;S-1-1-0)(A;OICI;GRGW;;;S-1-5-11)(D;;GA;;;S-1-5-7)"); - if (!initialized) + PSECURITY_DESCRIPTOR sd = NULL; + if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddlString, SDDL_REVISION_1, &sd, NULL)) { - PSID everyone, anonymous; - - ConvertStringSidToSid(TEXT("S-1-1-0"), &everyone); - ConvertStringSidToSid(TEXT("S-1-5-7"), &anonymous); + MsgToEventLog(M_SYSERR, TEXT("ConvertStringSecurityDescriptorToSecurityDescriptor failed.")); + return INVALID_HANDLE_VALUE; + } - ea[0].grfAccessPermissions = FILE_GENERIC_WRITE; - ea[0].grfAccessMode = GRANT_ACCESS; - ea[0].grfInheritance = NO_INHERITANCE; - ea[0].Trustee.pMultipleTrustee = NULL; - ea[0].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; - ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; - ea[0].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; - ea[0].Trustee.ptstrName = (LPTSTR) everyone; + /* Set up SECURITY_ATTRIBUTES */ + SECURITY_ATTRIBUTES sa = {0}; + sa.nLength = sizeof(SECURITY_ATTRIBUTES); + sa.lpSecurityDescriptor = sd; + sa.bInheritHandle = FALSE; - ea[1].grfAccessPermissions = 0; - ea[1].grfAccessMode = REVOKE_ACCESS; - ea[1].grfInheritance = NO_INHERITANCE; - ea[1].Trustee.pMultipleTrustee = NULL; - ea[1].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; - ea[1].Trustee.TrusteeForm = 
TRUSTEE_IS_SID; - ea[1].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; - ea[1].Trustee.ptstrName = (LPTSTR) anonymous; + DWORD flags = PIPE_ACCESS_DUPLEX | WRITE_DAC | FILE_FLAG_OVERLAPPED; + static BOOL first = TRUE; + if (first) + { flags |= FILE_FLAG_FIRST_PIPE_INSTANCE; - initialized = TRUE; + first = FALSE; } + TCHAR pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according to MSDN. */ swprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service"), service_instance); - pipe = CreateNamedPipe(pipe_name, flags, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, - PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); + HANDLE pipe = CreateNamedPipe(pipe_name, flags, + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, + PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, &sa); + + LocalFree(sd); + if (pipe == INVALID_HANDLE_VALUE) { MsgToEventLog(M_SYSERR, TEXT("Could not create named pipe")); return INVALID_HANDLE_VALUE; } - if (GetSecurityInfo(pipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, - NULL, NULL, &old_dacl, NULL, &sd) != ERROR_SUCCESS) - { - MsgToEventLog(M_SYSERR, TEXT("Could not get pipe security info")); - return CloseHandleEx(&pipe); - } - - if (SetEntriesInAcl(2, ea, old_dacl, &new_dacl) != ERROR_SUCCESS) - { - MsgToEventLog(M_SYSERR, TEXT("Could not set entries in new acl")); - return CloseHandleEx(&pipe); - } - - if (SetSecurityInfo(pipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, - NULL, NULL, new_dacl, NULL) != ERROR_SUCCESS) - { - MsgToEventLog(M_SYSERR, TEXT("Could not set pipe security info")); - return CloseHandleEx(&pipe); - } - return pipe; }
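Review bot: `first = FALSE` is cleared before CreateNamedPipe is known to have succeeded, so if the first instance fails (for example because another process already holds a pipe of that name and FILE_FLAG_FIRST_PIPE_INSTANCE correctly rejects the call), any later call into CreateClientPipeInstance drops the flag and can silently attach a further instance to the foreign pipe; consider moving `first = FALSE;` below the `pipe == INVALID_HANDLE_VALUE` check. The behaviour is inherited from the removed `initialized = TRUE`, but this rewrite is the natural place to fix it. The comment above `sddlString` should also say that the ACE order is deliberate and non-canonical: SYSTEM is a member of Everyone, so `(A;OICI;GA;;;S-1-5-18)` must come before `(D;OICI;0x4;;;S-1-1-0)` or the service itself would be denied FILE_CREATE_PIPE_INSTANCE, and anyone who "fixes" the string into deny-first canonical order would break pipe creation. The OICI inheritance flags are meaningless on a pipe, which has no children, and can be dropped.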
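The DACL the patch installs, traced through a small model of the Windows access check. This is an added example, written in Python rather than the service's C so that it runs anywhere, and it is not code from the patch or from OpenVPN. It parses the patch's SDDL string, walks it the way the kernel walks a DACL, and shows why the old grant of FILE_GENERIC_WRITE to Everyone let any local process create a pipe instance, what the new string permits for SYSTEM, an ordinary user and anonymous, and why the ACE order in the new string is load-bearing. The token memberships, the one-ACE stand-in for the old Everyone grant, and the simplified check algorithm are assumptions and are marked as such in the comments.

```python
"""
Added example, not part of the patch or of OpenVPN: a model of the Windows
DACL walk applied to the SDDL string from the patch.

Assumptions: rights and SID constants are the winnt.h values; the walk is the
simplified "remaining desired access" algorithm and ignores owner rights,
MAXIMUM_ALLOWED, privileges and the default DACL the old code started from;
token memberships are a constructed approximation.
"""
import re

# Access-mask constants (winnt.h values).
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_ALL = 0x10000000

FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_CREATE_PIPE_INSTANCE = 0x0004  # shares bit 0x4 with FILE_APPEND_DATA
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_WRITE = 0x120116       # contains 0x4, i.e. FILE_CREATE_PIPE_INSTANCE
FILE_ALL_ACCESS = 0x1F01FF

# GENERIC_MAPPING for file objects; the kernel applies it to named pipes.
GENERIC_MAPPING = {GENERIC_READ: FILE_GENERIC_READ,
                   GENERIC_WRITE: FILE_GENERIC_WRITE,
                   GENERIC_ALL: FILE_ALL_ACCESS}

SDDL_RIGHTS = {"GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE,
               "FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ, "FW": FILE_GENERIC_WRITE}
SDDL_SIDS = {"SY": "S-1-5-18", "WD": "S-1-1-0", "AU": "S-1-5-11", "AN": "S-1-5-7"}

# The exact string the patch installs.
PATCH_DACL = ("D:(A;OICI;GA;;;S-1-5-18)(D;OICI;0x4;;;S-1-1-0)"
              "(A;OICI;GRGW;;;S-1-5-11)(D;;GA;;;S-1-5-7)")
# Assumed stand-in for the removed code's ea[0]: FILE_GENERIC_WRITE granted to
# Everyone.  The default DACL it was merged into is not modelled.
OLD_EVERYONE_GRANT = "D:(A;;FW;;;S-1-1-0)"
# The same four ACEs in deny-before-allow "canonical" order.  NOT what the patch
# installs; included to show why the patch's order matters.
CANONICAL_ORDER = ("D:(D;OICI;0x4;;;S-1-1-0)(D;;GA;;;S-1-5-7)"
                   "(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)")

# Constructed tokens (the SIDs each caller carries).  SYSTEM and normal users
# are members of Everyone and Authenticated Users; anonymous is in neither by
# default on current Windows releases.
SYSTEM_TOKEN = {"S-1-5-18", "S-1-1-0", "S-1-5-11"}
USER_TOKEN = {"S-1-5-21-1000-2000-3000-1001", "S-1-1-0", "S-1-5-11"}  # made-up user SID
ANONYMOUS_TOKEN = {"S-1-5-7"}


def map_generic(mask):
    """Replace GENERIC_* bits with the file-specific rights they stand for."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_dacl(sddl):
    """Parse 'D:(type;flags;rights;;;sid)...' into (type, mask, sid) tuples.
    Inheritance flags and object GUIDs are ignored; they mean nothing on a pipe."""
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, _flags, rights, _obj, _inh_obj, sid = ace.split(";")
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for code in re.findall(r"..", rights):
                mask |= SDDL_RIGHTS[code]
        aces.append((ace_type, mask, SDDL_SIDS.get(sid, sid)))
    return aces


def access_check(aces, token_sids, desired):
    """Walk the DACL in order.  A matching deny ACE covering any still-wanted
    bit fails the check; matching allow ACEs clear bits until none remain.
    An earlier allow therefore pre-empts a later deny, which is why order matters."""
    remaining = map_generic(desired)
    for ace_type, mask, sid in aces:
        if sid not in token_sids:
            continue
        mask = map_generic(mask)
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


def can_create_instance(sddl, token_sids):
    """Could this caller squat a new instance under the service's pipe name?"""
    return access_check(parse_dacl(sddl), token_sids, FILE_CREATE_PIPE_INSTANCE)


def can_talk(sddl, token_sids):
    """Could this caller open the pipe for the read/write the GUI needs?"""
    return access_check(parse_dacl(sddl), token_sids, FILE_READ_DATA | FILE_WRITE_DATA)


if __name__ == "__main__":
    for name, dacl in (("old grant", OLD_EVERYONE_GRANT), ("patch", PATCH_DACL),
                       ("canonical", CANONICAL_ORDER)):
        print(name, "SYSTEM create:", can_create_instance(dacl, SYSTEM_TOKEN),
              "user create:", can_create_instance(dacl, USER_TOKEN),
              "user talk:", can_talk(dacl, USER_TOKEN),
              "anon talk:", can_talk(dacl, ANONYMOUS_TOKEN))
```

Two things the walk makes visible that the SDDL string alone does not: FILE_GENERIC_WRITE (SDDL `FW`) contains bit 0x4, so the old Everyone grant handed out FILE_CREATE_PIPE_INSTANCE as a side effect of "write access"; and in the reordered copy SYSTEM, being a member of Everyone, is denied instance creation by the Everyone deny ACE before its own allow is reached, which is exactly what would happen if someone rewrote the patch's string into canonical deny-first order.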