From patchwork Thu Sep 18 17:34:40 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4425
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 18 Sep 2025 19:34:40 +0200
Message-ID: <20250918173447.32466-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v1] Validate DNS domain name before powershell invocation

From: Lev Stipakov

Starting from commit d383d6e ("win: replace wmic invocation with powershell") we pass --dhcp-option DOMAIN value to a powershell command to set DNS domain. Without validation this opens the door to a command injection attack.

This only allows domain names with characters:

  [A-Za-z0-9.-_\x80-\0xff]

Change-Id: I7a57d7b4e84aa2b9c9e71e30520ed468b0e3c278
Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1198
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to release/2.6.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1198
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/domain_helper.h b/src/openvpn/domain_helper.h new file mode 100644 index 0000000..f1ecf86 --- /dev/null +++ b/src/openvpn/domain_helper.h
@@ -0,0 +1,45 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2025 Lev Stipakov + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +static inline bool +is_allowed_domain_ascii(unsigned char c) +{ + return (c >= 'A' && c <= 'Z') + || (c >= 'a' && c <= 'z') + || (c >= '0' && c <= '9') + || c == '.' || c == '-' || c == '_' || c >= 0x80; +} + +static inline bool +validate_domain(const char *domain) +{ + for (const char *ch = domain; *ch; ++ch) + { + if (!is_allowed_domain_ascii((unsigned char)*ch)) + { + return false; + } + } + + return true; +} diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 99dc490..2784941 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -46,6 +46,7 @@ #include "win32.h" #include "block_dns.h" #include "networking.h" +#include "domain_helper.h" #include "memdbg.h" 
@@ -390,6 +391,12 @@ return; } + if (add && !validate_domain(tt->options.domain)) + { + msg(M_WARN, "Failed to set DNS domain '%s' because it contains invalid characters", tt->options.domain); + return; + } + struct argv argv = argv_new(); argv_printf(&argv, "%s%s -NoProfile -NonInteractive -Command Set-DnsClient -InterfaceIndex %lu -ConnectionSpecificSuffix '%s'", diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index ca58596..c12d34f 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -40,6 +40,7 @@ #include "validate.h" #include "block_dns.h" #include "ring_buffer.h" +#include "domain_helper.h" #define IO_TIMEOUT 2000 /*ms*/ @@ -1216,6 +1217,12 @@ { NET_IFINDEX if_index; + if (!validate_domain(domain)) + { + MsgToEventLog(MSG_FLAGS_ERROR, TEXT("Failed to set DNS domain '%hs' because it contains invalid characters"), domain); + return ERROR_INVALID_DATA; + } + DWORD err = ConvertInterfaceNameToIndex(if_name, &if_index); if (err != ERROR_SUCCESS) {
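
Review bot: in src/openvpn/domain_helper.h, the `c >= 0x80` clause of is_allowed_domain_ascii() accepts every high byte, so the allow-list does not constrain non-ASCII input at all: the bytes are not checked for well-formed UTF-8, and what they decode to inside the single-quoted PowerShell argument is left to the shell. Restricting the set to ASCII letters, digits, '.', '-' and '_' and expecting internationalised names in punycode form would make the guarantee independent of that; if high bytes must stay, the function name should drop "ascii" and a comment should say why they are safe. The header also uses `bool` without including <stdbool.h> and has no include guard, so it depends on include order and breaks on double inclusion.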
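
Review bot: in the src/openvpn/tun.c hunk at @@ -390,6 +391,12 @@, the check is gated on `add`, so the removal path reaches the argv_printf() below it without validation; if `tt->options.domain` is still what fills the '%s' in `-ConnectionSpecificSuffix '%s'` when `add` is false, it needs the same check, and otherwise a short comment saying what is passed on removal would make that obvious. The M_WARN message also prints the rejected string verbatim, and a value that has just failed the character check is the one most likely to contain quotes or control characters, so consider logging a sanitised form or only the fact of rejection.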
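
Review bot: in the src/openvpnserv/interactive.c hunk at @@ -1216,6 +1217,12 @@, validate_domain(domain) runs as the first statement and the helper dereferences its argument unconditionally, so a NULL `domain` would crash the service here; either make validate_domain() return a defined result for NULL or guard the call. The rejected value is also written verbatim to the event log through '%hs'; since it has just failed the character check, logging only the rejection or a sanitised form is safer.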