Do not use interactive service if running as admin

Commit 791aea49e6 cherry-picked from master. Commit message altered to make it more relevant for this version. Connecting to a named pipe server while running with admin rights is not secure in some windows versions. Even if interactive service is not installed, the GUI attempts to connect to the service pipe making it possible to exploit this. Windows XP is known to be vulnerable. See also http://nsylvain.blogspot.ca/2008/01/namedpipe-impersonation-attack.html Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago · d3ec653cf5
3 changed files with 31 additions and 2 deletions
--- a/misc.c
+++ b/misc.c
@ -190,3 +190,29 @@ ForceForegroundWindow(HWND hWnd)

    return ret;
 }
+
+/*
+ * Check user has admin rights
+ * Taken from https://msdn.microsoft.com/en-us/library/windows/desktop/aa376389(v=vs.85).aspx
+ * Returns true if the calling process token has the local Administrators group enabled
+ * in its SID.  Assumes the caller is not impersonating and has access to open its own 
+ * process token.
+ */
+BOOL IsUserAdmin(VOID)
+{
+    BOOL b;
+    SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
+    PSID AdministratorsGroup;
+
+    b = AllocateAndInitializeSid (&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
+                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
+                                  &AdministratorsGroup);
+    if(b)
+    {
+        if (!CheckTokenMembership(NULL, AdministratorsGroup, &b))
+            b = FALSE;
+        FreeSid(AdministratorsGroup);
+    }
+
+    return(b);
+}
--- a/misc.h
+++ b/misc.h
@ -30,4 +30,6 @@ BOOL streq(LPCSTR, LPCSTR);
 BOOL wcsbegins(LPCWSTR, LPCWSTR);

 BOOL ForceForegroundWindow(HWND);
+
+BOOL IsUserAdmin(VOID);
 #endif
--- a/openvpn.c
+++ b/openvpn.c
@ -692,10 +692,11 @@ StartOpenVPN(connection_t *c)
        (o.proxy_source != config ? _T("--management-query-proxy ") : _T("")));

    /* Try to open the service pipe */
-    service = CreateFile(_T("\\\\.\\pipe\\openvpn\\service"),
+    if (!IsUserAdmin())
+      service = CreateFile(_T("\\\\.\\pipe\\openvpn\\service"),
                GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);

-    if (service != INVALID_HANDLE_VALUE)
+    if (service && service != INVALID_HANDLE_VALUE)
    {
        DWORD size = _tcslen(c->config_dir) + _tcslen(options) + sizeof(c->manage.password) + 3;
        TCHAR startup_info[1024];