From d3ec653cf5930298b52569fd0de0f2bdfd84b380 Mon Sep 17 00:00:00 2001
From: Selva Nair
Date: Thu, 4 Feb 2016 23:19:59 -0500
Subject: [PATCH] Do not use interactive service if running as admin

Commit 791aea49e6cdab83c5ac9ca203104859a57f4260 cherry-picked from master.
Commit message altered to make it more relevant for this version.

Connecting to a named pipe server while running with admin rights is not secure
in some windows versions. Even if interactive service is not installed, the GUI
attempts to connect to the service pipe making it possible to exploit this.
Windows XP is known to be vulnerable.

See also http://nsylvain.blogspot.ca/2008/01/namedpipe-impersonation-attack.html

Signed-off-by: Selva Nair
---
 misc.c    | 26 ++++++++++++++++++++++++++
 misc.h    |  2 ++
 openvpn.c |  5 +++--
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/misc.c b/misc.c
index e21dd93..06ff1d4 100644
--- a/misc.c
+++ b/misc.c
@@ -190,3 +190,29 @@ ForceForegroundWindow(HWND hWnd)
 
     return ret;
 }
+
+/*
+ * Check user has admin rights
+ * Taken from https://msdn.microsoft.com/en-us/library/windows/desktop/aa376389(v=vs.85).aspx
+ * Returns true if the calling process token has the local Administrators group enabled
+ * in its SID. Assumes the caller is not impersonating and has access to open its own
+ * process token.
+ */
+BOOL IsUserAdmin(VOID)
+{
+    BOOL b;
+    SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
+    PSID AdministratorsGroup;
+
+    b = AllocateAndInitializeSid (&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
+                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
+                                  &AdministratorsGroup);
+    if(b)
+    {
+        if (!CheckTokenMembership(NULL, AdministratorsGroup, &b))
+            b = FALSE;
+        FreeSid(AdministratorsGroup);
+    }
+
+    return(b);
+}
diff --git a/misc.h b/misc.h
index 615ba73..8792755 100644
--- a/misc.h
+++ b/misc.h
@@ -30,4 +30,6 @@ BOOL streq(LPCSTR, LPCSTR);
 BOOL wcsbegins(LPCWSTR, LPCWSTR);
 BOOL ForceForegroundWindow(HWND);
 
+
+BOOL IsUserAdmin(VOID);
 #endif
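Review bot: IsUserAdmin() fails open: when AllocateAndInitializeSid() fails, or CheckTokenMembership() fails and `b` is forced to FALSE, the caller in openvpn.c reads that as "not an administrator" and goes on to open the service pipe, which is exactly the path this patch exists to avoid. Because the result gates a security decision, an API failure should not be indistinguishable from "not admin"; either make the gate fail closed, e.g. `if (!CheckTokenMembership(NULL, AdministratorsGroup, &b)) b = TRUE;` with the same treatment of the AllocateAndInitializeSid() failure, or state the choice in the header comment (`* On any API failure this returns FALSE, so callers treat the user as non-admin.`). The header comment's "group enabled in its SID" should read "Administrators SID present and enabled in the token's group list", and it is worth noting that under UAC a filtered, non-elevated token of an Administrators member yields FALSE here, which appears to be the intended behaviour.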
diff --git a/openvpn.c b/openvpn.c
index 7ccf45f..213a189 100644
--- a/openvpn.c
+++ b/openvpn.c
@@ -692,10 +692,11 @@ StartOpenVPN(connection_t *c)
                     (o.proxy_source != config ? _T("--management-query-proxy ") : _T("")));
 
     /* Try to open the service pipe */
-    service = CreateFile(_T("\\\\.\\pipe\\openvpn\\service"),
+    if (!IsUserAdmin())
+        service = CreateFile(_T("\\\\.\\pipe\\openvpn\\service"),
                          GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
 
-    if (service != INVALID_HANDLE_VALUE)
+    if (service && service != INVALID_HANDLE_VALUE)
     {
         DWORD size = _tcslen(c->config_dir) + _tcslen(options) + sizeof(c->manage.password) + 3;
         TCHAR startup_info[1024];
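Review bot: The CreateFile() call still passes 0 for dwFlagsAndAttributes, so no security quality-of-service is requested and whoever created `\\.\pipe\openvpn\service` first can impersonate the connecting user; the admin gate only removes the highest-value victim, it does not protect non-admin users or the case the commit message describes where the real service is absent and the name is squatted. Request an explicit level, `SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION` in place of that 0, if the service can validate the client from an identification-level token, and fall back to `SECURITY_SQOS_PRESENT | SECURITY_IMPERSONATION` (never delegation) only where the service genuinely needs to act as the client — the service side is not visible here, so that needs confirming against it. The new `service && service != INVALID_HANDLE_VALUE` test also relies on `service` being NULL when IsUserAdmin() returns TRUE, but its declaration is outside the hunk; if it is a bare `HANDLE service;`, skipping CreateFile() leaves it indeterminate and a garbage non-null value passes the test, so initialise it (`HANDLE service = NULL;`) or assign `service = NULL;` immediately before the new `if`. StartOpenVPN() starts and ends outside this hunk.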