github
/
openvpn-gui
mirror of https://github.com/OpenVPN/openvpn-gui
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Do not use interactive service if running as admin 

Commit 791aea49e6 cherry-picked from
master. Commit message altered to make it more relevant for this version.

Connecting to a named pipe server while running with admin rights is not
secure in some windows versions. Even if interactive service is not installed,
the GUI attempts to connect to the service pipe making it possible to exploit
this. Windows XP is known to be vulnerable. See also
http://nsylvain.blogspot.ca/2008/01/namedpipe-impersonation-attack.html

Signed-off-by: Selva Nair <selva.nair@gmail.com>
pull/22/head
Selva Nair 9 years ago
parent
ac2d8a23c6
commit
d3ec653cf5
3 changed files with 31 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 26
      misc.c
  2. 2
      misc.h
  3. 3
      openvpn.c

26
misc.c
Unescape View File

@ -190,3 +190,29 @@ ForceForegroundWindow(HWND hWnd)
return ret;
}
/*
* Check user has admin rights
* Taken from https://msdn.microsoft.com/en-us/library/windows/desktop/aa376389(v=vs.85).aspx
* Returns true if the calling process token has the local Administrators group enabled
* in its SID. Assumes the caller is not impersonating and has access to open its own
* process token.
*/
BOOL IsUserAdmin(VOID)
{
BOOL b;
SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
PSID AdministratorsGroup;
b = AllocateAndInitializeSid (&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
&AdministratorsGroup);
if(b)
{
if (!CheckTokenMembership(NULL, AdministratorsGroup, &b))
b = FALSE;
FreeSid(AdministratorsGroup);
}
return(b);
}

2
misc.h
Unescape View File

@ -30,4 +30,6 @@ BOOL streq(LPCSTR, LPCSTR);
BOOL wcsbegins(LPCWSTR, LPCWSTR);
BOOL ForceForegroundWindow(HWND);
BOOL IsUserAdmin(VOID);
#endif

3
openvpn.c
Unescape View File

@ -692,10 +692,11 @@ StartOpenVPN(connection_t *c)
(o.proxy_source != config ? _T("--management-query-proxy ") : _T("")));
/* Try to open the service pipe */
if (!IsUserAdmin())
service = CreateFile(_T("\\\\.\\pipe\\openvpn\\service"),
GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (service != INVALID_HANDLE_VALUE)
if (service && service != INVALID_HANDLE_VALUE)
{
DWORD size = _tcslen(c->config_dir) + _tcslen(options) + sizeof(c->manage.password) + 3;
TCHAR startup_info[1024];

Write Preview
Loading…
Cancel
Save