If an attacker with SeImeprsonatePrivilege manages to create a
namedpipe server with a name matching that used by the "Interactive
Service", the GUI connecting to it could allow the attacker to
impersonate the GUI user.
Fix by validating the service pipe by comparing the pid of the pipe
server with that of the "Interactive Service".
Note: GetNamedPipeServerProcessId() returns the pid of the process
that created the first instance of the pipe. So, this patch only
guards against a rogue pipe instance created before the service
has started. This has to work in combination with a patch for the
service that disallows creation of additional pipe instances when
the service is running.
CVE: CVE-2024-4877
Reported by: Zeze with TeamT5 <zeze7w@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
CheckServiceStatus() return value is never used - the status
is set to global options_t struct.
While on it, remove unneccessary "false" argument
and reformat the code.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Connection profiles shown on the login screen using PLAP
requires automatic service that starts openvpn.exe
processes for these profiles.
This commit adds an attempt to start the service from
PLAP dll. The service is started only if any PLAP enabled
profiles are found.
As starting the service can spawn up OpenVPN.exe processes and
the GUI may attach to them, auto-connect in the GUI is
suspended during session lock to leave the connections free to
be controlled from PLAP screen.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Remove service-only mode (start/stop service) which has not been in
use since we moved to running the GUI as limited user.
Also its not very useful as it does not allow any control of
service-started daemons
- Keep CheckServiceStatus and always check the status of
automatic service.
The status of the service will be used to toggle supporting
control of persistent connections started by the service.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
When a connection is attempted using a config in a location
that would fail, offer an option to add the user to the "OpenVPN
Administrators" group. This is done using shell-execute which will
show a UAC prompt for elevation. If it fails (due to user chooses
NO or the UAC dialog fails) the connection is not started.
v2 Changes
- Rebase to master
- Automaticlaly add the admin group if it doesn't exist
- Allow unicode strings in debug output
- Use domain\username to identify user
- Fix the PrintDebug macro
Minor changes based on user feedback
- Bring the window back to foreground after UAC prompt completion
- Show a message if another connection is tried during authorization
- Do not add user to ovpn_admin_group if it is same as the built-in admin group
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Set default config directory (config_dir) to %UserProfile%\OpenVPN\config
(saved and read back from HKCU\Software\OpenVPN-GUI\config_dir)
- Add a global_config_dir variable read from HKLM\Software\OpenVPN\config_dir
or set to OpenVPN-install-path\config
- Scan both directories and their sub directories for connection profiles.
In case of name conflicts config_dir gets priority over global_config_dir
- Eliminate multiple warnings of duplicate configs
Fixed on review (Thanks to leobasilio@gmail.com)
- Fix wrongly used o.config_dir in 2 locations
- Unrelated: Added missing CheckIServiceStatus to service.h
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Selva Nair