ui: drop permissions

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2019-05-15 13:03:16 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2019-05-15 13:04:10 +0200
commit: c883f79c9cbe950c3b7bafb0be189b4d075f9f50 (patch)
tree: 4ee114995fcf5989ea5d494ae8e276e52ba668c3 /attacksurface.md
parent: service: move WTS upstream (diff)
download: wireguard-windows-c883f79c9cbe950c3b7bafb0be189b4d075f9f50.tar.xz
wireguard-windows-c883f79c9cbe950c3b7bafb0be189b4d075f9f50.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/attacksurface.md b/attacksurface.md
index f843cc75..f2b56d08 100644
--- a/attacksurface.md
+++ b/attacksurface.md
@@ -36,6 +36,7 @@ The manager service is a userspace service running as Local System, responsible
 The UI is a process running for each user who is in the Administrators group (per the above), running with the elevated high integrity linked token. It exposes:
 
   - Since the UI process is executed with an elevated token, it runs at high integrity and should be immune to various shatter attacks, modulo the great variety of clever bypasses in the latest Windows release.
+  - It uses `AdjustTokenPrivileges` to remove all privileges.
   - It renders highlighted config files to a msftedit.dll control, which typically is capable of all sorts of OLE and RTF nastiness that we make some attempt to avoid.
 
 ### Updates
author	Jason A. Donenfeld <Jason@zx2c4.com>	2019-05-15 13:03:16 +0200
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2019-05-15 13:04:10 +0200
commit	c883f79c9cbe950c3b7bafb0be189b4d075f9f50 (patch)
tree	4ee114995fcf5989ea5d494ae8e276e52ba668c3 /attacksurface.md
parent	service: move WTS upstream (diff)
download	wireguard-windows-c883f79c9cbe950c3b7bafb0be189b4d075f9f50.tar.xz wireguard-windows-c883f79c9cbe950c3b7bafb0be189b4d075f9f50.zip