|author||Jason A. Donenfeld <Jason@zx2c4.com>||2019-08-29 18:36:19 -0600|
|committer||Jason A. Donenfeld <Jason@zx2c4.com>||2019-08-31 07:53:46 -0600|
|parent||manager: delay stale adapter cleanup (diff)|
attacksurface: update mention of prefixes and namespaces
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'attacksurface.md')
1 files changed, 2 insertions, 1 deletions
diff --git a/attacksurface.md b/attacksurface.md
index 7b1f16ae..ad37ddad 100644
@@ -16,7 +16,8 @@ Wintun is a kernel driver. It exposes:
The tunnel service is a userspace service running as Local System, responsible for creating UDP sockets, creating Wintun adapters, and speaking the WireGuard protocol between the two. It exposes:
- - A listening pipe in `\\.\pipe\WireGuard\%s`, where `%s` is some basename of an already valid filename. Its permissions are set to `O:SYD:(A;;GA;;;SY)`, which presumably means only the "Local System" user can access it and do things, but it might be worth double checking that. This pipe gives access to private keys and allows for reconfiguration of the interface, as well as rebinding to different ports (below 1024, even).
+ - A listening pipe in `\\.\pipe\ProtectedPrefix\Administrators\WireGuard\%s`, where `%s` is some basename of an already valid filename. Its DACL is set to `O:SYD:(A;;GA;;;SY)`. This pipe gives access to private keys and allows for reconfiguration of the interface, as well as rebinding to different ports (below 1024, even). Clients who connect to the pipe run `GetSecurityInfo` to verify that it is owned by "Local System".
+ - A global mutex is used for Wintun interface creation, with the same DACL as the pipe, but first CreatePrivateNamespace is called with a "Local System" SID.
- It handles data from its two UDP sockets, accessible to the public Internet.
- It handles data from Wintun, accessible to all users who can do anything with the network stack.
- After some initial setup, it uses `AdjustTokenPrivileges` to remove all privileges, except for `SeLoadDriverPrivilege`, so that it can remove the interface when shutting down. This latter point is rather unfortunate, as `SeLoadDriverPrivilege` can be used for all sorts of interesting escalation. Future work includes forking an additional process or the like so that we can drop this from the main tunnel process.
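Review bot: the two new bullets (the `ProtectedPrefix\Administrators\WireGuard\%s` pipe and the private-namespace mutex) describe what the service does but not what the measures defend against, which is the point of an attack-surface document; suggest adding one sentence to each. For the pipe, state why clients still run `GetSecurityInfo` to verify "Local System" ownership even though the pipe now lives under a protected prefix, since a reader cannot tell from the bullet whether the prefix or the ownership check is the actual control. For the mutex, "with the same DACL as the pipe" should spell out `O:SYD:(A;;GA;;;SY)` so the bullet stands on its own, and it should say what `CreatePrivateNamespace` with a "Local System" SID prevents (another process pre-creating the mutex name) so the purpose of the namespace is recorded rather than implied.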