|author||Jason A. Donenfeld <Jason@zx2c4.com>||2019-04-05 14:01:21 +0200|
|committer||Jason A. Donenfeld <Jason@zx2c4.com>||2019-04-05 14:01:21 +0200|
|parent||ui: lock to OS thread (diff)|
service: use WireGuardTunnel$ prefix
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'attacksurface.md')
1 files changed, 1 insertions, 1 deletions
diff --git a/attacksurface.md b/attacksurface.md
index 20d29afb..5b545393 100644
@@ -27,7 +27,7 @@ The manager service is a userspace service running as Local System, responsible
- Extensive IPC using unnamed pipes, inherited by the unprivileged UI process.
- A writable `CreateFileMapping` handle to a binary ringlog shared by all services, inherited by the unprivileged UI process. It's unclear if this brings with it surprising hidden attack surface in the mm system.
- - It listens for service changes in tunnel services according to the string prefix "WireGuard Tunnel: ".
+ - It listens for service changes in tunnel services according to the string prefix "WireGuardTunnel$".
- It manages DPAPI-encrypted configuration files in Local System's local appdata directory, and makes some effort to enforce good configuration filenames.
- It uses `wtsEnumerateSessions` and `WTSSESSION_NOTIFICATION` to walk through each available session. It then uses `wtfQueryUserToken`, and then calls `GetTokenInformation(TokenGroups)` on it. If one of the returned group's SIDs matches `CreateWellKnownSid(WinBuiltinAdministratorsSid)`, then it spawns the unprivileged UI process as that user token, passing it three unnamed pipe handles for IPC and the log mapping handle, as descried above.