author Jason A. Donenfeld <Jason@zx2c4.com> 2019-04-05 14:01:21 +0200
committer Jason A. Donenfeld <Jason@zx2c4.com> 2019-04-05 14:01:21 +0200
commit 4b9cb6e86538cf8df0d464518d6413f3fc6d8322
tree 92096c6a7a4eb82d7ac14d7d590026bbc7f387bb /attacksurface.md
parent ui: lock to OS thread
service: use WireGuardTunnel$ prefix
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rw-r--r-- attacksurface.md 2
1 files changed, 1 insertions, 1 deletions
diff --git a/attacksurface.md b/attacksurface.md
index 20d29afb..5b545393 100644
--- a/attacksurface.md
+++ b/attacksurface.md
@@ -27,7 +27,7 @@ The manager service is a userspace service running as Local System, responsible
- Extensive IPC using unnamed pipes, inherited by the unprivileged UI process.
- A writable `CreateFileMapping` handle to a binary ringlog shared by all services, inherited by the unprivileged UI process. It's unclear if this brings with it surprising hidden attack surface in the mm system.
- - It listens for service changes in tunnel services according to the string prefix "WireGuard Tunnel: ".
+ - It listens for service changes in tunnel services according to the string prefix "WireGuardTunnel$".
- It manages DPAPI-encrypted configuration files in Local System's local appdata directory, and makes some effort to enforce good configuration filenames.
- It uses `wtsEnumerateSessions` and `WTSSESSION_NOTIFICATION` to walk through each available session. It then uses `wtfQueryUserToken`, and then calls `GetTokenInformation(TokenGroups)` on it. If one of the returned group's SIDs matches `CreateWellKnownSid(WinBuiltinAdministratorsSid)`, then it spawns the unprivileged UI process as that user token, passing it three unnamed pipe handles for IPC and the log mapping handle, as descried above.
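Review bot: the new "+" line still says only "the string prefix" and does not state which service field the manager compares it against. The old value "WireGuard Tunnel: " read like a display name, while "WireGuardTunnel$" reads like a service key name, so an attack-surface document should say explicitly which one is matched. Since the match is by prefix alone, it would also help to state what the manager does with a service it did not create whose name begins with that string, and who is able to register such a service. While touching this list, the trailing context line has three typos worth fixing in the same pass: `wtsEnumerateSessions` and `wtfQueryUserToken` should be `WTSEnumerateSessions` and `WTSQueryUserToken`, and "descried" should be "described".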