aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/attacksurface.md
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-13 11:32:51 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-13 14:21:38 +0200
commit8adbb0d5125a13121257d545bc5def0b3b17b488 (patch)
treeb5e24df4ae181df9912fa7a0f77c176fff4b4a3f /attacksurface.md
parentui: show taskbar progress (diff)
downloadwireguard-windows-8adbb0d5125a13121257d545bc5def0b3b17b488.tar.xz
wireguard-windows-8adbb0d5125a13121257d545bc5def0b3b17b488.zip
service: use more standard naming scheme for syscalls
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'attacksurface.md')
-rw-r--r--attacksurface.md2
1 files changed, 1 insertions, 1 deletions
diff --git a/attacksurface.md b/attacksurface.md
index 8010d7b0..7b960dba 100644
--- a/attacksurface.md
+++ b/attacksurface.md
@@ -29,7 +29,7 @@ The manager service is a userspace service running as Local System, responsible
- A writable `CreateFileMapping` handle to a binary ringlog shared by all services, inherited by the unprivileged UI process. It's unclear if this brings with it surprising hidden attack surface in the mm system.
- It listens for service changes in tunnel services according to the string prefix "WireGuardTunnel$".
- It manages DPAPI-encrypted configuration files in Local System's local appdata directory, and makes some effort to enforce good configuration filenames.
- - It uses `wtsEnumerateSessions` and `WTSSESSION_NOTIFICATION` to walk through each available session. It then uses `wtfQueryUserToken`, and then calls `GetTokenInformation(TokenGroups)` on it. If one of the returned group's SIDs matches `CreateWellKnownSid(WinBuiltinAdministratorsSid)`, and has attributes of either `SE_GROUP_ENABLED` or `SE_GROUP_USE_FOR_DENY_ONLY` and calling `GetTokenInformation(TokenElevation)` on it or its `TokenLinkedToken` indicates that either is elevated, then it spawns the UI process as that the elevated user token, passing it three unnamed pipe handles for IPC and the log mapping handle, as descried above.
+ - It uses `WTSEnumerateSessions` and `WTS_SESSION_NOTIFICATION` to walk through each available session. It then uses `WTSQueryUserToken`, and then calls `GetTokenInformation(TokenGroups)` on it. If one of the returned group's SIDs matches `CreateWellKnownSid(WinBuiltinAdministratorsSid)`, and has attributes of either `SE_GROUP_ENABLED` or `SE_GROUP_USE_FOR_DENY_ONLY` and calling `GetTokenInformation(TokenElevation)` on it or its `TokenLinkedToken` indicates that either is elevated, then it spawns the UI process as that the elevated user token, passing it three unnamed pipe handles for IPC and the log mapping handle, as descried above.
### UI