|author||Jason A. Donenfeld <Jason@zx2c4.com>||2020-11-10 17:17:34 +0100|
|committer||Jason A. Donenfeld <Jason@zx2c4.com>||2020-11-16 19:03:37 +0100|
|parent||fetcher: introduce downloader utility (diff)|
conf: move configuration to C:\Program Files\WireGuard\Data
It doesn't get wiped out on Windows upgrades. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'attacksurface.md')
1 files changed, 1 insertions, 1 deletions
diff --git a/attacksurface.md b/attacksurface.md
index 24fdbe02..7a4ff7d1 100644
@@ -29,7 +29,7 @@ The manager service is a userspace service running as Local System, responsible
- Extensive IPC using unnamed pipes, inherited by the UI process.
- A readable `CreateFileMapping` handle to a binary ringlog shared by all services, inherited by the UI process.
- It listens for service changes in tunnel services according to the string prefix "WireGuardTunnel$".
- - It manages DPAPI-encrypted configuration files in Local System's local appdata directory, and makes some effort to enforce good configuration filenames.
+ - It manages DPAPI-encrypted configuration files in `C:\Program Files\WireGuard\Data`, which is created with `O:SYG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FR;;;BA)`, and makes some effort to enforce good configuration filenames.
- It uses `WTSEnumerateSessions` and `WTSSESSION_NOTIFICATION` to walk through each available session. It then uses `WTSQueryUserToken`, and then calls `GetTokenInformation(TokenGroups)` on it. If one of the returned group's SIDs matches `IsWellKnownSid(WinBuiltinAdministratorsSid)`, and has attributes of either `SE_GROUP_ENABLED` or `SE_GROUP_USE_FOR_DENY_ONLY` and calling `GetTokenInformation(TokenElevation)` on it or its `TokenLinkedToken` indicates that either is elevated, then it spawns the UI process as that the elevated user token, passing it three unnamed pipe handles for IPC and the log mapping handle, as described above.