From 4b9cb6e86538cf8df0d464518d6413f3fc6d8322 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Fri, 5 Apr 2019 14:01:21 +0200 Subject: service: use WireGuardTunnel$ prefix Signed-off-by: Jason A. Donenfeld --- attacksurface.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'attacksurface.md') diff --git a/attacksurface.md b/attacksurface.md index 20d29afb..5b545393 100644 --- a/attacksurface.md +++ b/attacksurface.md @@ -27,7 +27,7 @@ The manager service is a userspace service running as Local System, responsible - Extensive IPC using unnamed pipes, inherited by the unprivileged UI process. - A writable `CreateFileMapping` handle to a binary ringlog shared by all services, inherited by the unprivileged UI process. It's unclear if this brings with it surprising hidden attack surface in the mm system. - - It listens for service changes in tunnel services according to the string prefix "WireGuard Tunnel: ". + - It listens for service changes in tunnel services according to the string prefix "WireGuardTunnel$". - It manages DPAPI-encrypted configuration files in Local System's local appdata directory, and makes some effort to enforce good configuration filenames. - It uses `wtsEnumerateSessions` and `WTSSESSION_NOTIFICATION` to walk through each available session. It then uses `wtfQueryUserToken`, and then calls `GetTokenInformation(TokenGroups)` on it. If one of the returned group's SIDs matches `CreateWellKnownSid(WinBuiltinAdministratorsSid)`, then it spawns the unprivileged UI process as that user token, passing it three unnamed pipe handles for IPC and the log mapping handle, as descried above. -- cgit v1.2.3-59-g8ed1b
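Review bot: the added line ("It listens for service changes in tunnel services according to the string prefix "WireGuardTunnel$".") does not say which service attribute the prefix is matched against. The old value "WireGuard Tunnel: " reads like a display name and the new one like a service key name, so for an attack-surface document it would help to state whether the manager compares the service name or the display name, and whether the comparison is case-sensitive, since that decides which services the manager treats as tunnels. The unchanged context in the same hunk also carries three typos that could be fixed in a follow-up: `wtsEnumerateSessions` should be `WTSEnumerateSessions`, `wtfQueryUserToken` should be `WTSQueryUserToken`, and "descried above" should be "described above".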