diff options
| author | James Yonan <james@openvpn.net> | 2010-08-15 21:53:00 +0000 |
|---|---|---|
| committer | James Yonan <james@openvpn.net> | 2010-08-15 21:53:00 +0000 |
| commit | 4f79d3ec453e8bc2621a847121b0086e0e86b165 (patch) | |
| tree | 7af6d8d74b22053e1a818cde5bca72983ddb3d76 /service-win32 | |
| parent | Added warning about tls-remote in man page. (diff) | |
| download | openvpn-4f79d3ec453e8bc2621a847121b0086e0e86b165.tar.xz | |
Windows security issue:v2.1.2
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\ could create an
executable that would be run with the same privilege level as
the OpenVPN Windows service. However, since non-Administrative
users normally lack write permission on C:\, this vulnerability
is generally not exploitable except on older versions of Windows
(such as Win2K) where the default permissions on C:\ would allow
any user to create files there.
Credit: Scott Laurie, MWR InfoSecurity
Version 2.1.2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'service-win32')
| -rw-r--r-- | service-win32/service.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/service-win32/service.c b/service-win32/service.c index d5211bd..91b5821 100644 --- a/service-win32/service.c +++ b/service-win32/service.c @@ -370,11 +370,13 @@ int CmdInstallService() int ret = 0; - if ( GetModuleFileName( NULL, szPath, 512 ) == 0 ) + if ( GetModuleFileName( NULL, szPath+1, 510 ) == 0 ) { _tprintf(TEXT("Unable to install %s - %s\n"), TEXT(SZSERVICEDISPLAYNAME), GetLastErrorText(szErr, 256)); return 1; } + szPath[0] = '\"'; + strcat(szPath, "\""); schSCManager = OpenSCManager( NULL, // machine (NULL == local) |