From 4f79d3ec453e8bc2621a847121b0086e0e86b165 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Sun, 15 Aug 2010 21:53:00 +0000 Subject: Windows security issue: Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit: Scott Laurie, MWR InfoSecurity Version 2.1.2 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5 --- ChangeLog | 111 ++++++++++++++++++++++++++++++++++++++++++++++ install-win32/settings.in | 2 +- service-win32/service.c | 4 +- version.m4 | 2 +- 4 files changed, 116 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4cbab1b..5580409 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,117 @@ OpenVPN Change Log Copyright (C) 2002-2010 OpenVPN Technologies, Inc. +2010.08.09 -- Version 2.1.2 + +* Windows security issue: + Fixed potential local privilege escalation vulnerability in + Windows service. The Windows service did not properly quote the + executable filename passed to CreateService. A local attacker + with write access to the root directory C:\ could create an + executable that would be run with the same privilege level as + the OpenVPN Windows service. However, since non-Administrative + users normally lack write permission on C:\, this vulnerability + is generally not exploitable except on older versions of Windows + (such as Win2K) where the default permissions on C:\ would allow + any user to create files there. + Credit: Scott Laurie, MWR InfoSecurity + +* Added Python-based based alternative build system for Windows using + Visual Studio 2008 (in win directory). + +* When aborting in a non-graceful way, try to execute do_close_tun in + init.c prior to daemon exit to ensure that the tun/tap interface is + closed and any added routes are deleted. + +* Fixed an issue where AUTH_FAILED was not being properly delivered + to the client when a bad password is given for mid-session reauth, + causing the connection to fail without an error indication. + +* Don't advance to the next connection profile on AUTH_FAILED errors. + +* Fixed an issue in the Management Interface that could cause + a process hang with 100% CPU utilization in --management-client + mode if the management interface client disconnected at the + point where credentials are queried. + +* Fixed an issue where if reneg-sec was set to 0 on the client, + so that the server-side value would take precedence, + the auth_deferred_expire_window function would incorrectly + return a window period of 0 seconds. In this case, the + correct window period should be the handshake window + period. 
+ +* Modified ">PASSWORD:Verification Failed" management interface + notification to include a client reason string: + + >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] + +* Enable exponential backoff in reliability layer + retransmits. + +* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after + socket is created rather than waiting until after connect/listen. + +* Management interface performance optimizations: + + 1. Added env-filter MI command to perform filtering on env vars + passed through as a part of --management-client-auth + + 2. man_write will now try to aggregate output into larger blocks + (up to 1024 bytes) for more efficient i/o + +* Fixed minor issue in Windows TAP driver DEBUG builds + where non-null-terminated unicode strings were being + printed incorrectly. + +* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support + was not being compiled in. + +* Proxy improvements: + + Improved the ability of http-auth "auto" flag to dynamically detect + the auth method required by the proxy. + + Added http-auth "auto-nct" flag to reject weak proxy auth methods. + + Added HTTP proxy digest authentication method. + + Removed extraneous openvpn_sleep calls from proxy.c. + +* Implemented http-proxy-override and http-proxy-fallback directives to make it + easier for OpenVPN client UIs to start a pre-existing client config file with + proxy options, or to adaptively fall back to a proxy connection if a direct + connection fails. + +* Implemented a key/value auth channel from client to server. + +* Fixed issue where bad creds provided by the management interface + for HTTP Proxy Basic Authentication would go into an infinite + retry-fail loop instead of requerying the management interface for + new creds. 
+ +* Added support for MSVC debugging of openvpn.exe in settings.in: + + # Build debugging version of openvpn.exe + !define PRODUCT_OPENVPN_DEBUG + +* Implemented multi-address DNS expansion on the network field of route + commands. + + When only a single IP address is desired from a multi-address DNS + expansion, use the first address rather than a random selection. + +* Added --register-dns option for Windows. + + Fixed some issues on Windows with --log, subprocess creation + for command execution, and stdout/stderr redirection. + +* Fixed an issue where application payload transmissions on the + TLS control channel (such as AUTH_FAILED) that occur during + or immediately after a TLS renegotiation might be dropped. + +* Added warning about tls-remote option in man page. + 2009.12.11 -- Version 2.1.1 * Fixed some breakage in openvpn.spec (which is required to build an diff --git a/install-win32/settings.in b/install-win32/settings.in index edebd44..21ea0a7 100644 --- a/install-win32/settings.in +++ b/install-win32/settings.in @@ -22,7 +22,7 @@ ;!define OPENVPN_XGUI_DIR "../ovpnxml" # Prebuilt libraries. DMALLOC is optional. -!define OPENSSL_DIR "../openssl-0.9.8l" +!define OPENSSL_DIR "../openssl.mingw/openssl-0.9.8o" !define LZO_DIR "../lzo-2.02" !define PKCS11_HELPER_DIR "../pkcs11-helper" ;!define DMALLOC_DIR "../dmalloc-5.4.2" diff --git a/service-win32/service.c b/service-win32/service.c index d5211bd..91b5821 100644 --- a/service-win32/service.c +++ b/service-win32/service.c @@ -370,11 +370,13 @@ int CmdInstallService() int ret = 0; - if ( GetModuleFileName( NULL, szPath, 512 ) == 0 ) + if ( GetModuleFileName( NULL, szPath+1, 510 ) == 0 ) { _tprintf(TEXT("Unable to install %s - %s\n"), TEXT(SZSERVICEDISPLAYNAME), GetLastErrorText(szErr, 256)); return 1; } + szPath[0] = '\"'; + strcat(szPath, "\""); schSCManager = OpenSCManager( NULL, // machine (NULL == local) diff --git a/version.m4 b/version.m4 index 4add313..06d526f 100644 --- a/version.m4 
+++ b/version.m4 @@ -1,5 +1,5 @@ dnl define the OpenVPN version -define(PRODUCT_VERSION,[2.1.1o]) +define(PRODUCT_VERSION,[2.1.2]) dnl define the TAP version define(PRODUCT_TAP_ID,[tap0901]) define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9]) -- cgit v1.2.3
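Review bot: typo in the ChangeLog hunk: "Added Python-based based alternative build system for Windows" repeats "based"; suggest "Added Python-based alternative build system for Windows". The new entry is also dated 2010.08.09 while the commit header says Sun, 15 Aug 2010; worth confirming which date the 2.1.2 release entry should carry.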
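Review bot: the install-win32/settings.in hunk changes the prebuilt OpenSSL location from "../openssl-0.9.8l" to "../openssl.mingw/openssl-0.9.8o", i.e. both a library version bump and a new directory layout, but neither the commit message nor the new ChangeLog entry mentions it. Suggest adding a ChangeLog line (e.g. "Windows build now expects OpenSSL 0.9.8o under ../openssl.mingw") so anyone building the Windows installer from settings.in knows the expected path changed.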
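Review bot: in the service-win32/service.c hunk the truncation case of GetModuleFileName is still unchecked. The call now writes into szPath+1 with a limit of 510 characters, but only a return value of 0 is treated as failure; when the module path does not fit, the function returns nSize (510) and sets ERROR_INSUFFICIENT_BUFFER, and on the older Windows versions this commit targets (MSDN notes Windows 2000/XP) the truncated string is not null-terminated, so the following `strcat(szPath, "\"");` would run off the end of the buffer and CreateService would be handed a mangled path. Suggest capturing the return value and rejecting a full buffer before quoting, e.g. `DWORD n = GetModuleFileName( NULL, szPath+1, 510 ); if ( n == 0 || n >= 510 ) { ... return 1; }`. A smaller style point: the surrounding code uses TCHAR/TEXT throughout (`_tprintf(TEXT("Unable to install %s - %s\n"), ...)`), while the two added lines use narrow literals (`'\"'` and `strcat(szPath, "\"")`); `szPath[0] = TEXT('\"');` and `_tcscat(szPath, TEXT("\""));` keep the file buildable if UNICODE is ever defined. Wrapping the path in quotes is the correct fix for the unquoted lpBinaryPathName problem described in the commit message.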