From 4f79d3ec453e8bc2621a847121b0086e0e86b165 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Sun, 15 Aug 2010 21:53:00 +0000 Subject: Windows security issue: Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit: Scott Laurie, MWR InfoSecurity Version 2.1.2 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5 --- service-win32/service.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'service-win32/service.c') diff --git a/service-win32/service.c b/service-win32/service.c index d5211bd..91b5821 100644 --- a/service-win32/service.c +++ b/service-win32/service.c @@ -370,11 +370,13 @@ int CmdInstallService() int ret = 0; - if ( GetModuleFileName( NULL, szPath, 512 ) == 0 ) + if ( GetModuleFileName( NULL, szPath+1, 510 ) == 0 ) { _tprintf(TEXT("Unable to install %s - %s\n"), TEXT(SZSERVICEDISPLAYNAME), GetLastErrorText(szErr, 256)); return 1; } + szPath[0] = '\"'; + strcat(szPath, "\""); schSCManager = OpenSCManager( NULL, // machine (NULL == local) -- cgit v1.2.3