Comments (4)
Although the problem does not seem easy to fix in WSL (see the linked BashOnWindows issue for a discussion about that), I'm still thinking about implementing the approach described above on my side. Given the implications on the underlying layers, and the fact that I can do nothing about that, I'm likely to add a flag to explicitly allow elevated execution and to convey the fact that this still implies a security risk in regard to UAC effectiveness. (I will probably even add that flag first.)
from cbwin.
Win PIDs of processes doing a TCP connection are not updated after the connect in the lists returned by iphlpapi, but it seems that they are also never recycled (scenario I try to cover: the original process that did the connect does not exist anymore). I asked for confirmation on microsoft/WSL#652, because I have no proof that this is reliable, only I never got any recycling for Win PIDs listed by iphlpapi while leveraging the birthday paradox with a few thousand processes in my tests.
The highest PID was around 70000, with 500 died-after-connect processes and 2000 "attacking" ones, and with the simplifying hypothesis of random allocations, the probability of no collision by "chance" is negligible -- and I did similar tests several times -- so the question that remains is: does this happen to be like that right now because of implementation details, or is this an actual architectural guarantee of Windows? If it is, this actually simplifies the code I need to write (compared to what I thought at first), because we can simply try to open the process by its Win PID (while we keep our end of the connection open): if it is still there (and we have enough perms) we will be able to open it AND know that it is actually the process that did the connection, otherwise we can drop it.
Note: I also found that blog entry from an MS employee: https://blogs.msdn.microsoft.com/michael_howard/2005/10/23/acls-on-sockets/
At first I thought this would secure loopback TCP connections with an ACL (obviously, this would be impossible for non-loopback TCP connections), but I tested it and this is not the case. So I don't really understand when this ACL is applied and against what kind of threat this is useful.
I also took a look at the Windows Firewall, which seems impossible to use for this application for at least three reasons: configuration must be done by an admin (whereas I need dynamic configuration by non-admins), it is not guaranteed to be activated, and it is bypassed for localhost connections.
So I think, for a first level of security, GetExtendedTcpTable(... TCP_TABLE_OWNER_PID_CONNECTIONS ...)+OpenProcess+OpenProcessToken+AccessCheck is the way to go. This lets me avoid reading even a single byte from unauthorized clients. In a second step I will be able to try to unelevate when needed. Unfortunately, a call of GetExtendedTcpTable(... TCP_TABLE_OWNER_PID_CONNECTIONS ...) for each process launch will technically yield a total of O(n**2) entries read for n process launches -- but I suspect this will not be too much of an actual issue with n < a few thousand.
from cbwin.
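The client-authorization sequence described in the comment above (look up the connecting PID in the owner-PID TCP table, open that process while the connection is still held, then compare its token against the server's), together with the PID-recycling estimate from the earlier comment and the integrity-level check mentioned later in the thread, modelled as an added example. This is not cbwin's code: the Win32 calls (GetExtendedTcpTable, OpenProcess, OpenProcessToken, AccessCheck) are replaced by constructed in-memory stand-ins so the decision logic runs anywhere, and the names `TcpRow`, `Token`, `find_peer_pid`, `authorize_client`, `prob_no_pid_reuse` and all sample rows, SIDs and PIDs are invented here. The rule that the client's integrity level must be at least the server's is this example's reading of the UAC-bypass concern, not a statement of what the project implements.

```python
"""Model of the loopback client check: TCP table -> PID -> token -> decision.
Added example with constructed data; no real Win32 calls are made."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOOPBACK = "127.0.0.1"
Endpoint = Tuple[str, int]

# Windows mandatory-label RIDs (S-1-16-x); only their ordering matters here.
INTEGRITY_LOW, INTEGRITY_MEDIUM, INTEGRITY_HIGH = 0x1000, 0x2000, 0x3000


@dataclass(frozen=True)
class TcpRow:
    """One row of the (stand-in) TCP_TABLE_OWNER_PID_CONNECTIONS snapshot."""
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    pid: int


@dataclass(frozen=True)
class Token:
    """What we need from the client's primary token: owner SID and integrity."""
    user_sid: str
    integrity: int


def find_peer_pid(table: List[TcpRow], local: Endpoint, remote: Endpoint) -> Optional[int]:
    """The server knows its accepted socket as (local, remote). The client's
    row is the mirror image: its local endpoint is our remote and vice versa.
    Returns None when no such row exists in the snapshot."""
    for row in table:
        if (row.local_addr, row.local_port) == remote and \
           (row.remote_addr, row.remote_port) == local:
            return row.pid
    return None


def authorize_client(table: List[TcpRow], openable: Dict[int, Token],
                     server: Token, local: Endpoint, remote: Endpoint) -> Tuple[bool, str]:
    """Decide before reading a single byte from the client.
    `openable` stands in for OpenProcess+OpenProcessToken succeeding: PIDs of
    processes that still exist and that we are allowed to open. Because the
    server keeps its end of the connection open during the check, a PID that
    can still be opened is (per the thread's observation) the connecting process."""
    if local[0] != LOOPBACK or remote[0] != LOOPBACK:
        return False, "not a loopback connection"
    pid = find_peer_pid(table, local, remote)
    if pid is None:
        return False, "no owning process in TCP table"
    token = openable.get(pid)
    if token is None:
        return False, f"pid {pid} cannot be opened (exited or access denied)"
    if token.user_sid != server.user_sid:
        return False, f"pid {pid} belongs to another user"
    if token.integrity < server.integrity:
        return False, f"pid {pid} has lower integrity than server (UAC bypass risk)"
    return True, f"pid {pid} accepted"


def prob_no_pid_reuse(highest_pid: int, dead: int, attackers: int) -> float:
    """Under the thread's simplifying hypothesis of uniformly random PID
    allocation (Windows PIDs are multiples of 4, hence highest_pid // 4 slots),
    probability that `attackers` fresh processes never land on one of `dead`
    retired PIDs. A negligible value means observed non-reuse is not chance."""
    slots = highest_pid // 4
    return (1.0 - dead / slots) ** attackers


# --- constructed sample state (not captured from a real machine) ---------------
SERVER_LOCAL: Endpoint = (LOOPBACK, 5000)
SAMPLE_TABLE = [
    TcpRow(LOOPBACK, 5000, LOOPBACK, 40001, 100),   # server side of conn A
    TcpRow(LOOPBACK, 40001, LOOPBACK, 5000, 4242),  # client A, same user
    TcpRow(LOOPBACK, 40002, LOOPBACK, 5000, 4646),  # client B, other user
    TcpRow(LOOPBACK, 40003, LOOPBACK, 5000, 4848),  # client C, exited already
    TcpRow(LOOPBACK, 40004, LOOPBACK, 5000, 5050),  # client D, medium integrity
]
SAMPLE_TOKENS = {
    4242: Token("S-1-5-21-1-2-3-1001", INTEGRITY_HIGH),
    4646: Token("S-1-5-21-1-2-3-1002", INTEGRITY_HIGH),
    5050: Token("S-1-5-21-1-2-3-1001", INTEGRITY_MEDIUM),
}
ELEVATED_SERVER = Token("S-1-5-21-1-2-3-1001", INTEGRITY_HIGH)


def demo() -> Dict[int, bool]:
    """Run the check for each client port; returns {remote_port: allowed}."""
    return {port: authorize_client(SAMPLE_TABLE, SAMPLE_TOKENS, ELEVATED_SERVER,
                                   SERVER_LOCAL, (LOOPBACK, port))[0]
            for port in (40001, 40002, 40003, 40004, 40005)}


if __name__ == "__main__":
    for port, ok in demo().items():
        print(port, ok)
    print(prob_no_pid_reuse(70000, 500, 2000))
```

Only client A passes: B is another user, C can no longer be opened, D would let a medium-integrity process drive an elevated server, and port 40005 has no row at all. The probability helper reproduces the thread's numbers (highest PID ~70000, 500 dead, 2000 attackers) and comes out around 10^-25, which is why the observed absence of reuse was taken as a real property rather than luck.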
Commit c4748ff implements access control using the method described in the previous comment. For now only the user is checked, so UAC bypass using an elevated outbash.exe is not prevented yet. This will be implemented in a future commit.
from cbwin.
Commit 6e77697 adds integrity level to the access control check.
from cbwin.
Related Issues (20)
- wrun: can't translate a WSL VolFs path to a Win32 one HOT 7
- Default command handler HOT 10
- some win32 console programs "sometimes" do line feed instead of new line, but a workaround seems possible HOT 1
- a cmd-like behavior distinguishing between console / GUI target programs might be useful HOT 1
- backgrounded & force redirected caller => SIGTTIN
- Use double quotes to prevent word splitting may be better HOT 12
- Problem with arguments containing the character "&" HOT 1
- wcmd cmd no longer laggy, but eats characters HOT 1
- Let cbwin in session mode launch multiple wcmd instances in parallel HOT 11
- sockets for redirections are not using any security HOT 6
- wstart /mnt/c/windows does not work HOT 7
- Not work inside zsh HOT 14
- behavior of environment variable inconsistent in regards to case sensitivity HOT 1
- No terminal support HOT 6
- Vagrant output doesn't wrap correctly HOT 4
- interactive win32 console programs are broken (input and output) HOT 5
- Native Windows support for launching Windows applications HOT 1
- Some inputted characters skipped in Docker interactive terminal HOT 1
- Starting parameters for bash.exe
- Can't remove cbwin from my pc HOT 1