Re: PostUp/PreUp/PostDown/PreDown Dangerous?

From: Jacob Baines <baines.jacob@gmail.com>
To: Antonio Quartulli <a@unstable.cc>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: PostUp/PreUp/PostDown/PreDown Dangerous?
Date: Fri, 22 Jun 2018 09:08:17 -0400	[thread overview]
Message-ID: <CAEypN9LgpCN_3Zt3H4YgUEtiJWFF7d-=H=jQoTH9DNUN3DX42w@mail.gmail.com> (raw)
In-Reply-To: <6645df4c-3f98-6df9-fc48-6748ad4d6c00@unstable.cc>

[-- Attachment #1: Type: text/plain, Size: 3304 bytes --]

Hey all,

  I'm not familiar with WireGuard so I can only speak in an OpenVPN
context. If the following doesn't apply to WireGuard at all than feel free
to ignore me.

  My main problem with "--script-security" is that its useless. It just
causes OpenVPN to spit a line into a log file (and by that time its too
late anyways). That isn't a security mechanism.

  There also seems to be an expectation that users should understand these
config files. I'm not sure why that is. Excuse my speaking in generalities
but a majority of users aren't going to understand how OpenVPN works, let
alone how the configuration file affects the program. Many users (myself
included) simply receive config files from our bosses or our IT guy and
trust that they aren't malicious. Call me naive or foolish but I don't
review every single file passed my way for malicious content.

   Furthermore, I've heard a few times now "config files exec things". Off
the top of my head, I can't think of any other applications that execute
shell commands listed in their configuration file. I have no idea where
that is coming from. Its not a smart practice from a security point of view.

   I'm not an OpenVPN expert. I'm just some guy that spent a little time
reviewing the source. So I accept that my opinions might be bad. But if I
was I dev I'd deprecate the entire system of executing programs listed in
the configuration file. I'd try to migrate code into OpenVPN itself or the
plugin system. At the very least, prompting the user and asking them for
permission to execute whatever command seems like an improvement to me.

-Jake

On Fri, Jun 22, 2018 at 6:53 AM, Antonio Quartulli <a@unstable.cc> wrote:

>
>
> On 22/06/18 18:46, Jordan Glover wrote:
> > On June 22, 2018 3:56 AM, Antonio Quartulli <a@unstable.cc> wrote:
> >>
> >> In case this might be useful: in OpenVPN there is an additional
> >>
> >> parameter called "--script-security" that requires to be set to a
> >>
> >> certain level before allowing configured scripts to be executed.
> >>
> >> Unfortunately there is no real protection against the clueless user, who
> >>
> >> can and will blindly enable that setting if asked by a $random VPN
> provider.
> >>
> >> However, I still believe (and hope) that forcing the user to enable a
> >>
> >> specific knob may raise the level of attention.
> >>
> >> Maybe something similar could be added as a command line parameter to
> >>
> >> wg/wg-quick so that it will execute the various
> >>
> >> PostUp/PreUp/PostDown/PreDown only if allowed to?
> >>
> >> Just as a side note: this is not a VPN specific problem, this is
> >>
> >> something users can end up with everytime they execute some binary with
> >>
> >> a configuration they have not inspected. So, be careful out there ;-)
> >>
> >> Cheers,
> >>
> >
> > Attacker can pass appropriate "--script-security" level with the very
> same config
> > containing malicious commands so this isn't solving problem of not
> looking at
> > the content of config files.
>
> that's why I suggested to implement it as a command line knob for
> wg/wg-quick.
>
> But I totally agree with you that against this kind of issues there is
> not really a lot the developer can do - each of us is free to shoot
> himself in the foot.
>
> Regards,
>
> --
> Antonio Quartulli
>
>

[-- Attachment #2: Type: text/html, Size: 4297 bytes --]