bypassing wireguard using firejail

bypassing wireguard using firejail

[Sitaram Chamarty]

I am able to bypass the VPN by using firejail (which is a
sandbox program to run untrusted applications).

Below, the IP addresses and domain names are fake but that
should not matter:

    # wg
    interface: wg0
      public key: ....
      private key: (hidden)
      listening port: 59457
      fwmark: 0xca6c

    peer: ....
      endpoint: 11.22.33.44:51820
      allowed ips: 0.0.0.0/0
      latest handshake: 41 seconds ago
      transfer: 35.42 MiB received, 2.74 MiB sent

    $ curl zx2c4.com/ip
    11.22.33.44                 <--- my wg VPN end point IP
    static.44.33.22.11.elided.tld
    curl/7.64.0

    $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
    55.66.77.88                 <--- my actual external IP
    elided.hostname.myisp.in
    curl/7.64.0

My questions:

1.  I know firejail is suid root, but still... is there any way
    to prevent this from happening, or at least make it less
    trivial?

    I'm OK with a "this is the way it is, if your untrusted app
    is running as root you're already toast" response; just want
    to make sure I'm not missing a bet here.

2.  I guess I don't know as much about Linux networking as I
    *thought* I knew, especially about policy routing, so I am
    feeling a bit lost here.

    I would prefer not to have to learn lots of things about
    policy routing and so on, so I wonder if there is a simple,
    (wireguard-specific, if possible) explanation of how linux
    policy routing and iptables work behind the scenes to direct
    packets when wireguard is in play?

regards
sitaram
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: bypassing wireguard using firejail

[Jordan Glover]

On Friday, May 10, 2019 11:54 AM, Sitaram Chamarty <sitaramc@gmail.com> wrote:

> I am able to bypass the VPN by using firejail (which is a
> sandbox program to run untrusted applications).
>
> Below, the IP addresses and domain names are fake but that
> should not matter:
>
> # wg
> interface: wg0
> public key: ....
> private key: (hidden)
> listening port: 59457
> fwmark: 0xca6c
>
> peer: ....
> endpoint: 11.22.33.44:51820
> allowed ips: 0.0.0.0/0
> latest handshake: 41 seconds ago
> transfer: 35.42 MiB received, 2.74 MiB sent
>
> $ curl zx2c4.com/ip
> 11.22.33.44 <--- my wg VPN end point IP
> static.44.33.22.11.elided.tld
> curl/7.64.0
>
> $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
> 55.66.77.88 <--- my actual external IP
> elided.hostname.myisp.in
> curl/7.64.0
>
> My questions:
>
> 1.  I know firejail is suid root, but still... is there any way
>     to prevent this from happening, or at least make it less
>     trivial?
>
>     I'm OK with a "this is the way it is, if your untrusted app
>     is running as root you're already toast" response; just want
>     to make sure I'm not missing a bet here.
>
> 2.  I guess I don't know as much about Linux networking as I
>     thought I knew, especially about policy routing, so I am
>     feeling a bit lost here.
>
>     I would prefer not to have to learn lots of things about
>     policy routing and so on, so I wonder if there is a simple,
>     (wireguard-specific, if possible) explanation of how linux
>     policy routing and iptables work behind the scenes to direct
>     packets when wireguard is in play?
>
>     regards
>     sitaram
>
>

This is known firejail feature[1]. If you want to prevent yourself
from this footgun you may add "restricted-network yes" in
/etc/firejail/firejail.config

I don't see anything from wireguard to do here. If system admin want
to bypass the routes, they will.

[1] https://github.com/netblue30/firejail/issues/2665

Jordan

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: bypassing wireguard using firejail

[Sitaram Chamarty]

On Fri, May 10, 2019 at 02:06:04PM +0000, Jordan Glover wrote:
> On Friday, May 10, 2019 11:54 AM, Sitaram Chamarty <sitaramc@gmail.com> wrote:
> 
> > I am able to bypass the VPN by using firejail (which is a
> > sandbox program to run untrusted applications).
> >
> > Below, the IP addresses and domain names are fake but that
> > should not matter:
> >
> > # wg
> > interface: wg0
> > public key: ....
> > private key: (hidden)
> > listening port: 59457
> > fwmark: 0xca6c
> >
> > peer: ....
> > endpoint: 11.22.33.44:51820
> > allowed ips: 0.0.0.0/0
> > latest handshake: 41 seconds ago
> > transfer: 35.42 MiB received, 2.74 MiB sent
> >
> > $ curl zx2c4.com/ip
> > 11.22.33.44 <--- my wg VPN end point IP
> > static.44.33.22.11.elided.tld
> > curl/7.64.0
> >
> > $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
> > 55.66.77.88 <--- my actual external IP
> > elided.hostname.myisp.in
> > curl/7.64.0
> >
> > My questions:
> >
> > 1.  I know firejail is suid root, but still... is there any way
> >     to prevent this from happening, or at least make it less
> >     trivial?
> >
> >     I'm OK with a "this is the way it is, if your untrusted app
> >     is running as root you're already toast" response; just want
> >     to make sure I'm not missing a bet here.
> >
> > 2.  I guess I don't know as much about Linux networking as I
> >     thought I knew, especially about policy routing, so I am
> >     feeling a bit lost here.
> >
> >     I would prefer not to have to learn lots of things about
> >     policy routing and so on, so I wonder if there is a simple,
> >     (wireguard-specific, if possible) explanation of how linux
> >     policy routing and iptables work behind the scenes to direct
> >     packets when wireguard is in play?
> >
> >     regards
> >     sitaram
> >
> >
> 
> This is known firejail feature[1]. If you want to prevent yourself
> from this footgun you may add "restricted-network yes" in
> /etc/firejail/firejail.config

Thanks.

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Fwd: bypassing wireguard using firejail

[Steve Dodd]

[-- Attachment #1.1: Type: text/plain, Size: 641 bytes --]

[sent to author only originally by mistake - I hate Gmail]

On Fri, 10 May 2019 at 12:56, Sitaram Chamarty <sitaramc@gmail.com> wrote:

> I am able to bypass the VPN by using firejail (which is a
> sandbox program to run untrusted applications).
>

I'm not 100% clear on your setup .. Have you got a network namespace set
up? If not, you haven't got much security anyway, I suspect. It turns out
it's not too hard .. you're welcome to my hacky scripts if you're
interested.

Not sure if firejail would still be able to escape a network namespace by
default, but I'm sure it's possible to drop a capability somewhere or
similar if it is.

S.

[-- Attachment #1.2: Type: text/html, Size: 1103 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Fwd: bypassing wireguard using firejail

[Sitaram Chamarty]

On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote:
> [sent to author only originally by mistake - I hate Gmail]
> 
> On Fri, 10 May 2019 at 12:56, Sitaram Chamarty <sitaramc@gmail.com> wrote:
> 
> > I am able to bypass the VPN by using firejail (which is a
> > sandbox program to run untrusted applications).
> >
> 
> I'm not 100% clear on your setup .. Have you got a network namespace set
> up? If not, you haven't got much security anyway, I suspect. It turns out
> it's not too hard .. you're welcome to my hacky scripts if you're
> interested.

I don't think it has anything to do with my wireguard setup.

If you meant firejail setup, it is when I use "--net" (which,
according to the manpage, "Enable[s] a new network namespace and
connect[s] it to this ethernet interface", that the bypass
happens.

> Not sure if firejail would still be able to escape a network namespace by
> default, but I'm sure it's possible to drop a capability somewhere or
> similar if it is.

The answer, as I'd kinda suspected (and indicated in my original
mail) is that root can always bypass the vpn.  For firejail
specifically there's a setting (thanks Jordan Glover) to prevent
that specific escape, which I have now set.

Some other tool, if it's running as root or is suid root, can
still bypass wireguard, regardless of how it is setup.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Fwd: bypassing wireguard using firejail

[Steve Dodd]

[-- Attachment #1.1: Type: text/plain, Size: 1669 bytes --]

On Sat, 11 May 2019 at 02:09, Sitaram Chamarty <sitaramc@gmail.com> wrote:

> On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote:
>


> > I'm not 100% clear on your setup .. Have you got a network namespace set
> > up? If not, you haven't got much security anyway, I suspect. It turns out
> > it's not too hard .. you're welcome to my hacky scripts if you're
> > interested.
>
> I don't think it has anything to do with my wireguard setup.
>

Network namespaces are worth looking into - it's what I used to avoid
things "escaping" the VPN. They literally can't see any other interfaces,
get their own routing table, etc.

Hacky scripts:

setup: https://pastebin.com/TChbUfL5
teardown: https://pastebin.com/ghYGJQEw
runas: https://pastebin.com/h9vEvryt (this needs to be run by sudo - edit
sudoers appropriately)

WG website has gory details:

https://www.wireguard.com/netns/


> If you meant firejail setup, it is when I use "--net" (which,
> according to the manpage, "Enable[s] a new network namespace and
> connect[s] it to this ethernet interface", that the bypass
> happens.
>

I was meaning setting up a namespace before running firejail .. I actually
find it's tidier and avoids confusion about default routes, etc. Then the
interesting question would be if firejail could break out of that
namespace, and if so how to stop it.


> Some other tool, if it's running as root or is suid root, can
> still bypass wireguard, regardless of how it is setup.
>

I suspect that can be prevented - on modern systems being root isn't
necessarily the be-all and end-all. Capabilities and namespaces can still
be used to  constrain applications in lots of ways.

S.

[-- Attachment #1.2: Type: text/html, Size: 2957 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Fwd: bypassing wireguard using firejail

[Sitaram Chamarty]

On 11/05/2019 17.04, Steve Dodd wrote:
> On Sat, 11 May 2019 at 02:09, Sitaram Chamarty <sitaramc@gmail.com
> <mailto:sitaramc@gmail.com>> wrote:

>     Some other tool, if it's running as root or is suid root, can
>     still bypass wireguard, regardless of how it is setup.
> 
> 
> I suspect that can be prevented - on modern systems being root isn't
> necessarily the be-all and end-all. Capabilities and namespaces can
> still be used to  constrain applications in lots of ways.

Thanks for the links.  I had not read the netns page on wireguard.com
till now.

The last section of that page, "the new namespace solution", appears to
do exactly this; I'm going to try that out when I get some time.

thanks again
sitaram
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard