microsoft/sudo

Doesn't check that the RPC call is from Sudo?

aaronliu0130 opened this issue · 3 comments

Sudo for Windows version

0.1.5

Windows build number

10.0.26052.0

Other Software

No response

Steps to reproduce

see below

Expected Behavior

No response

Actual Behavior

Haven't had time to test this out yet, but according to https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html, sudo accepts any RPC call when in the background and doesn't check if it originates from sudo.

There are no checks for the caller’s PID to make sure it’s really the non-elevated sudo making the request. As long as the RPC server is running you can make the call. Finding the ALPC port is easy enough, you can just enumerate all the ALPC ports in \RPC Control to find them.

The code doesn’t provide a security descriptor for the ALPC port and it calls RpcServerRegisterIf to register the server, which should basically never be used. This old function doesn’t allow you to specify a security descriptor or a security callback. What this means is that any user on the same system can connect to this service and execute sudo commands.

FWIW This was actually already fixed!

  • Internally, tracked in MSFT:48520593
  • closed in !10167063
  • That got ingested as sudo 0.1.6
  • ingested into the OS in !10223639
  • Still sitting in ge_release_we_adept as of the 5th.

Wait, you're on sudo v0.1.6? I'm pretty sure that shouldn't be available yet externally? Unless I don't understand Windows insider flighting rules (and I most likely do not).

Typo, sorry!

No worries! I just had a panic attack that something ~ m y s t e r i o u s ~ was going on. Thanks for following up! FWIW there are some notes on internally fixed bugs over in #4