Hi,

On 23/06/18 06:13, Jordan Glover wrote:
[cut]
>
> But attacker will helpfully provide you customized 'wireguard.script' as well
> and even tell you how to use it by setting 'chmod 4777 wireguard.script'.
>

An attacker will also tell you to run "rm -Rf /" :-P

Jokes apart, I was talking to Jason on IRC and I suggested an idea that might be worth sharing.

A network device driver in the kernel is free to send events to userspace with any custom set of properties/values. Most of you have already seen and played with those typically thrown when an interface goes up and down, with udev normally handling them by executing some (user-)configured action.

These events can be easily created and customized by any kernel module and associated with a network interface.

Wireguard could generate preup/postup/etc. uevents and send them to userspace. It will then be up to udev to decide how to handle those. Specific scripts could be installed by the admin, or udev could come with its own default ones.

In any case, this would delegate the execution of scripts to a component that is in charge of doing exactly that. This would remove the risk of sneaking malicious things into the configuration file, which is what people do not expect and is the core of the issue discussed here.

(Yeah, I already hear people saying "but the malicious attacker will tell the clueless user to install this script in udev", but I think that by then, the problem has moved to another plane)

My experience with this mechanism comes from batman-adv[1], where it used to report special routing events to the user so that he could react accordingly (if desired).

Just my 2 cents.

Cheers,

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/batman-adv/sysfs.c#n1209

--
Antonio Quartulli
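An added example, not part of the original mail and not code from WireGuard, udev or batman-adv: a userspace handler that parses a raw kernel uevent and decides which admin-installed hook may run for it, so the script choice never comes from the tunnel configuration file. The `WG_EVENT` property, its values and the `HOOK_DIR` path are assumptions, since the mail proposes such events without naming any keys.

```python
import os
import re
import stat

# Assumptions: the WG_EVENT key and its values are hypothetical (the mail
# proposes such events but names no properties); HOOK_DIR is a placeholder.
HOOK_DIR = "/etc/wireguard/hooks.d"
ALLOWED_EVENTS = {"preup", "postup", "predown", "postdown"}
IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")

# Constructed sample in the kernel uevent wire format: "ACTION@DEVPATH\0KEY=VALUE\0..."
SAMPLE = (b"change@/devices/virtual/net/wg0\0ACTION=change\0"
          b"DEVPATH=/devices/virtual/net/wg0\0SUBSYSTEM=net\0"
          b"INTERFACE=wg0\0WG_EVENT=postup\0SEQNUM=4242\0")

def parse_uevent(datagram: bytes) -> dict:
    """Split a raw kernel uevent into its KEY=VALUE properties."""
    header, *fields = datagram.split(b"\0")
    if b"@" not in header:
        raise ValueError("missing ACTION@DEVPATH header")
    props = {}
    for field in fields:
        key, sep, value = field.decode("utf-8", "replace").partition("=")
        if sep:
            props[key] = value
    return props

def select_hook(props: dict, hook_dir: str = HOOK_DIR, trusted_uid: int = 0):
    """Return the hook path to execute for this event, or None to ignore it."""
    event = props.get("WG_EVENT", "")
    ifname = props.get("INTERFACE", "")
    if props.get("SUBSYSTEM") != "net" or event not in ALLOWED_EVENTS:
        return None
    if ifname in (".", "..") or not IFNAME_RE.fullmatch(ifname):
        return None
    path = os.path.join(hook_dir, event)   # name comes from the allowlist only
    try:
        st = os.lstat(path)                 # lstat: a symlink is not a regular file
    except OSError:
        return None
    unsafe_bits = stat.S_IWGRP | stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID
    if not stat.S_ISREG(st.st_mode) or st.st_uid != trusted_uid:
        return None
    if st.st_mode & unsafe_bits:            # e.g. a 4777 script is refused
        return None
    return path

if __name__ == "__main__":
    print(select_hook(parse_uevent(SAMPLE)))
```
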