Nmap Development mailing list archives
Re: Limit WinPcap use by unprivileged users
From: "Gianluca Varenni" <gianluca.varenni () gmail com>
Date: Thu, 30 Sep 2010 11:16:19 -0700
-------------------------------------------------- From: "Fyodor" <fyodor () insecure org> Sent: Tuesday, September 28, 2010 3:31 PM To: "Gianluca Varenni" <gianluca.varenni () gmail com>Cc: "Patrik Karlsson" <patrik () cqure net>; "David Fifield" <david () bamsoftware com>; <nmap-dev () insecure org>; "DePriest, Jason R." <jrdepriest () gmail com>
Subject: Re: Limit WinPcap use by unprivileged users
On Mon, Sep 27, 2010 at 01:54:26PM -0700, Gianluca Varenni wrote:Definitely true. It's a design flaw in WinPcap, and the issue has been on the WinPcap todo list for a long time (years). Technically, it all boils down to applying the proper DACLs to the device objects(\\device\NPF_{GUID}) when they are created by the driver, so that only theadmin users are allowed to read/write from such devices, and provide some sort of tool to add/remove users/groups allowed to access the devices (in practice work like the /dev/bpf devices under BSD and probably something similar to Linux).Hi Gianluca, thanks for responding. We would love to see this sort of option in Winpcap! Microsoft has been making a big push (especially in Windows 7) to enable greater separation between non-administrative and administrative accounts, so I think this issue will continue to grow in importance until it is addressed. There are many scenarios where you want admins to be able to run Wireshark or Nmap, but without enabling unprivileged users to sniff traffic on the network, perform ARP spoofing attacks, etc.The main issue from my point of view is backwardcompatibility. There is a huge number of applications (and users) that relyon the fact that you don't need administrative privileges to run a WinPcap-based application. Modify the current (and surely unsecure) behavior of WinPcap, and I will have a lot of angry users. A possibilitycould be to have a registry key that enables/disables the "restrictions" on WinPcap devices, registry key that can only be modified by an admin and isconfigured at WinPcap installation timeI like the idea of making it an option which can be enabled or disabled at install time (or by admins later). We would probably enable the restrictions by default in the Nmap installer, but provide a checkbox to turn that off.(by default restrictions would be on, can switch it off with a checkbox in the installer). I'm not sure if the WinPcap users would even read that additional checkbox in the installer and would just send an angry email to winpcap-bugs () winpcap org complaining that WinPcap does not work...I think Winpcap-using apps like Wireshark and Nmap can help prevent this with good error messages. As long as the Winpcap error is distinct (e.g. permission denied), we can have Nmap print an error message noting that the user needs to run Nmap as an Administrator or change the Winpcap settings (with a URL describing how). I think we could automatically have Nmap/Zenmap request admin permissions as needed, too. Even if you started out with the simplest and most compatible approach, that would be a big win. Imagine if this feature was added, but disabled by default (unless a reg key is set or box checked in the installer), and admin-only (no system for adding trusted users/groups yet). This wouldn't affect most people by default, but would still give a more secure option to the folks who really need it. Right now we don't really have a good solution for those. They can remember to unload NPF when it isn't being used, but that still leaves them vulnerable while running Nmap or Wireshark. So what do you think about adding this feature? We'd be quite happy with even a simple version to start out with, and I'm sure many of us (including me) would help with testing.
I will look into that in the next couple of weeks (hopefully!) and create something you can play with. The main issue is that even if a UI to change the trusted users is not needed at the beginning, I still have to put the right infrastructure for that in the driver.
Have a nice day GV _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Limit WinPcap use by unprivileged users David Fifield (Sep 24)
- Re: Limit WinPcap use by unprivileged users DePriest, Jason R. (Sep 24)
- Re: Limit WinPcap use by unprivileged users David Fifield (Sep 24)
- Re: Limit WinPcap use by unprivileged users Patrik Karlsson (Sep 25)
- Re: Limit WinPcap use by unprivileged users Gianluca Varenni (Sep 27)
- Re: Limit WinPcap use by unprivileged users David Fifield (Sep 27)
- Re: Limit WinPcap use by unprivileged users Fyodor (Sep 28)
- Re: Limit WinPcap use by unprivileged users Gianluca Varenni (Sep 30)
- Re: Limit WinPcap use by unprivileged users David Fifield (Sep 24)
- Re: Limit WinPcap use by unprivileged users DePriest, Jason R. (Sep 24)