This problem was actually brought up in the breako...
# generalm
Mike Myers
12/08/2020, 9:33 PMThis problem was actually brought up in the breakout chats at Querycon last year
t
Tao Jiang
12/08/2020, 10:23 PMNice to know. Was there any suggestion on this?
m
Mike Myers
12/08/2020, 11:05 PMIt wasn't clear to us at the time if it was a Thrift problem or our problem, and I guess nobody acted on it. I think we could look at it now. Is there an issue to track it?
Mike Myers
12/08/2020, 11:07 PMI can't find one, so I'll make one
Mike Myers
12/08/2020, 11:11 PMt
theopolis
12/09/2020, 12:26 AM
Interesting, this is pretty serious as by design the API would allow anyone to stop osquery or alter its data.
g
Grant
12/17/2020, 12:12 AMHello guys, is there a workaround or process on this issue? Thanks!
t
theopolis
12/17/2020, 3:23 AM
I don't think there is, but I think a first step is to update the Thrift version we use and check if the Windows pipe integration applies the intended permissions.
👍 1
m
Mike Myers
12/17/2020, 4:38 PMIt doesn't look like the Thrift API object used by osquery, TPipe, is able to specify access controls on the pipe. https://github.com/osquery/osquery/blob/224423fb7581b9e7c4d60e084065238a8601e246/osquery/extensions/impl_thrift.cpp#L49
Mike Myers
12/17/2020, 4:38 PMMike Myers
12/17/2020, 4:38 PMPerhaps because of the use of CreateFileA here https://github.com/apache/thrift/blob/86352b4821085d63861deab59c46ef1042fbfe81/lib/cpp/src/thrift/transport/TPipe.cpp#L277
Mike Myers
12/17/2020, 4:39 PMMaybe it ought to be using CreateNamedPipe as described here https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights
Mike Myers
12/17/2020, 4:39 PMBut I'll have to step through it in a debugger to confirm
g
Grant
12/17/2020, 8:08 PMLatest thrift added a constructor that takes security descriptor on server side
Grant
12/17/2020, 9:22 PMm
Mike Myers
12/17/2020, 11:47 PMNice, good find. I'll see if I can build with a newer Thrift
👍 1
5 Views