PostUp/PreUp/PostDown/PreDown Dangerous?

Jason A. Donenfeld Jason at zx2c4.com
Fri Jun 22 03:41:03 CEST 2018


Hey list,

wg(8) is the main WireGuard configuration tool. It takes a fairly
strict set of inputs, and is supposed to perform acceptable input
validation on them.

https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8

wg-quick(8), on the other hand, is a dinky bash script, that is useful
for making some common limited use cases a bit easier.

https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8

wg-quick(8) has the very handy feature of allowing
PostUp/PostDown/PreUp/PreDown directives, to execute some helpers,
such as iptables or whatever else you want in a custom setup. These
have proven very useful to folks. And because these allow arbitrary
execution anyway, wg-quick(8) doesn't try very hard to do proper input
validation either.

I just saw this nice post pointing out a problem in OpenVPN:
https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da

The same thing applies to wg-quick(8) with
PostUp/PostDown/PreUp/PreDown. The question is how seriously we should
take the problem presented by this blog post. Namely, you can't trust
configuration files given to you by outside parties. Maybe you
shouldn't reconfigure your network without inspecting what those
reconfigurations are first. However, one could argue that code
execution is a bit beyond networking config.

So, the question we need to ask is whether this problem is important
enough that these useful features should be _removed_? Or if there's a
way to make them safer? Or if it just doesn't matter that much and we
shouldn't do anything.

Thoughts?

Jason
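
One way to inspect a received configuration before handing it to wg-quick(8), as the message suggests. This is an added example, not part of the original post and not WireGuard project code. The function names and the sample config are constructed for illustration, and the matching is assumed to be case-insensitive and applied in every section, which is deliberately broader than wg-quick needs.

```shell
#!/bin/sh
# Added example: audit a wg-quick config for command-executing directives.

# Constructed sample config; keys are placeholders, hook values are harmless.
sample_config() {
    cat <<'EOF'
[Interface]
PrivateKey = <placeholder>
Address = 10.0.0.2/32
# PostUp = commented out, not a directive
postup = /bin/sh -c 'echo constructed-hook'
PreDown=echo constructed-hook-2

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
EOF
}

# Reads a config on stdin.
# mode=list : print each hook line as "LINE:text"; exit status 1 if any exist.
# mode=strip: print the config with the hook lines removed.
hook_filter() {
    awk -v mode="$1" '
    {
        is_hook = 0
        eq = index($0, "=")              # key is the text before the first "="
        if (eq > 0) {
            key = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            # Commented lines keep their "#" in key, so they never match.
            if (tolower(key) ~ /^(preup|postup|predown|postdown)$/) is_hook = 1
        }
        if (is_hook) { found = 1; if (mode == "list") print NR ":" $0 }
        else if (mode == "strip") print
    }
    END { if (mode == "list" && found) exit 1 }'
}

find_hooks()  { hook_filter list; }
strip_hooks() { hook_filter strip; }

# Demo: show what would be executed, then confirm a stripped copy is clean.
sample_config | find_hooks || echo "hook directives present: read them before running wg-quick"
sample_config | strip_hooks | find_hooks && echo "stripped copy contains no hook directives"
```

The hook values are printed exactly as written in the file, so the reviewer sees the whole command line rather than a normalized form.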

