PostUp/PreUp/PostDown/PreDown Dangerous?

Lonnie Abelbeck lists at lonnie.abelbeck.com
Fri Jun 22 21:26:37 CEST 2018


> On Jun 21, 2018, at 8:41 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> 
> Hey list,
> 
> wg(8) is the main WireGuard configuration tool. It takes a fairly
> strict set of inputs, and is supposed to perform acceptable input
> validation on them.
> 
> https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
> 
> wg-quick(8), on the other hand, is a dinky bash script that is useful
> for making some common limited use cases a bit easier.
> 
> https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
> 
> wg-quick(8) has the very handy feature of allowing
> PostUp/PostDown/PreUp/PreDown directives, to execute some helpers,
> such as iptables or whatever else you want in a custom setup. These
> have proven very useful to folks. And because these allow arbitrary
> execution anyway, wg-quick(8) doesn't try very hard to do proper input
> validation either.
> 
> I just saw this nice post pointing out a problem in OpenVPN:
> https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da
> 
> The same thing applies to wg-quick(8) with
> PostUp/PostDown/PreUp/PreDown.

How about not supporting direct execution of commands in the config [Interface] section but rather support an optional path to where a fixed command (ex. wireguard.script) is found...
--
ActionScriptDir = /usr/local/bin
--

Then instead of executing the PostUp/PostDown/PreUp/PreDown data, the wg-quick script would call:
--
/usr/local/bin/wireguard.script PRE_UP|PRE_DOWN|POST_UP|POST_DOWN "$INTERFACE"
--

1) When called, the first argument would be one of: PRE_UP|PRE_DOWN|POST_UP|POST_DOWN

2) When called, the second argument would be the wireguard interface.

3) If ActionScriptDir is not defined, then wireguard.script is not called.


This requires an extra step to be taken to create a wireguard.script file with execute permissions and possibly require specific ownership.

Lonnie
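The dispatch described in the message above, written out as an added example (this is not wg-quick's code and not Lonnie's): the config contributes only a directory name, wg-quick calls a fixed script with a fixed action word and the interface name, and nothing from the config is ever evaluated as shell. ActionScriptDir and wireguard.script are the names from the post; the ownership and mode checks and the use of GNU stat(1) are assumptions made here.

```shell
#!/bin/bash
# Added example, not wg-quick's own code: the dispatch Lonnie describes, where the
# config supplies only a directory and wg-quick runs a fixed script with fixed
# action words. ActionScriptDir and wireguard.script are named in the post; the
# ownership/mode checks and GNU stat(1) are assumptions of this example.

# Print the ActionScriptDir value from the [Interface] section; fail if unset.
read_action_script_dir() {
    local config="$1" line key value in_iface=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                            # drop comments
        case "$line" in
            *\[Interface\]*) in_iface=1; continue ;;
            *\[*\]*)         in_iface=0; continue ;;
            *=*)             [ "$in_iface" -eq 1 ] || continue ;;
            *)               continue ;;
        esac
        key="${line%%=*}"; key="${key//[[:space:]]/}"
        value="${line#*=}"
        value="${value#"${value%%[![:space:]]*}"}"   # trim leading space
        value="${value%"${value##*[![:space:]]}"}"   # trim trailing space
        if [ "$key" = ActionScriptDir ]; then printf '%s\n' "$value"; return 0; fi
    done < "$config"
    return 1
}

# Accept only an executable regular file owned by the expected uid (root by
# default) with no group/world write bit: a writable hook is a code-exec hole.
check_action_script() {
    local script="$1" want_uid="${2:-0}" owner mode
    [ -f "$script" ] && [ -x "$script" ] || return 1
    owner=$(stat -c %u "$script") && mode=$(stat -c %a "$script") || return 1
    [ "$owner" -eq "$want_uid" ] || return 1
    [ $(( 8#$mode & 8#022 )) -eq 0 ]
}

# Run one hook. The action word is whitelisted, the directory must be absolute,
# and config text is only ever passed as an argument, never evaluated as shell.
run_action() {
    local config="$1" action="$2" iface="$3" uid="${4:-0}" dir script
    case "$action" in PRE_UP|PRE_DOWN|POST_UP|POST_DOWN) ;; *) return 2 ;; esac
    dir=$(read_action_script_dir "$config") || return 0   # (3): unset, run nothing
    case "$dir" in /*) ;; *) return 3 ;; esac
    script="$dir/wireguard.script"
    check_action_script "$script" "$uid" || return 3
    "$script" "$action" "$iface"
}

# Usage: ./hook.sh /etc/wireguard/wg0.conf POST_UP wg0
if [ $# -eq 3 ]; then run_action "$@"; fi
```

The fourth argument to run_action (expected owner uid) exists only so the check can be exercised without root; a deployment would leave it at the default of 0.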


