Nmap Development mailing list archives
Re: Limit WinPcap use by unprivileged users
From: Fyodor <fyodor () insecure org>
Date: Tue, 28 Sep 2010 15:31:24 -0700
On Mon, Sep 27, 2010 at 01:54:26PM -0700, Gianluca Varenni wrote:
Definitely true. It's a design flaw in WinPcap, and the issue has been on the WinPcap todo list for a long time (years). Technically, it all boils down to applying the proper DACLs to the device objects (\\device\NPF_{GUID}) when they are created by the driver, so that only the admin users are allowed to read/write from such devices, and provide some sort of tool to add/remove users/groups allowed to access the devices (in practice work like the /dev/bpf devices under BSD and probably something similar to Linux).
Hi Gianluca, thanks for responding. We would love to see this sort of option in Winpcap! Microsoft has been making a big push (especially in Windows 7) to enable greater separation between non-administrative and administrative accounts, so I think this issue will continue to grow in importance until it is addressed. There are many scenarios where you want admins to be able to run Wireshark or Nmap, but without enabling unprivileged users to sniff traffic on the network, perform ARP spoofing attacks, etc.
The main issue from my point of view is backward compatibility. There is a huge number of applications (and users) that rely on the fact that you don't need administrative privileges to run a WinPcap-based application. Modify the current (and surely unsecure) behavior of WinPcap, and I will have a lot of angry users. A possibility could be to have a registry key that enables/disables the "restrictions" on WinPcap devices, registry key that can only be modified by an admin and is configured at WinPcap installation time
I like the idea of making it an option which can be enabled or disabled at install time (or by admins later). We would probably enable the restrictions by default in the Nmap installer, but provide a checkbox to turn that off.
(by default restrictions would be on, can switch it off with a checkbox in the installer). I'm not sure if the WinPcap users would even read that additional checkbox in the installer and would just send an angry email to winpcap-bugs () winpcap org complaining that WinPcap does not work...
I think Winpcap-using apps like Wireshark and Nmap can help prevent this with good error messages. As long as the Winpcap error is distinct (e.g. permission denied), we can have Nmap print an error message noting that the user needs to run Nmap as an Administrator or change the Winpcap settings (with a URL describing how). I think we could automatically have Nmap/Zenmap request admin permissions as needed, too. Even if you started out with the simplest and most compatible approach, that would be a big win. Imagine if this feature was added, but disabled by default (unless a reg key is set or box checked in the installer), and admin-only (no system for adding trusted users/groups yet). This wouldn't affect most people by default, but would still give a more secure option to the folks who really need it. Right now we don't really have a good solution for those. They can remember to unload NPF when it isn't being used, but that still leaves them vulnerable while running Nmap or Wireshark. So what do you think about adding this feature? We'd be quite happy with even a simple version to start out with, and I'm sure many of us (including me) would help with testing.
Have a nice day
You too! -Fyodor _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Limit WinPcap use by unprivileged users David Fifield (Sep 24)
- Re: Limit WinPcap use by unprivileged users DePriest, Jason R. (Sep 24)
- Re: Limit WinPcap use by unprivileged users David Fifield (Sep 24)
- Re: Limit WinPcap use by unprivileged users Patrik Karlsson (Sep 25)
- Re: Limit WinPcap use by unprivileged users Gianluca Varenni (Sep 27)
- Re: Limit WinPcap use by unprivileged users David Fifield (Sep 27)
- Re: Limit WinPcap use by unprivileged users Fyodor (Sep 28)
- Re: Limit WinPcap use by unprivileged users Gianluca Varenni (Sep 30)
- Re: Limit WinPcap use by unprivileged users David Fifield (Sep 24)
- Re: Limit WinPcap use by unprivileged users DePriest, Jason R. (Sep 24)