Nmap Development mailing list archives

Re: Limit WinPcap use by unprivileged users


From: Fyodor <fyodor () insecure org>
Date: Tue, 28 Sep 2010 15:31:24 -0700

On Mon, Sep 27, 2010 at 01:54:26PM -0700, Gianluca Varenni wrote:

> Definitely true. It's a design flaw in WinPcap, and the issue has been on
> the WinPcap todo list for a long time (years). Technically, it all boils
> down to applying the proper DACLs to the device objects
> (\\device\NPF_{GUID}) when they are created by the driver, so that only the
> admin users are allowed to read/write from such devices, and provide some
> sort of tool to add/remove users/groups allowed to access the devices (in
> practice work like the /dev/bpf devices under BSD and probably something
> similar to Linux).

Hi Gianluca, thanks for responding.  We would love to see this sort of
option in WinPcap!  Microsoft has been making a big push (especially
in Windows 7) to enable greater separation between non-administrative
and administrative accounts, so I think this issue will continue to
grow in importance until it is addressed.  There are many scenarios
where you want admins to be able to run Wireshark or Nmap, but without
enabling unprivileged users to sniff traffic on the network, perform
ARP spoofing attacks, etc.

> The main issue from my point of view is backward
> compatibility. There is a huge number of applications (and users) that rely
> on the fact that you don't need administrative privileges to run a
> WinPcap-based application. Modify the current (and surely unsecure)
> behavior of WinPcap, and I will have a lot of angry users. A possibility
> could be to have a registry key that enables/disables the "restrictions" on
> WinPcap devices, registry key that can only be modified by an admin and is
> configured at WinPcap installation time

I like the idea of making it an option which can be enabled or
disabled at install time (or by admins later).  We would probably
enable the restrictions by default in the Nmap installer, but provide
a checkbox to turn that off.

> (by default restrictions would be on, can switch it off with a
> checkbox in the installer). I'm not sure if the WinPcap users would
> even read that additional checkbox in the installer and would just
> send an angry email to winpcap-bugs () winpcap org complaining that
> WinPcap does not work...

I think WinPcap-using apps like Wireshark and Nmap can help prevent
this with good error messages.  As long as the WinPcap error is
distinct (e.g. permission denied), we can have Nmap print an error
message noting that the user needs to run Nmap as an Administrator or
change the WinPcap settings (with a URL describing how).  I think we
could automatically have Nmap/Zenmap request admin permissions as
needed, too.

Even if you started out with the simplest and most compatible
approach, that would be a big win.  Imagine if this feature was added,
but disabled by default (unless a reg key is set or box checked in the
installer), and admin-only (no system for adding trusted users/groups
yet).  This wouldn't affect most people by default, but would still
give a more secure option to the folks who really need it.  Right now
we don't really have a good solution for those.  They can remember to
unload NPF when it isn't being used, but that still leaves them
vulnerable while running Nmap or Wireshark.

So what do you think about adding this feature?  We'd be quite happy
with even a simple version to start out with, and I'm sure many of us
(including me) would help with testing.

> Have a nice day

You too!
-Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
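
The DACL restriction discussed in this thread can be audited from a device object's security descriptor string. The following is an added example, not code from WinPcap, Nmap or either poster: it parses an SDDL string and lists the non-admin trustees whose allow ACEs permit read or write. The sample descriptors and the choice of privileged trustees are assumptions; the thread does not say what descriptor the NPF devices actually carry.

```python
import re

# SDDL trustees treated as privileged here: LocalSystem and built-in Administrators.
PRIVILEGED = {"SY", "BA"}
# Rights abbreviations that let a caller open the device for reading or writing.
READ_WRITE = {"GA", "GR", "GW", "FA", "FR", "FW"}
# The same idea for hex masks: GENERIC_READ/WRITE/ALL, FILE_READ_DATA/WRITE_DATA.
RW_MASK = 0x80000000 | 0x40000000 | 0x10000000 | 0x1 | 0x2


def grants_read_write(rights):
    """True if an ACE rights field (abbreviations or hex mask) allows read/write."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & RW_MASK)
    return bool(set(re.findall("..", rights)) & READ_WRITE)


def unprivileged_access(sddl):
    """Return (trustee, rights) for each allow ACE that opens the device to non-admins.

    Deny ACEs are skipped, so the result is an upper bound on exposure.
    """
    m = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if m is None or m.group(1) == "NO_ACCESS_CONTROL":
        return [("WD", "GA")]  # no DACL / NULL DACL: everyone has full access
    findings = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, _flags, rights, _obj, _inherit, trustee = body.split(";")[:6]
        if ace_type == "A" and trustee not in PRIVILEGED and grants_read_write(rights):
            findings.append((trustee, rights))
    return findings


# Constructed sample descriptors (not taken from WinPcap).
OPEN_TO_ALL = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGW;;;WD)(A;;GR;;;RC)"
ADMIN_ONLY = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"

if __name__ == "__main__":
    for name, sddl in (("open", OPEN_TO_ALL), ("admin-only", ADMIN_ONLY)):
        print(name, unprivileged_access(sddl) or "no unprivileged read/write")
```

An empty result for the admin-only descriptor is the state the proposed restriction aims for; any entry naming `WD` (Everyone) or `BU` (built-in Users) means unprivileged processes can still open the device.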

