brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

[Security] Implement process hardening for the Brave VPN services #39230

Closed thypon closed 4 months ago

thypon commented 4 months ago

Test Plan

  1. Install a version of Brave with this fix. Make sure escalation to admin happens (UAC prompt).
  2. Verify the Elevation Service for this channel is installed in services.msc
  3. Visit account.brave.com and log in to an account with Brave VPN or buy Brave VPN
  4. Verify Use WireGuard protocol in Brave VPN is enabled on brave://settings/system
  5. Pick a VPN server and verify you can connect. Use https://whatismyipaddress.com/ to verify your location changed
  6. Disconnect from VPN
  7. Disable Use WireGuard protocol in Brave VPN on brave://settings/system
  8. Pick a VPN server and verify you can connect. Use https://whatismyipaddress.com/ to verify your location changed
  9. Visit https://dnsleaktest.com/ and verify there are no leaks (this is what the Brave DNS service fixes)

Platforms

Windows

Description

Let's implement a ProcessRedirectionTrustPolicy inside the Elevation Service.

This feature will allow hardening the Elevation Service infrastructure against vertical privilege escalations.

MadhaviSeelam commented 3 months ago

Verification PASSED using

Brave | 1.69.101 Chromium: 127.0.6533.43 (Official Build) nightly (64-bit)
-- | --
Revision | 9073515479afc03ab66a21bb8175263fc56ba1f1
OS | Windows 11 Version 23H2 (Build 22631.3880)

  1. Downloaded BraveBrowserStandaloneNightlySetup.exe for 1.69.101 nightly
  2. Accepted Yes at the UAC prompt
  3. launched Brave
  4. opened services.msc and confirmed Brave Nightly Elevation Service is installed
  5. opened account.brave.com in a new tab and authenticated with basic auth
  6. logged in with existing subscription (mseelam@brave.com)
  7. clicked Refresh button on the subscription page
  8. opened brave://settings/system page in a new tab
  9. confirmed Use WireGuard protocol in Brave VPN is enabled
  10. selected Brazil region in the VPN panel
  11. confirmed WireGuard toggle is read only status
  12. visited whatismyipaddress.com in a new tab
  13. confirmed Brazil location is shown
  14. visited https://dnsleaktest.com/ in a new tab
  15. confirmed no DNS leaks