Linux/FreeBSD: Add absolute paths for system binaries to prevent path hijacking (CVE-2024-54187, collaboration with SivertPL @__tfr)

This commit fixes a critical security vulnerability where VeraCrypt could be tricked into executing malicious binaries with elevated privileges. The vulnerability has two severe implications: 1. When sudo's secure_path option is disabled, attackers could execute malicious binaries with root privileges by placing them in user-writable PATH directories (e.g., making "sudo mount" execute a malicious mount binary) 2. By placing a malicious sudo binary in PATH, attackers could intercept and steal the user's password when VeraCrypt prompts for sudo authentication The vulnerability allowed attackers to place malicious binaries in user-writable directories that appear in PATH before system directories, potentially leading to privilege escalation and credential theft. Key changes: - Implement FindSystemBinary() to locate executables in secure system paths - Replace all relative binary paths with absolute paths for system commands - Add security checks for executable permissions - Update process execution to use absolute paths for: * sudo * mount * fsck * terminal emulators * file managers * system utilities (hdiutil, mdconfig, vnconfig, lofiadm) The fix ensures all system binaries are called using their absolute paths from secure system directories, preventing both privilege escalation through PATH manipulation and password theft through sudo hijacking. Security: CVE-2024-54187
2025-11-11 19:08:26 -06:00 · 2025-01-11 17:26:03 +01:00
parent 1b35abb191
commit 2cca2e1daf
9 changed files with 226 additions and 99 deletions
--- a/src/Main/UserInterface.cpp
+++ b/src/Main/UserInterface.cpp
@@ -872,11 +872,30 @@ namespace VeraCrypt
 	}

 #if !defined(TC_WINDOWS) && !defined(TC_MACOSX)
-// Function to check if a given executable exists and is executable
-static bool IsExecutable(const string& exe) {
-    return wxFileName::IsFileExecutable("/usr/bin/" + exe) ||
-           wxFileName::IsFileExecutable("/usr/local/bin/" + exe);
-}
+// Define file manager structures with their required parameters
+struct FileManager {
+	const char* name;
+	const char* const* baseArgs;
+	size_t baseArgsCount;
+};
+
+// Array of supported file managers with their parameters
+static const char* const gioArgs[] = {"open"};
+static const char* const kioclient5Args[] = {"exec"};
+static const char* const kfmclientArgs[] = {"openURL"};
+static const char* const exoOpenArgs[] = {"--launch", "FileManager"};
+
+const FileManager fileManagers[] = {
+	{"gio", gioArgs, 1},
+	{"kioclient5", kioclient5Args, 1},
+	{"kfmclient", kfmclientArgs, 1},
+	{"exo-open", exoOpenArgs, 2},
+	{"nautilus", NULL, 0},
+	{"dolphin", NULL, 0},
+	{"caja", NULL, 0},
+	{"thunar", NULL, 0},
+	{"pcmanfm", NULL, 0}
+};
 #endif

 	void UserInterface::OpenExplorerWindow (const DirectoryPath &path)
@@ -898,17 +917,21 @@ static bool IsExecutable(const string& exe) {
 		args.push_back (string (path));
 		try
 		{
-			Process::Execute ("open", args);
+			Process::Execute ("/usr/bin/open", args);
 		}
 		catch (exception &e) { ShowError (e); }

 #else
 		string directoryPath = string(path);
 		// Primary attempt: Use xdg-open
-		if (IsExecutable("xdg-open")) {
-			try {
+		string errorMsg;
+		string binPath = Process::FindSystemBinary("xdg-open", errorMsg);
+		if (!binPath.empty())
+		{
+			try
+			{
 				args.push_back(directoryPath);
-				Process::Execute("xdg-open", args, 2000);
+				Process::Execute(binPath, args, 2000);
 				return;
 			}
 			catch (TimeOut&) { }
@@ -916,36 +939,23 @@ static bool IsExecutable(const string& exe) {
 		}

 		// Fallback attempts: Try known file managers
-		const char* fallbackFileManagers[] = { "gio", "kioclient5", "kfmclient", "exo-open", "nautilus", "dolphin", "caja", "thunar", "pcmanfm" };
-		const size_t numFileManagers = sizeof(fallbackFileManagers) / sizeof(fallbackFileManagers[0]);
-
+		const size_t numFileManagers = sizeof(fileManagers) / sizeof(fileManagers[0]);
 		for (size_t i = 0; i < numFileManagers; ++i) {
-			const char* fm = fallbackFileManagers[i];
-			if (IsExecutable(fm)) {
+			const FileManager& fm = fileManagers[i];
+			string fmPath = Process::FindSystemBinary(fm.name, errorMsg);
+			if (!fmPath.empty()) {
 				args.clear();
-				if (strcmp(fm, "gio") == 0) {
-					args.push_back("open");
-					args.push_back(directoryPath);
-				}
-				else if (strcmp(fm, "kioclient5") == 0) {
-					args.push_back("exec");
-					args.push_back(directoryPath);
-				}
-				else if (strcmp(fm, "kfmclient") == 0) {
-					args.push_back("openURL");
-					args.push_back(directoryPath);
-				}
-				else if (strcmp(fm, "exo-open") == 0) {
-					args.push_back("--launch");
-					args.push_back("FileManager");
-					args.push_back(directoryPath);
-				}
-				else {
-					args.push_back(directoryPath);
+				
+				// Add base arguments first
+				for (size_t j = 0; j < fm.baseArgsCount; ++j) {
+					args.push_back(fm.baseArgs[j]);
 				}
+				
+				// Add path argument
+				args.push_back(directoryPath);

 				try {
-					Process::Execute(fm, args, 2000);
+					Process::Execute(fmPath, args, 2000);
 					return; // Success
 				}
 				catch (TimeOut&) { }
@@ -954,7 +964,7 @@ static bool IsExecutable(const string& exe) {
 		}

 		ShowWarning(wxT("Unable to find a file manager to open the mounted volume.\n"
-					"Please install xdg-utils or set a default file manager."));
+				"Please install xdg-utils or set a default file manager."));
 #endif
 	}