Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-12-31 02:49:45 -06:00
Code Activity

Windows: Fix Dll hijacking vulnerability affecting installer that allows arbitrary code execution with elevation of privilege (CVE-2016-1281)

Browse Source
This commit is contained in:
Mounir IDRASSI
2016-01-02 17:54:55 +01:00
parent 6cb1eefc49
commit 5872be28a2
13 changed files with 221 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/Setup/Setup.c
View File

@@ -329,13 +329,13 @@ void SearchAndDeleteRegistrySubString (HKEY hKey, const wchar_t *subKey, const w
// if the string to search for is empty, delete the sub key, otherwise, look for matching value and delete them
if (subStringLength == 0)
{
if (ERROR_ACCESS_DENIED == SHDeleteKeyW (hKey, ItSubKey->c_str()))
if (ERROR_ACCESS_DENIED == DeleteRegistryKey (hKey, ItSubKey->c_str()))
{
// grant permission to delete
AllowKeyAccess (hKey, ItSubKey->c_str());
// try again
SHDeleteKeyW (hKey, ItSubKey->c_str());
DeleteRegistryKey (hKey, ItSubKey->c_str());
}
}
else
@@ -427,6 +427,22 @@ BOOL SetPrivilege(LPTSTR szPrivilegeName, BOOL bEnable)
return bStatus;
}
/*
* Creates a VT_LPWSTR propvariant.
* we use our own implementation to use SHStrDupW function pointer
* that we retreive ourselves to avoid dll hijacking attacks
*/
inline HRESULT VCInitPropVariantFromString(__in PCWSTR psz, __out PROPVARIANT *ppropvar)
{
ppropvar->vt = VT_LPWSTR;
HRESULT hr = VCStrDupW(psz, &ppropvar->pwszVal);
if (FAILED(hr))
{
PropVariantInit(ppropvar);
}
return hr;
}
HRESULT CreateLink (wchar_t *lpszPathObj, wchar_t *lpszArguments,
wchar_t *lpszPathLink, const wchar_t* iconFile, int iconIndex)
{
@@ -457,7 +473,7 @@ HRESULT CreateLink (wchar_t *lpszPathObj, wchar_t *lpszArguments,
if (SUCCEEDED (psl->QueryInterface (IID_PPV_ARGS (&propStore))))
{
PROPVARIANT propVariant;
if (SUCCEEDED (InitPropVariantFromString (TC_APPLICATION_ID, &propVariant)))
if (SUCCEEDED (VCInitPropVariantFromString (TC_APPLICATION_ID, &propVariant)))
{
if (SUCCEEDED (propStore->SetValue (PKEY_AppUserModel_ID, propVariant)))
propStore->Commit();
@@ -1287,7 +1303,7 @@ BOOL DoRegUninstall (HWND hwndDlg, BOOL bRemoveDeprecated)
GetStartupRegKeyName (regk, sizeof(regk));
DeleteRegistryValue (regk, L"VeraCrypt");
SHDeleteKey (HKEY_LOCAL_MACHINE, L"Software\\Classes\\.hc");
DeleteRegistryKey (HKEY_LOCAL_MACHINE, L"Software\\Classes\\.hc");
// enable the SE_TAKE_OWNERSHIP_NAME privilege for this operation
SetPrivilege (SE_TAKE_OWNERSHIP_NAME, TRUE);
@@ -2447,8 +2463,6 @@ int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpsz
lpszTitle = L"VeraCrypt Setup";
InitCommonControls ();
/* Call InitApp to initialize the common code */
InitApp (hInstance, NULL);

7
src/Setup/Setup.vcproj
View File

@@ -43,7 +43,7 @@
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="..\Common;..\Crypto;..\;..\PKCS11"
PreprocessorDefinitions="SETUP;WIN32;DEBUG;_DEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS"
PreprocessorDefinitions="SETUP;WIN32;DEBUG;_DEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS;_ATL_NO_DEFAULT_LIBS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
@@ -65,7 +65,7 @@
<Tool
Name="VCLinkerTool"
AdditionalOptions="/NODEFAULTLIB:LIBCMTD"
AdditionalDependencies="libcmtd.lib comctl32.lib setupapi.lib"
AdditionalDependencies="libcmtd.lib"
OutputFile="$(OutDir)/VeraCryptSetup.exe"
LinkIncremental="2"
GenerateManifest="false"
@@ -130,7 +130,7 @@
AdditionalOptions="/w34189"
Optimization="2"
AdditionalIncludeDirectories="..\Common;..\Crypto;..\;..\PKCS11"
PreprocessorDefinitions="SETUP;WIN32;NDEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS"
PreprocessorDefinitions="SETUP;WIN32;NDEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS;_ATL_NO_DEFAULT_LIBS"
RuntimeLibrary="0"
BufferSecurityCheck="true"
UsePrecompiledHeader="0"
@@ -152,7 +152,6 @@
<Tool
Name="VCLinkerTool"
AdditionalOptions="/IGNORE:4089"
AdditionalDependencies="comctl32.lib setupapi.lib"
OutputFile="$(OutDir)/VeraCryptSetup.exe"
LinkIncremental="1"
GenerateManifest="false"