Windows Driver: Fix inherited TrueCrypt local elevation of privilege vulnerability caused by abusing the drive letter symbolic link creation facilities to remap the main system drive. Thanks to James Forshaw (Google) for reporting this issue and for helping implementing the fix.

src/Common/Apidrvr.h

@@ -322,7 +322,7 @@ typedef struct
 
 #define NT_MOUNT_PREFIX DRIVER_STR("\\Device\\VeraCryptVolume")
 #define NT_ROOT_PREFIX DRIVER_STR("\\Device\\VeraCrypt")
-#define DOS_MOUNT_PREFIX DRIVER_STR("\\DosDevices\\")
+#define DOS_MOUNT_PREFIX DRIVER_STR("\\GLOBAL??\\") // Explicitely use Global MS-DOS device names to avoid security issues
 #define DOS_ROOT_PREFIX DRIVER_STR("\\DosDevices\\VeraCrypt")
 #define WIN32_ROOT_PREFIX DRIVER_STR("\\\\.\\VeraCrypt")
 

src/Driver/Ntdriver.c

@@ -3063,18 +3063,19 @@ BOOL IsDriveLetterAvailable (int nDosDriveNo)
 	UNICODE_STRING objectName;
 	WCHAR link[128];
 	HANDLE handle;
+	NTSTATUS ntStatus;
 
 	TCGetDosNameFromNumber (link, sizeof(link),nDosDriveNo);
 	RtlInitUnicodeString (&objectName, link);
 	InitializeObjectAttributes (&objectAttributes, &objectName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
 
-	if (NT_SUCCESS (ZwOpenSymbolicLinkObject (&handle, GENERIC_READ, &objectAttributes)))
+	if (NT_SUCCESS (ntStatus = ZwOpenSymbolicLinkObject (&handle, GENERIC_READ, &objectAttributes)))
 	{
 		ZwClose (handle);
 		return FALSE;
 	}
 
-	return TRUE;
+	return (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND)? TRUE : FALSE;
 }