From f67748ae8e3ebefc1361d6e8a7f8e5020ff68517 Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Wed, 9 Jul 2014 02:20:39 +0200 Subject: Static Code Analysis : fix non-absolute DLL/process loads that can be hijacked (Microsoft Security Advisory 2269637). --- src/Common/Dlgcode.c | 44 +++++++++++++++++++++++++++++++++++++------- src/Common/Dlgcode.h | 2 +- src/Common/Format.c | 12 +++++++++++- src/Common/Random.c | 10 +++++++++- 4 files changed, 58 insertions(+), 10 deletions(-) (limited to 'src/Common') diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c index ad8b4890..54b848dc 100644 --- a/src/Common/Dlgcode.c +++ b/src/Common/Dlgcode.c @@ -1844,7 +1844,7 @@ void ExceptionHandlerThread (void *threadArg) if (IDYES == MessageBoxW (0, msg, GetString ("EXCEPTION_REPORT_TITLE"), MB_ICONERROR | MB_YESNO | MB_DEFBUTTON1)) ShellExecute (NULL, "open", urlStr.c_str(), NULL, NULL, SW_SHOWNORMAL); - else*/ + else */ UnhandledExceptionFilter (ep); } @@ -2276,6 +2276,7 @@ void InitApp (HINSTANCE hInstance, char *lpszCommandLine) { WNDCLASS wc; char langId[6]; + char dllPath[MAX_PATH]; /* Save the instance handle for later */ hInst = hInstance; @@ -2441,9 +2442,13 @@ void InitApp (HINSTANCE hInstance, char *lpszCommandLine) handleWin32Error (NULL); AbortProcess ("INIT_REGISTER"); } - + + if (GetSystemDirectory(dllPath, MAX_PATH)) + strcat(dllPath, "\\Riched20.dll"); + else + strcpy(dllPath, "c:\\Windows\\System32\\Riched20.dll"); // Required for RichEdit text fields to work - if (LoadLibrary("Riched20.dll") == NULL) + if (LoadLibrary(dllPath) == NULL) { // This error is fatal e.g. because legal notices could not be displayed handleWin32Error (NULL); @@ -3486,7 +3491,7 @@ load: return res; bPortableModeConfirmed = TRUE; - + hDriver = CreateFile (WIN32_ROOT_PREFIX, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); } 
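Review bot: In InitApp (src/Common/Dlgcode.c) the new `if (GetSystemDirectory(dllPath, MAX_PATH))` treats any non-zero return as success, but the API returns the required size (larger than the buffer) when the path does not fit, so the following `strcat` can run on an unfilled buffer or write past `dllPath`. Checking the length closes that: `UINT n = GetSystemDirectory (dllPath, MAX_PATH);` then `if (n == 0 || n > MAX_PATH - sizeof ("\\Riched20.dll"))` taking the existing fatal-error path. The `else` branch's hard-coded `c:\\Windows\\System32\\...` literal is only right when Windows is installed on C:, and elsewhere it names a directory that is not guaranteed to be the protected system directory, so failing the load is safer than guessing. The same unchecked-length pattern recurs in CheckFilesystem (`lstrcatW` into `cmdPath`), FormatNtfs in Format.c and SlowPoll in Random.c, and the hard-coded fallback also appears in PrintHardCopyTextUTF16 and LaunchWindowsIsoBurner. InitApp's body starts and ends outside the hunk.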
@@ -6951,6 +6956,16 @@ BOOL PrintHardCopyTextUTF16 (wchar_t *text, char *title, int textByteLen) strcat (cl, path); strcat (cl, "\""); + // Get the absolute path for notepad + if (GetWindowsDirectory(filename, MAX_PATH)) + { + if (filename[strlen (filename) - 1] != '\\') + strcat (filename, "\\"); + strcat(filename, PRINT_TOOL); + } + else + strcpy(filename, "C:\\Windows\\" PRINT_TOOL); + WaitCursor (); ShellExecute (NULL, "open", PRINT_TOOL, cl, NULL, SW_HIDE); Sleep (6000); @@ -9496,7 +9511,7 @@ BOOL IsFileOnReadOnlyFilesystem (const char *path) void CheckFilesystem (int driveNo, BOOL fixErrors) { - wchar_t msg[1024], param[1024]; + wchar_t msg[1024], param[1024], cmdPath[MAX_PATH]; char driveRoot[] = { 'A' + (char) driveNo, ':', 0 }; if (fixErrors && AskWarnYesNo ("FILESYS_REPAIR_CONFIRM_BACKUP") == IDNO) @@ -9505,7 +9520,14 @@ void CheckFilesystem (int driveNo, BOOL fixErrors) wsprintfW (msg, GetString (fixErrors ? "REPAIRING_FS" : "CHECKING_FS"), driveRoot); wsprintfW (param, fixErrors ? L"/C echo %s & chkdsk %hs /F /X & pause" : L"/C echo %s & chkdsk %hs & pause", msg, driveRoot); - ShellExecuteW (NULL, (!IsAdmin() && IsUacSupported()) ? L"runas" : L"open", L"cmd.exe", param, NULL, SW_SHOW); + if (GetSystemDirectoryW(cmdPath, MAX_PATH)) + { + lstrcatW(cmdPath, L"\\cmd.exe"); + } + else + lstrcpyW(cmdPath, L"C:\\Windows\\System32\\cmd.exe"); + + ShellExecuteW (NULL, (!IsAdmin() && IsUacSupported()) ? L"runas" : L"open", cmdPath, param, NULL, SW_SHOW); } 
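Review bot: In PrintHardCopyTextUTF16 the absolute path assembled in `filename` is never used. The unchanged call below still passes the bare name, `ShellExecute (NULL, "open", PRINT_TOOL, cl, NULL, SW_HIDE);`, so the print tool is still located by search rather than taken from the Windows directory. The call should become `ShellExecute (NULL, "open", filename, cl, NULL, SW_HIDE);`. `filename` is declared outside the hunk, so confirm it can hold MAX_PATH plus the appended name and is not read again later in the function under its earlier meaning.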
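Review bot: In CheckFilesystem only the interpreter is made absolute. `chkdsk` inside `param` is still a bare name that `cmd.exe` resolves on its own, and `ShellExecuteW` is given a NULL working directory, so the command that may run under `runas` keeps the search-order exposure this commit sets out to remove. Passing the system directory as the `lpDirectory` argument, or formatting the full path of `chkdsk.exe` into `param`, would make the elevated command line fully qualified. The `wsprintfW` calls that build `param` are unchanged context lines, so this needs a follow-up edit outside the added lines.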
@@ -9701,7 +9723,15 @@ BOOL IsWindowsIsoBurnerAvailable () BOOL LaunchWindowsIsoBurner (HWND hwnd, const char *isoPath) { - int r = (int) ShellExecute (hwnd, "open", ISO_BURNER_TOOL, (string ("\"") + isoPath + "\"").c_str(), NULL, SW_SHOWNORMAL); + char path[MAX_PATH*2] = { 0 }; + int r; + + if (SUCCEEDED(SHGetFolderPath (NULL, CSIDL_SYSTEM, NULL, 0, path))) + strcat (path, "\\" ISO_BURNER_TOOL); + else + strcpy (path, "C:\\Windows\\System32\\" ISO_BURNER_TOOL); + + r = (int) ShellExecute (hwnd, "open", path, (string ("\"") + isoPath + "\"").c_str(), NULL, SW_SHOWNORMAL); if (r <= 32) { diff --git a/src/Common/Dlgcode.h b/src/Common/Dlgcode.h index 2c3ad688..74e1a59a 100644 --- a/src/Common/Dlgcode.h +++ b/src/Common/Dlgcode.h @@ -218,7 +218,7 @@ typedef struct #define YES_NO MB_YESNO #define ISO_BURNER_TOOL "isoburn.exe" -#define PRINT_TOOL "notepad" +#define PRINT_TOOL "notepad.exe" void cleanup ( void ); void LowerCaseCopy ( char *lpszDest , const char *lpszSource ); diff --git a/src/Common/Format.c b/src/Common/Format.c index 49365a1b..25f20acd 100644 --- a/src/Common/Format.c +++ b/src/Common/Format.c @@ -795,10 +795,20 @@ BOOLEAN __stdcall FormatExCallback (int command, DWORD subCommand, PVOID paramet BOOL FormatNtfs (int driveNo, int clusterSize) { + char dllPath[MAX_PATH] = {0}; WCHAR dir[8] = { (WCHAR) driveNo + 'A', 0 }; PFORMATEX FormatEx; - HMODULE hModule = LoadLibrary ("fmifs.dll"); + HMODULE hModule; int i; + + if (GetSystemDirectory (dllPath, MAX_PATH)) + { + strcat(dllPath, "\\fmifs.dll"); + } + else + strcpy(dllPath, "C:\\Windows\\System32\\fmifs.dll"); + + hModule = LoadLibrary (dllPath); if (hModule == NULL) return FALSE; diff --git a/src/Common/Random.c b/src/Common/Random.c index ceb14e33..c897e3b7 100644 --- a/src/Common/Random.c +++ b/src/Common/Random.c 
@@ -573,7 +573,15 @@ BOOL SlowPoll (void) { /* Obtain a handle to the module containing the Lan Manager functions */ - hNetAPI32 = LoadLibrary ("NETAPI32.DLL"); + char dllPath[MAX_PATH]; + if (GetSystemDirectory (dllPath, MAX_PATH)) + { + strcat(dllPath, "\\NETAPI32.DLL"); + } + else + strcpy(dllPath, "C:\\Windows\\System32\\NETAPI32.DLL"); + + hNetAPI32 = LoadLibrary (dllPath); if (hNetAPI32 != NULL) { /* Now get pointers to the functions */ -- cgit v1.2.3