From 5872be28a243acb3b5aafdf13248e07d30471893 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI
Date: Sat, 2 Jan 2016 17:54:55 +0100
Subject: Windows: Fix Dll hijacking vulnerability affecting installer that allows arbitrary code execution with elevation of privilege (CVE-2016-1281)
---
 src/Setup/Setup.c | 26 ++++++++++++++++++++------
 src/Setup/Setup.vcproj | 7 +++----
 2 files changed, 23 insertions(+), 10 deletions(-)
(limited to 'src/Setup')
diff --git a/src/Setup/Setup.c b/src/Setup/Setup.c
index 828de703..e81c2a31 100644
--- a/src/Setup/Setup.c
+++ b/src/Setup/Setup.c
@@ -329,13 +329,13 @@ void SearchAndDeleteRegistrySubString (HKEY hKey, const wchar_t *subKey, const w
 // if the string to search for is empty, delete the sub key, otherwise, look for matching value and delete them
 if (subStringLength == 0)
 {
- if (ERROR_ACCESS_DENIED == SHDeleteKeyW (hKey, ItSubKey->c_str()))
+ if (ERROR_ACCESS_DENIED == DeleteRegistryKey (hKey, ItSubKey->c_str()))
 {
 // grant permission to delete
 AllowKeyAccess (hKey, ItSubKey->c_str());
 // try again
- SHDeleteKeyW (hKey, ItSubKey->c_str());
+ DeleteRegistryKey (hKey, ItSubKey->c_str());
 }
 }
 else
@@ -427,6 +427,22 @@ BOOL SetPrivilege(LPTSTR szPrivilegeName, BOOL bEnable)
 return bStatus;
 }
+/*
+ * Creates a VT_LPWSTR propvariant.
+ * we use our own implementation to use SHStrDupW function pointer
+ * that we retreive ourselves to avoid dll hijacking attacks
+ */
+inline HRESULT VCInitPropVariantFromString(__in PCWSTR psz, __out PROPVARIANT *ppropvar)
+{
+ ppropvar->vt = VT_LPWSTR;
+ HRESULT hr = VCStrDupW(psz, &ppropvar->pwszVal);
+ if (FAILED(hr))
+ {
+ PropVariantInit(ppropvar);
+ }
+ return hr;
+}
+
 HRESULT CreateLink (wchar_t *lpszPathObj, wchar_t *lpszArguments,
 wchar_t *lpszPathLink, const wchar_t* iconFile, int iconIndex)
 {
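Review bot: The retry on the second changed line, `DeleteRegistryKey (hKey, ItSubKey->c_str());`, still discards its return value, so a key that cannot be deleted even after AllowKeyAccess is skipped silently; the new DeleteRegistryKey call in the -1287 hunk of DoRegUninstall has the same shape. DeleteRegistryKey is not declared anywhere in this diff (the commit is limited to src/Setup), so the comparison against ERROR_ACCESS_DENIED on the first changed line presumes it reports errors with the same LSTATUS convention as the SHDeleteKeyW it replaces, and both call sites presume it also removes subkeys recursively as SHDeleteKeyW did — both are worth confirming against its definition. I would keep the status, `LSTATUS status = DeleteRegistryKey (hKey, ItSubKey->c_str());`, and follow it with `// NOTE(review): a key that still cannot be deleted after the ACL change is not reported` plus whatever reporting the installer already uses. SearchAndDeleteRegistrySubString begins and ends outside the hunk.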
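Review bot: The comment above `VCInitPropVariantFromString` does not state the ownership contract the old InitPropVariantFromString callers relied on: on success `ppropvar->pwszVal` is a string allocated through VCStrDupW that the caller must release with PropVariantClear, and on failure `PropVariantInit(ppropvar)` resets the variant to VT_EMPTY so clearing it is still safe. I would add ` * On success the caller owns ppropvar->pwszVal and must call PropVariantClear; on failure *ppropvar is reset to VT_EMPTY.` and correct "retreive" to "retrieve". VCStrDupW itself is not defined in this diff, so the claim that it sidesteps the implicit shlwapi import cannot be checked from here; naming the file that resolves it (`<PLACEHOLDER: where VCStrDupW is defined>`) in the comment would let a reader verify the hijack-resistance claim rather than take it on faith. The function is a non-static `inline` in Setup.c, which is valid for the C++ this file evidently is (it calls `ItSubKey->c_str()` and `psl->QueryInterface`), but `static inline` would keep it out of the link namespace.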
@@ -457,7 +473,7 @@ HRESULT CreateLink (wchar_t *lpszPathObj, wchar_t *lpszArguments,
 if (SUCCEEDED (psl->QueryInterface (IID_PPV_ARGS (&propStore))))
 {
 PROPVARIANT propVariant;
- if (SUCCEEDED (InitPropVariantFromString (TC_APPLICATION_ID, &propVariant)))
+ if (SUCCEEDED (VCInitPropVariantFromString (TC_APPLICATION_ID, &propVariant)))
 {
 if (SUCCEEDED (propStore->SetValue (PKEY_AppUserModel_ID, propVariant)))
 propStore->Commit();
@@ -1287,7 +1303,7 @@ BOOL DoRegUninstall (HWND hwndDlg, BOOL bRemoveDeprecated)
 GetStartupRegKeyName (regk, sizeof(regk));
 DeleteRegistryValue (regk, L"VeraCrypt");
- SHDeleteKey (HKEY_LOCAL_MACHINE, L"Software\\Classes\\.hc");
+ DeleteRegistryKey (HKEY_LOCAL_MACHINE, L"Software\\Classes\\.hc");
 // enable the SE_TAKE_OWNERSHIP_NAME privilege for this operation
 SetPrivilege (SE_TAKE_OWNERSHIP_NAME, TRUE);
@@ -2447,8 +2463,6 @@ int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpsz
 lpszTitle = L"VeraCrypt Setup";
- InitCommonControls ();
-
 /* Call InitApp to initialize the common code */
 InitApp (hInstance, NULL);
diff --git a/src/Setup/Setup.vcproj b/src/Setup/Setup.vcproj
index 8e70aa6e..b27b6963 100644
--- a/src/Setup/Setup.vcproj
+++ b/src/Setup/Setup.vcproj
@@ -43,7 +43,7 @@
 Name="VCCLCompilerTool"
 Optimization="0"
 AdditionalIncludeDirectories="..\Common;..\Crypto;..\;..\PKCS11"
- PreprocessorDefinitions="SETUP;WIN32;DEBUG;_DEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS"
+ PreprocessorDefinitions="SETUP;WIN32;DEBUG;_DEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS;_ATL_NO_DEFAULT_LIBS"
 MinimalRebuild="true"
 BasicRuntimeChecks="3"
 RuntimeLibrary="1"
@@ -65,7 +65,7 @@
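Review bot: The string placed in `propVariant` by `VCInitPropVariantFromString` is heap memory the caller must release, and the hunk ends right after `propStore->Commit();` without showing a `PropVariantClear (&propVariant);`; CreateLink continues outside the hunk, so confirm the clear that the old InitPropVariantFromString path also needed is still present and runs when SetValue fails as well as when it succeeds. If it is absent, `PropVariantClear (&propVariant);` belongs after the inner `if`, still inside the branch where the init succeeded.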
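Review bot: Removing `InitCommonControls ();` leaves nothing in this hunk that initializes comctl32 before `InitApp (hInstance, NULL);`, and wWinMain continues outside the hunk; if the setup dialogs use common controls and InitApp does not register them by another route, control creation can fail quietly on some Windows versions. I cannot see InitApp from this diff, so this is a question rather than a finding; a one-line comment at the removal site, e.g. `// comctl32 initialization is done inside InitApp (see <PLACEHOLDER: file>), not via InitCommonControls here`, would record why the call is gone and where the replacement lives.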
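Review bot: `_ATL_NO_DEFAULT_LIBS` is appended only to the PreprocessorDefinitions of the configuration at -43; the companion hunk at -65,7 is cut off at the end of this view, so whether the other configuration receives the same define cannot be confirmed here, and a mismatch would make the two builds link differently. As far as I know this define only suppresses ATL's auto-link pragmas and does not by itself change which DLLs the installer loads at run time, so the mitigation rests on the Setup.c changes rather than on this line. An XML comment next to it, such as `<!-- _ATL_NO_DEFAULT_LIBS: stop ATL headers from auto-linking libraries (CVE-2016-1281) -->`, would document the intent for later maintainers.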