Static Code Analysis : fix non-absolute DLL/process loads that can be hijacked (Microsoft Security Advisory 2269637).

Mounir IDRASSI 2014-07-09 02:20:39 +02:00
parent d6817f941a
commit f67748ae8e
5 changed files with 66 additions and 11 deletions


@ -1844,7 +1844,7 @@ void ExceptionHandlerThread (void *threadArg)
if (IDYES == MessageBoxW (0, msg, GetString ("EXCEPTION_REPORT_TITLE"), MB_ICONERROR | MB_YESNO | MB_DEFBUTTON1)) if (IDYES == MessageBoxW (0, msg, GetString ("EXCEPTION_REPORT_TITLE"), MB_ICONERROR | MB_YESNO | MB_DEFBUTTON1))
ShellExecute (NULL, "open", urlStr.c_str(), NULL, NULL, SW_SHOWNORMAL); ShellExecute (NULL, "open", urlStr.c_str(), NULL, NULL, SW_SHOWNORMAL);
else*/ else */
UnhandledExceptionFilter (ep); UnhandledExceptionFilter (ep);
} }
@ -2276,6 +2276,7 @@ void InitApp (HINSTANCE hInstance, char *lpszCommandLine)
{ {
WNDCLASS wc; WNDCLASS wc;
char langId[6]; char langId[6];
char dllPath[MAX_PATH];
/* Save the instance handle for later */ /* Save the instance handle for later */
hInst = hInstance; hInst = hInstance;
@ -2441,9 +2442,13 @@ void InitApp (HINSTANCE hInstance, char *lpszCommandLine)
handleWin32Error (NULL); handleWin32Error (NULL);
AbortProcess ("INIT_REGISTER"); AbortProcess ("INIT_REGISTER");
} }
if (GetSystemDirectory(dllPath, MAX_PATH))
strcat(dllPath, "\\Riched20.dll");
else
strcpy(dllPath, "c:\\Windows\\System32\\Riched20.dll");
// Required for RichEdit text fields to work // Required for RichEdit text fields to work
if (LoadLibrary("Riched20.dll") == NULL) if (LoadLibrary(dllPath) == NULL)
{ {
// This error is fatal e.g. because legal notices could not be displayed // This error is fatal e.g. because legal notices could not be displayed
handleWin32Error (NULL); handleWin32Error (NULL);
@ -3486,7 +3491,7 @@ load:
return res; return res;
bPortableModeConfirmed = TRUE; bPortableModeConfirmed = TRUE;
hDriver = CreateFile (WIN32_ROOT_PREFIX, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); hDriver = CreateFile (WIN32_ROOT_PREFIX, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
} }
@ -6951,6 +6956,16 @@ BOOL PrintHardCopyTextUTF16 (wchar_t *text, char *title, int textByteLen)
strcat (cl, path); strcat (cl, path);
strcat (cl, "\""); strcat (cl, "\"");
// Get the absolute path for notepad
if (GetWindowsDirectory(filename, MAX_PATH))
{
if (filename[strlen (filename) - 1] != '\\')
strcat (filename, "\\");
strcat(filename, PRINT_TOOL);
}
else
strcpy(filename, "C:\\Windows\\" PRINT_TOOL);
WaitCursor (); WaitCursor ();
ShellExecute (NULL, "open", PRINT_TOOL, cl, NULL, SW_HIDE); ShellExecute (NULL, "open", PRINT_TOOL, cl, NULL, SW_HIDE);
Sleep (6000); Sleep (6000);
@ -9496,7 +9511,7 @@ BOOL IsFileOnReadOnlyFilesystem (const char *path)
void CheckFilesystem (int driveNo, BOOL fixErrors) void CheckFilesystem (int driveNo, BOOL fixErrors)
{ {
wchar_t msg[1024], param[1024]; wchar_t msg[1024], param[1024], cmdPath[MAX_PATH];
char driveRoot[] = { 'A' + (char) driveNo, ':', 0 }; char driveRoot[] = { 'A' + (char) driveNo, ':', 0 };
if (fixErrors && AskWarnYesNo ("FILESYS_REPAIR_CONFIRM_BACKUP") == IDNO) if (fixErrors && AskWarnYesNo ("FILESYS_REPAIR_CONFIRM_BACKUP") == IDNO)
@ -9505,7 +9520,14 @@ void CheckFilesystem (int driveNo, BOOL fixErrors)
wsprintfW (msg, GetString (fixErrors ? "REPAIRING_FS" : "CHECKING_FS"), driveRoot); wsprintfW (msg, GetString (fixErrors ? "REPAIRING_FS" : "CHECKING_FS"), driveRoot);
wsprintfW (param, fixErrors ? L"/C echo %s & chkdsk %hs /F /X & pause" : L"/C echo %s & chkdsk %hs & pause", msg, driveRoot); wsprintfW (param, fixErrors ? L"/C echo %s & chkdsk %hs /F /X & pause" : L"/C echo %s & chkdsk %hs & pause", msg, driveRoot);
ShellExecuteW (NULL, (!IsAdmin() && IsUacSupported()) ? L"runas" : L"open", L"cmd.exe", param, NULL, SW_SHOW); if (GetSystemDirectoryW(cmdPath, MAX_PATH))
{
lstrcatW(cmdPath, L"\\cmd.exe");
}
else
lstrcpyW(cmdPath, L"C:\\Windows\\System32\\cmd.exe");
ShellExecuteW (NULL, (!IsAdmin() && IsUacSupported()) ? L"runas" : L"open", cmdPath, param, NULL, SW_SHOW);
} }
@ -9701,7 +9723,15 @@ BOOL IsWindowsIsoBurnerAvailable ()
BOOL LaunchWindowsIsoBurner (HWND hwnd, const char *isoPath) BOOL LaunchWindowsIsoBurner (HWND hwnd, const char *isoPath)
{ {
int r = (int) ShellExecute (hwnd, "open", ISO_BURNER_TOOL, (string ("\"") + isoPath + "\"").c_str(), NULL, SW_SHOWNORMAL); char path[MAX_PATH*2] = { 0 };
int r;
if (SUCCEEDED(SHGetFolderPath (NULL, CSIDL_SYSTEM, NULL, 0, path)))
strcat (path, "\\" ISO_BURNER_TOOL);
else
strcpy (path, "C:\\Windows\\System32\\" ISO_BURNER_TOOL);
r = (int) ShellExecute (hwnd, "open", path, (string ("\"") + isoPath + "\"").c_str(), NULL, SW_SHOWNORMAL);
if (r <= 32) if (r <= 32)
{ {
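Review bot: In PrintHardCopyTextUTF16 the absolute path is built into `filename`, but the `ShellExecute` call that follows still passes `PRINT_TOOL`, so Notepad is still located by name and this call site is not actually fixed. The call should use the built path: `ShellExecute (NULL, "open", filename, cl, NULL, SW_HIDE);`. `filename` is declared outside the hunk, so its size and any later use cannot be checked from here; a dedicated `char printTool[MAX_PATH];` would avoid overwriting it. Separately, the CheckFilesystem command line still names `chkdsk` without a path while the launch may be elevated through `runas`, so it is worth qualifying that name with the system directory too.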


@ -218,7 +218,7 @@ typedef struct
#define YES_NO MB_YESNO #define YES_NO MB_YESNO
#define ISO_BURNER_TOOL "isoburn.exe" #define ISO_BURNER_TOOL "isoburn.exe"
#define PRINT_TOOL "notepad" #define PRINT_TOOL "notepad.exe"
void cleanup ( void ); void cleanup ( void );
void LowerCaseCopy ( char *lpszDest , const char *lpszSource ); void LowerCaseCopy ( char *lpszDest , const char *lpszSource );


@ -795,10 +795,20 @@ BOOLEAN __stdcall FormatExCallback (int command, DWORD subCommand, PVOID paramet
BOOL FormatNtfs (int driveNo, int clusterSize) BOOL FormatNtfs (int driveNo, int clusterSize)
{ {
char dllPath[MAX_PATH] = {0};
WCHAR dir[8] = { (WCHAR) driveNo + 'A', 0 }; WCHAR dir[8] = { (WCHAR) driveNo + 'A', 0 };
PFORMATEX FormatEx; PFORMATEX FormatEx;
HMODULE hModule = LoadLibrary ("fmifs.dll"); HMODULE hModule;
int i; int i;
if (GetSystemDirectory (dllPath, MAX_PATH))
{
strcat(dllPath, "\\fmifs.dll");
}
else
strcpy(dllPath, "C:\\Windows\\System32\\fmifs.dll");
hModule = LoadLibrary (dllPath);
if (hModule == NULL) if (hModule == NULL)
return FALSE; return FALSE;
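Review bot: The `GetSystemDirectory` result in FormatNtfs is only tested for non-zero, but when the path does not fit the function returns the required size (larger than the buffer) and leaves the buffer contents unspecified, and the `strcat` that follows is not bounded against `MAX_PATH`. Keep the length and check it before appending, for example `UINT n = GetSystemDirectory (dllPath, MAX_PATH);` followed by `if (n && n + sizeof ("\\fmifs.dll") <= MAX_PATH)`. The same pattern appears in InitApp (where `dllPath` is also left uninitialized), CheckFilesystem, SlowPoll and WinMain. Because the block is repeated in five places, one shared helper that builds a system-directory path would keep the check in a single spot. FormatNtfs continues past the end of this hunk.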


@ -573,7 +573,15 @@ BOOL SlowPoll (void)
{ {
/* Obtain a handle to the module containing the Lan Manager /* Obtain a handle to the module containing the Lan Manager
functions */ functions */
hNetAPI32 = LoadLibrary ("NETAPI32.DLL"); char dllPath[MAX_PATH];
if (GetSystemDirectory (dllPath, MAX_PATH))
{
strcat(dllPath, "\\NETAPI32.DLL");
}
else
strcpy(dllPath, "C:\\Windows\\System32\\NETAPI32.DLL");
hNetAPI32 = LoadLibrary (dllPath);
if (hNetAPI32 != NULL) if (hNetAPI32 != NULL)
{ {
/* Now get pointers to the functions */ /* Now get pointers to the functions */
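Review bot: The `else` branch in SlowPoll falls back to the literal `C:\\Windows\\System32\\NETAPI32.DLL`, which is not guaranteed to be the real system directory; on a machine where Windows lives elsewhere, that path may be absent or may not carry the system directory's ACLs. The code right after already handles `hNetAPI32 == NULL`, so failing closed is cheaper than guessing: drop the `else` and load only on success, `if (GetSystemDirectory (dllPath, MAX_PATH)) { strcat (dllPath, "\\NETAPI32.DLL"); hNetAPI32 = LoadLibrary (dllPath); }`, assuming `hNetAPI32` is NULL before this point (its declaration is outside the hunk). The same hard-coded fallback is used in the InitApp, PrintHardCopyTextUTF16, CheckFilesystem, LaunchWindowsIsoBurner, FormatNtfs and WinMain hunks.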


@ -2012,7 +2012,14 @@ int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, char *lpszComm
} }
// System Restore // System Restore
SystemRestoreDll = LoadLibrary ("srclient.dll"); char dllPath[MAX_PATH];
if (GetSystemDirectory (dllPath, MAX_PATH))
{
strcat(dllPath, "\\srclient.dll");
}
else
strcpy(dllPath, "C:\\Windows\\System32\\srclient.dll");
SystemRestoreDll = LoadLibrary (dllPath);
if (!bUninstall) if (!bUninstall)
{ {