mirrors/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2026-05-22 04:21:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Windows: Fix Dll hijacking vulnerability affecting installer that allows arbitrary code execution with elevation of privilege (CVE-2016-1281)

Browse Source
This commit is contained in:
Mounir IDRASSI
2016-01-02 17:54:55 +01:00
parent 6cb1eefc49
commit 5872be28a2
13 changed files with 221 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/Common/BootEncryption.cpp
View File

@@ -13,7 +13,6 @@
#include "Tcdefs.h"
#include "Platform/Finally.h"
#include "Platform/ForEach.h"
#include <Setupapi.h>
#include <devguid.h>
#include <io.h>
#include <shlobj.h>
@@ -810,16 +809,6 @@ namespace VeraCrypt
}
wstring BootEncryption::GetTempPath ()
{
wchar_t tempPath[MAX_PATH];
DWORD tempLen = ::GetTempPath (ARRAYSIZE (tempPath), tempPath);
if (tempLen == 0 || tempLen > ARRAYSIZE (tempPath))
throw ParameterIncorrect (SRC_POS);
return wstring (tempPath);
}
uint16 BootEncryption::GetInstalledBootLoaderVersion ()
{
@@ -1953,7 +1942,7 @@ namespace VeraCrypt
case VolumeFilter:
filter = "veracrypt";
filterReg = "UpperFilters";
regKey = SetupDiOpenClassRegKey (deviceClassGuid, KEY_READ | KEY_WRITE);
regKey = OpenDeviceClassRegKey (deviceClassGuid);
throw_sys_if (regKey == INVALID_HANDLE_VALUE);
break;
@@ -1994,24 +1983,7 @@ namespace VeraCrypt
}
else
{
wstring infFileName = GetTempPath() + L"\\veracrypt_driver_setup.inf";
File infFile (infFileName, false, true);
finally_do_arg (wstring, infFileName, { DeleteFile (finally_arg.c_str()); });
string infTxt = "[veracrypt]\r\n"
+ string (registerFilter ? "Add" : "Del") + "Reg=veracrypt_reg\r\n\r\n"
"[veracrypt_reg]\r\n"
"HKR,,\"" + filterReg + "\",0x0001" + string (registerFilter ? "0008" : "8002") + ",\"" + filter + "\"\r\n";
infFile.Write ((byte *) infTxt.c_str(), (DWORD) infTxt.size());
infFile.Close();
HINF hInf = SetupOpenInfFile (infFileName.c_str(), NULL, INF_STYLE_OLDNT | INF_STYLE_WIN4, NULL);
throw_sys_if (hInf == INVALID_HANDLE_VALUE);
finally_do_arg (HINF, hInf, { SetupCloseInfFile (finally_arg); });
throw_sys_if (!SetupInstallFromInfSection (ParentWindow, hInf, L"veracrypt", SPINST_REGISTRY, regKey, NULL, 0, NULL, NULL, NULL, NULL));
RegisterDriverInf (registerFilter, filter, filterReg, ParentWindow, regKey);
}
}
@@ -2304,7 +2276,7 @@ namespace VeraCrypt
}
// Temporary files
if (towupper (GetTempPath()[0]) != windowsDrive)
if (towupper (GetTempPathString()[0]) != windowsDrive)
{
throw ErrorException (wstring (GetString ("TEMP_NOT_ON_SYS_PARTITION"))
+ GetString ("LEAKS_OUTSIDE_SYSPART_UNIVERSAL_EXPLANATION"), SRC_POS);