author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2014-07-09 02:20:39 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2014-11-08 23:20:35 +0100 |
commit | f67748ae8e3ebefc1361d6e8a7f8e5020ff68517 (patch) | |
tree | 7598dd5467ab2913b4517745188e5b87f1859078 | |
parent | d6817f941a1218aa1564da158f87ac7ec4434396 (diff) | |
Static Code Analysis : fix non-absolute DLL/process loads that can be hijacked (Microsoft Security Advisory 2269637).
-rw-r--r-- | src/Common/Dlgcode.c | 44 | ||||
-rw-r--r-- | src/Common/Dlgcode.h | 2 | ||||
-rw-r--r-- | src/Common/Format.c | 12 | ||||
-rw-r--r-- | src/Common/Random.c | 10 | ||||
-rw-r--r-- | src/Setup/Setup.c | 9 |
5 files changed, 66 insertions, 11 deletions
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
index ad8b4890..54b848dc 100644
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -1844,7 +1844,7 @@ void ExceptionHandlerThread (void *threadArg) if (IDYES == MessageBoxW (0, msg, GetString ("EXCEPTION_REPORT_TITLE"), MB_ICONERROR | MB_YESNO | MB_DEFBUTTON1))
ShellExecute (NULL, "open", urlStr.c_str(), NULL, NULL, SW_SHOWNORMAL);
- else*/
+ else */
UnhandledExceptionFilter (ep);
}
@@ -2276,6 +2276,7 @@ void InitApp (HINSTANCE hInstance, char *lpszCommandLine) {
WNDCLASS wc;
char langId[6];
+ char dllPath[MAX_PATH];
/* Save the instance handle for later */
hInst = hInstance;
@@ -2441,9 +2442,13 @@ void InitApp (HINSTANCE hInstance, char *lpszCommandLine) handleWin32Error (NULL);
AbortProcess ("INIT_REGISTER");
}
-
+
+ if (GetSystemDirectory(dllPath, MAX_PATH))
+ strcat(dllPath, "\\Riched20.dll");
+ else
+ strcpy(dllPath, "c:\\Windows\\System32\\Riched20.dll");
// Required for RichEdit text fields to work
- if (LoadLibrary("Riched20.dll") == NULL)
+ if (LoadLibrary(dllPath) == NULL)
{
// This error is fatal e.g. because legal notices could not be displayed
handleWin32Error (NULL);
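Review bot: The `strcat(dllPath, "\\Riched20.dll")` is guarded only by a non-zero return from `GetSystemDirectory(dllPath, MAX_PATH)`, but that function returns the required size when the buffer is too small, so a result of MAX_PATH or more also passes the test and the append is unbounded. Checking the length first closes that: `UINT n = GetSystemDirectory (dllPath, MAX_PATH);` followed by `if (n == 0 || n + sizeof ("\\Riched20.dll") > MAX_PATH)` treated as the failure case. The `else` branch falls back to a guessed `c:\\Windows\\System32` path, which is not the system directory on every installation; since the LoadLibrary failure below is already fatal, failing there rather than guessing seems the safer choice. The same build-or-guess pattern recurs in the CheckFilesystem, FormatNtfs, SlowPoll and WinMain hunks. The failure block that follows `handleWin32Error` continues outside this hunk.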
@@ -3486,7 +3491,7 @@ load: return res;
bPortableModeConfirmed = TRUE;
-
+
hDriver = CreateFile (WIN32_ROOT_PREFIX, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
}
@@ -6951,6 +6956,16 @@ BOOL PrintHardCopyTextUTF16 (wchar_t *text, char *title, int textByteLen) strcat (cl, path);
strcat (cl, "\"");
+ // Get the absolute path for notepad
+ if (GetWindowsDirectory(filename, MAX_PATH))
+ {
+ if (filename[strlen (filename) - 1] != '\\')
+ strcat (filename, "\\");
+ strcat(filename, PRINT_TOOL);
+ }
+ else
+ strcpy(filename, "C:\\Windows\\" PRINT_TOOL);
+
WaitCursor ();
ShellExecute (NULL, "open", PRINT_TOOL, cl, NULL, SW_HIDE);
Sleep (6000);
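Review bot: The `ShellExecute` call still passes the bare `PRINT_TOOL` name, so the absolute path just built in `filename` is never used and the program is located by search exactly as before the change. The call should read `ShellExecute (NULL, "open", filename, cl, NULL, SW_HIDE);`. `filename` is declared outside the hunk; if it also holds the temporary file name that PrintHardCopyTextUTF16 uses after the `Sleep`, the tool path needs its own buffer, which is worth confirming. The `filename[strlen (filename) - 1]` test and the two `strcat` calls also assume that the Windows directory plus `PRINT_TOOL` fits in that buffer.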
@@ -9496,7 +9511,7 @@ BOOL IsFileOnReadOnlyFilesystem (const char *path) void CheckFilesystem (int driveNo, BOOL fixErrors)
{
- wchar_t msg[1024], param[1024];
+ wchar_t msg[1024], param[1024], cmdPath[MAX_PATH];
char driveRoot[] = { 'A' + (char) driveNo, ':', 0 };
if (fixErrors && AskWarnYesNo ("FILESYS_REPAIR_CONFIRM_BACKUP") == IDNO)
@@ -9505,7 +9520,14 @@ void CheckFilesystem (int driveNo, BOOL fixErrors) wsprintfW (msg, GetString (fixErrors ? "REPAIRING_FS" : "CHECKING_FS"), driveRoot);
wsprintfW (param, fixErrors ? L"/C echo %s & chkdsk %hs /F /X & pause" : L"/C echo %s & chkdsk %hs & pause", msg, driveRoot);
- ShellExecuteW (NULL, (!IsAdmin() && IsUacSupported()) ? L"runas" : L"open", L"cmd.exe", param, NULL, SW_SHOW);
+ if (GetSystemDirectoryW(cmdPath, MAX_PATH))
+ {
+ lstrcatW(cmdPath, L"\\cmd.exe");
+ }
+ else
+ lstrcpyW(cmdPath, L"C:\\Windows\\System32\\cmd.exe");
+
+ ShellExecuteW (NULL, (!IsAdmin() && IsUacSupported()) ? L"runas" : L"open", cmdPath, param, NULL, SW_SHOW);
}
@@ -9701,7 +9723,15 @@ BOOL IsWindowsIsoBurnerAvailable () BOOL LaunchWindowsIsoBurner (HWND hwnd, const char *isoPath)
{
- int r = (int) ShellExecute (hwnd, "open", ISO_BURNER_TOOL, (string ("\"") + isoPath + "\"").c_str(), NULL, SW_SHOWNORMAL);
+ char path[MAX_PATH*2] = { 0 };
+ int r;
+
+ if (SUCCEEDED(SHGetFolderPath (NULL, CSIDL_SYSTEM, NULL, 0, path)))
+ strcat (path, "\\" ISO_BURNER_TOOL);
+ else
+ strcpy (path, "C:\\Windows\\System32\\" ISO_BURNER_TOOL);
+
+ r = (int) ShellExecute (hwnd, "open", path, (string ("\"") + isoPath + "\"").c_str(), NULL, SW_SHOWNORMAL);
if (r <= 32)
{
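Review bot: This site obtains the system directory with `SHGetFolderPath (NULL, CSIDL_SYSTEM, ...)` while the other sites in the commit use `GetSystemDirectory` (or `GetWindowsDirectory` for notepad), and the same build-or-fall-back sequence is now written out seven times. One helper that takes the file name plus an output buffer and its size, and returns FALSE when the directory cannot be obtained or the result does not fit, would keep the sites consistent and give a single place to bound the copy. `IsWindowsIsoBurnerAvailable` lies outside the hunk; it presumably should test the same absolute path that is launched here.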
diff --git a/src/Common/Dlgcode.h b/src/Common/Dlgcode.h
index 2c3ad688..74e1a59a 100644
--- a/src/Common/Dlgcode.h
+++ b/src/Common/Dlgcode.h
@@ -218,7 +218,7 @@ typedef struct #define YES_NO MB_YESNO
#define ISO_BURNER_TOOL "isoburn.exe"
-#define PRINT_TOOL "notepad"
+#define PRINT_TOOL "notepad.exe"
void cleanup ( void );
void LowerCaseCopy ( char *lpszDest , const char *lpszSource );
diff --git a/src/Common/Format.c b/src/Common/Format.c
index 49365a1b..25f20acd 100644
--- a/src/Common/Format.c
+++ b/src/Common/Format.c
@@ -795,10 +795,20 @@ BOOLEAN __stdcall FormatExCallback (int command, DWORD subCommand, PVOID paramet BOOL FormatNtfs (int driveNo, int clusterSize)
{
+ char dllPath[MAX_PATH] = {0};
WCHAR dir[8] = { (WCHAR) driveNo + 'A', 0 };
PFORMATEX FormatEx;
- HMODULE hModule = LoadLibrary ("fmifs.dll");
+ HMODULE hModule;
int i;
+
+ if (GetSystemDirectory (dllPath, MAX_PATH))
+ {
+ strcat(dllPath, "\\fmifs.dll");
+ }
+ else
+ strcpy(dllPath, "C:\\Windows\\System32\\fmifs.dll");
+
+ hModule = LoadLibrary (dllPath);
if (hModule == NULL)
return FALSE;
diff --git a/src/Common/Random.c b/src/Common/Random.c
index ceb14e33..c897e3b7 100644
--- a/src/Common/Random.c
+++ b/src/Common/Random.c
@@ -573,7 +573,15 @@ BOOL SlowPoll (void) {
/* Obtain a handle to the module containing the Lan Manager
functions */
- hNetAPI32 = LoadLibrary ("NETAPI32.DLL");
+ char dllPath[MAX_PATH];
+ if (GetSystemDirectory (dllPath, MAX_PATH))
+ {
+ strcat(dllPath, "\\NETAPI32.DLL");
+ }
+ else
+ strcpy(dllPath, "C:\\Windows\\System32\\NETAPI32.DLL");
+
+ hNetAPI32 = LoadLibrary (dllPath);
if (hNetAPI32 != NULL)
{
/* Now get pointers to the functions */
diff --git a/src/Setup/Setup.c b/src/Setup/Setup.c
index c0fffb77..5decf595 100644
--- a/src/Setup/Setup.c
+++ b/src/Setup/Setup.c
@@ -2012,7 +2012,14 @@ int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, char *lpszComm }
// System Restore
- SystemRestoreDll = LoadLibrary ("srclient.dll");
+ char dllPath[MAX_PATH];
+ if (GetSystemDirectory (dllPath, MAX_PATH))
+ {
+ strcat(dllPath, "\\srclient.dll");
+ }
+ else
+ strcpy(dllPath, "C:\\Windows\\System32\\srclient.dll");
+ SystemRestoreDll = LoadLibrary (dllPath);
if (!bUninstall)
{
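Review bot: Loading `srclient.dll` by absolute path hardens this one explicit call, but it does not cover libraries the installer loads implicitly later on, such as delay-loaded imports or modules pulled in by system components. A setup program is commonly started from a download folder that other software can write to, so the process-wide mitigations from the advisory named in the commit message are worth applying early in WinMain: `SetDllDirectory ("");` removes the current directory from the search, and where available `SetDefaultDllDirectories (LOAD_LIBRARY_SEARCH_SYSTEM32);` restricts later loads to the system directory. WinMain starts and ends outside this hunk, so whether either call is already made elsewhere cannot be seen from here.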