Linux/FreeBSD: Add absolute paths for system binaries to prevent path hijacking (CVE-2024-54187, collaboration with SivertPL @__tfr)

This commit fixes a critical security vulnerability where VeraCrypt could be tricked into executing malicious binaries with elevated privileges. The vulnerability has two severe implications: 1. When sudo's secure_path option is disabled, attackers could execute malicious binaries with root privileges by placing them in user-writable PATH directories (e.g., making "sudo mount" execute a malicious mount binary) 2. By placing a malicious sudo binary in PATH, attackers could intercept and steal the user's password when VeraCrypt prompts for sudo authentication The vulnerability allowed attackers to place malicious binaries in user-writable directories that appear in PATH before system directories, potentially leading to privilege escalation and credential theft. Key changes: - Implement FindSystemBinary() to locate executables in secure system paths - Replace all relative binary paths with absolute paths for system commands - Add security checks for executable permissions - Update process execution to use absolute paths for: * sudo * mount * fsck * terminal emulators * file managers * system utilities (hdiutil, mdconfig, vnconfig, lofiadm) The fix ensures all system binaries are called using their absolute paths from secure system directories, preventing both privilege escalation through PATH manipulation and password theft through sudo hijacking. Security: CVE-2024-54187
author: Mounir IDRASSI <mounir.idrassi@idrix.fr> 2025-01-11 17:26:03 +0100
committer: Mounir IDRASSI <mounir.idrassi@idrix.fr> 2025-01-14 14:59:40 +0100
commit: 2cca2e1dafa405addc3af8724baf8563f352ac1c (patch)
tree: e8525cfe9262bbba0c02f14518e1259d5a972e75 /src/Core/Unix/CoreUnix.cpp
parent: 1b35abb191c56fa9890ff3f145fd866bbff361c1 (diff)
download: VeraCrypt-2cca2e1dafa405addc3af8724baf8563f352ac1c.tar.gz
VeraCrypt-2cca2e1dafa405addc3af8724baf8563f352ac1c.zip
1 files changed, 82 insertions, 46 deletions
diff --git a/src/Core/Unix/CoreUnix.cpp b/src/Core/Unix/CoreUnix.cpp
index 5cdbfda6..f6827806 100644
--- a/src/Core/Unix/CoreUnix.cpp
+++ b/src/Core/Unix/CoreUnix.cpp
@@ -29,6 +29,41 @@ namespace VeraCrypt
 	static bool SamePath (const string& path1, const string& path2);
 #endif
 
+	// Struct to hold terminal emulator information
+	struct TerminalInfo {
+		const char* name;
+		const char** args;
+		const char** dependency_path;
+	};
+
+	// Popular terminal emulators data and arguments
+	static const char* xterm_args[] = {"-T", "fsck", "-e", NULL};
+
+	static const char* gnome_args[] = {"--title", "fsck", "--", "sh", "-c", NULL};
+	static const char* gnome_deps[] = {"dbus-launch", NULL};
+
+	static const char* konsole_args[] = {"--hold", "-p", "tabtitle=fsck", "-e", "sh", "-c", NULL};
+	static const char* xfce4_args[] = {"--title=fsck", "-x", "sh", "-c", NULL};
+	static const char* mate_args[] = {"--title", "fsck", "--", "sh", "-c", NULL};
+	static const char* lxterminal_args[] = {"--title=fsck", "-e", "sh", "-c", NULL};
+	static const char* terminator_args[] = {"-T", "fsck", "-x", "sh", "-c", NULL};
+	static const char* urxvt_args[] = {"-title", "fsck", "-e", "sh", "-c", NULL};
+	static const char* st_args[] = {"-t", "fsck", "-e", "sh", "-c", NULL};
+
+	// List of popular terminal emulators
+	static const TerminalInfo TERMINALS[] = {
+		{"xterm", xterm_args, NULL},
+		{"gnome-terminal", gnome_args, gnome_deps},
+		{"konsole", konsole_args, NULL},
+		{"xfce4-terminal", xfce4_args, NULL},
+		{"mate-terminal", mate_args, NULL},
+		{"lxterminal", lxterminal_args, NULL},
+		{"terminator", terminator_args, NULL},
+		{"urxvt", urxvt_args, NULL},
+		{"st", st_args, NULL},
+		{NULL, NULL, NULL}
+	};
+
 	CoreUnix::CoreUnix ()
 	{
 		signal (SIGPIPE, SIG_IGN);
@@ -47,14 +82,16 @@ namespace VeraCrypt
 		if (!mountedVolume->MountPoint.IsEmpty())
 			DismountFilesystem (mountedVolume->MountPoint, false);
 
-		list <string> args;
-
-		args.push_back ("-T");
-		args.push_back ("fsck");
+		// Find system fsck first
+		std::string errorMsg;
+		std::string fsckPath = Process::FindSystemBinary("fsck", errorMsg);
+		if (fsckPath.empty()) {
+			throw SystemException(SRC_POS, errorMsg);
+		}
 
-		args.push_back ("-e");
+		list <string> args;
 
-		string xargs = "fsck ";
+		string xargs = fsckPath + " ";  // Use absolute fsck path
 
 #ifdef TC_LINUX
 		if (!repair)
@@ -64,49 +101,48 @@ namespace VeraCrypt
 #endif
 
 		xargs += string (mountedVolume->VirtualDevice) + "; echo '[Done]'; read W";
-		args.push_back (xargs);
+		// Try each terminal
+		for (const TerminalInfo* term = TERMINALS; term->name != NULL; ++term) {
+			errno = 0;
+			std::string termPath = Process::FindSystemBinary(term->name, errorMsg);
+			if (termPath.length() > 0) {
+				// check dependencies
+				if (term->dependency_path) {
+					bool depFound = true;
+					for (const char** dep = term->dependency_path; *dep != NULL; ++dep) {
+						string depPath = Process::FindSystemBinary(*dep, errorMsg);
+						if (depPath.empty()) {
+							depFound = false;
+							break;
+						}
+					}
 
-		try
-		{
-			Process::Execute ("xterm", args, 1000);
-		} catch (TimeOut&) { }
-#ifdef TC_LINUX
-		catch (SystemException&)
-		{
-			// xterm not available. Try with KDE konsole if it exists
-			struct stat sb;
-			if (stat("/usr/bin/konsole", &sb) == 0)
-			{
-				args.clear ();
-				args.push_back ("-p");
-				args.push_back ("tabtitle=fsck");
-				args.push_back ("-e");
-				args.push_back ("sh");
-				args.push_back ("-c");
-				args.push_back (xargs);
-				try
-				{
-					Process::Execute ("konsole", args, 1000);
-				} catch (TimeOut&) { }
-			}
-			else if (stat("/usr/bin/gnome-terminal", &sb) == 0 && stat("/usr/bin/dbus-launch", &sb) == 0)
-			{
-				args.clear ();
-				args.push_back ("--title");
-				args.push_back ("fsck");
-				args.push_back ("--");
-				args.push_back ("sh");
-				args.push_back ("-c");
-				args.push_back (xargs);
-				try
-				{
-					Process::Execute ("gnome-terminal", args, 1000);
-				} catch (TimeOut&) { }
+					if (!depFound) {
+						continue; // dependency not found, skip 
+					}
+				}
+
+				// Build args
+				std::list<std::string> args;
+				for (const char** arg = term->args; *arg != NULL; ++arg) {
+					args.push_back(*arg);
+				}
+				args.push_back(xargs);
+
+				try {
+					Process::Execute (termPath, args, 1000);
+					return;
+				}
+				catch (TimeOut&) {
+					return;
+				}
+				catch (SystemException&) {
+					// Continue to next terminal
+				}
 			}
-			else
-				throw TerminalNotFound();
 		}
-#endif
+
+		throw TerminalNotFound();
 	}
 
 	void CoreUnix::DismountFilesystem (const DirectoryPath &mountPoint, bool force) const
author	Mounir IDRASSI <mounir.idrassi@idrix.fr>	2025-01-11 17:26:03 +0100
committer	Mounir IDRASSI <mounir.idrassi@idrix.fr>	2025-01-14 14:59:40 +0100
commit	2cca2e1dafa405addc3af8724baf8563f352ac1c (patch)
tree	e8525cfe9262bbba0c02f14518e1259d5a972e75 /src/Core/Unix/CoreUnix.cpp
parent	1b35abb191c56fa9890ff3f145fd866bbff361c1 (diff)
download	VeraCrypt-2cca2e1dafa405addc3af8724baf8563f352ac1c.tar.gz VeraCrypt-2cca2e1dafa405addc3af8724baf8563f352ac1c.zip