diff options
| author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2025-01-11 17:26:03 +0100 |
|---|---|---|
| committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2025-01-14 14:59:40 +0100 |
| commit | 2cca2e1dafa405addc3af8724baf8563f352ac1c (patch) | |
| tree | e8525cfe9262bbba0c02f14518e1259d5a972e75 /src/Core/Unix | |
| parent | 1b35abb191c56fa9890ff3f145fd866bbff361c1 (diff) | |
| download | VeraCrypt-2cca2e1dafa405addc3af8724baf8563f352ac1c.tar.gz VeraCrypt-2cca2e1dafa405addc3af8724baf8563f352ac1c.zip | |
Linux/FreeBSD: Add absolute paths for system binaries to prevent path hijacking (CVE-2024-54187, collaboration with SivertPL @__tfr)
This commit fixes a critical security vulnerability where VeraCrypt could be tricked into executing malicious binaries with elevated privileges. The vulnerability has two severe implications:
1. When sudo's secure_path option is disabled, attackers could execute malicious binaries with root privileges by placing them in user-writable PATH directories (e.g., making "sudo mount" execute a malicious mount binary)
2. By placing a malicious sudo binary in PATH, attackers could intercept and steal the user's password when VeraCrypt prompts for sudo authentication
The vulnerability allowed attackers to place malicious binaries in user-writable directories that appear in PATH before system directories, potentially leading to privilege escalation and credential theft.
Key changes:
- Implement FindSystemBinary() to locate executables in secure system paths
- Replace all relative binary paths with absolute paths for system commands
- Add security checks for executable permissions
- Update process execution to use absolute paths for:
* sudo
* mount
* fsck
* terminal emulators
* file managers
* system utilities (hdiutil, mdconfig, vnconfig, lofiadm)
The fix ensures all system binaries are called using their absolute paths from secure system directories, preventing both privilege escalation through PATH manipulation and password theft through sudo hijacking.
Security: CVE-2024-54187
Diffstat (limited to 'src/Core/Unix')
| -rw-r--r-- | src/Core/Unix/CoreService.cpp | 30 | ||||
| -rw-r--r-- | src/Core/Unix/CoreUnix.cpp | 128 | ||||
| -rw-r--r-- | src/Core/Unix/FreeBSD/CoreFreeBSD.cpp | 4 | ||||
| -rw-r--r-- | src/Core/Unix/MacOSX/CoreMacOSX.cpp | 10 | ||||
| -rw-r--r-- | src/Core/Unix/OpenBSD/CoreOpenBSD.cpp | 4 | ||||
| -rw-r--r-- | src/Core/Unix/Solaris/CoreSolaris.cpp | 4 |
6 files changed, 117 insertions, 63 deletions
diff --git a/src/Core/Unix/CoreService.cpp b/src/Core/Unix/CoreService.cpp index 7071f71c..c2eb2bf0 100644 --- a/src/Core/Unix/CoreService.cpp +++ b/src/Core/Unix/CoreService.cpp @@ -300,7 +300,14 @@ namespace VeraCrypt // We are using -n to avoid prompting the user for a password. // We are redirecting stderr to stdout and discarding both to avoid any output. // This approach also works on newer macOS versions (12.0 and later). - FILE* pipe = popen("sudo -n -l > /dev/null 2>&1", "r"); // redirect stderr to stdout and discard both. + std::string errorMsg; + + string sudoAbsolutePath = Process::FindSystemBinary("sudo", errorMsg); + if (sudoAbsolutePath.empty()) + throw SystemException(SRC_POS, errorMsg); + + std::string popenCommand = sudoAbsolutePath + " -n -l > /dev/null 2>&1"; // We redirect stderr to stdout (2>&1) to be able to catch the result of the command + FILE* pipe = popen(popenCommand.c_str(), "r"); if (pipe) { // We only care about the exit code @@ -396,15 +403,26 @@ namespace VeraCrypt { try { + // Throw exception if sudo is not found in secure locations + std::string errorMsg; + string sudoPath = Process::FindSystemBinary("sudo", errorMsg); + if (sudoPath.empty()) + throw SystemException(SRC_POS, errorMsg); + + string appPath = request.ApplicationExecutablePath; + // if appPath is empty or not absolute, use FindSystemBinary to get the full path of veracrpyt executable + if (appPath.empty() || appPath[0] != '/') + { + appPath = Process::FindSystemBinary("veracrypt", errorMsg); + if (appPath.empty()) + throw SystemException(SRC_POS, errorMsg); + } + throw_sys_if (dup2 (inPipe->GetReadFD(), STDIN_FILENO) == -1); throw_sys_if (dup2 (outPipe->GetWriteFD(), STDOUT_FILENO) == -1); throw_sys_if (dup2 (errPipe.GetWriteFD(), STDERR_FILENO) == -1); - string appPath = request.ApplicationExecutablePath; - if (appPath.empty()) - appPath = "veracrypt"; - - const char *args[] = { "sudo", "-S", "-p", "", appPath.c_str(), TC_CORE_SERVICE_CMDLINE_OPTION, nullptr }; + const char *args[] = { sudoPath.c_str(), "-S", "-p", "", appPath.c_str(), TC_CORE_SERVICE_CMDLINE_OPTION, nullptr }; execvp (args[0], ((char* const*) args)); throw SystemException (SRC_POS, args[0]); } diff --git a/src/Core/Unix/CoreUnix.cpp b/src/Core/Unix/CoreUnix.cpp index 5cdbfda6..f6827806 100644 --- a/src/Core/Unix/CoreUnix.cpp +++ b/src/Core/Unix/CoreUnix.cpp @@ -29,6 +29,41 @@ namespace VeraCrypt static bool SamePath (const string& path1, const string& path2); #endif + // Struct to hold terminal emulator information + struct TerminalInfo { + const char* name; + const char** args; + const char** dependency_path; + }; + + // Popular terminal emulators data and arguments + static const char* xterm_args[] = {"-T", "fsck", "-e", NULL}; + + static const char* gnome_args[] = {"--title", "fsck", "--", "sh", "-c", NULL}; + static const char* gnome_deps[] = {"dbus-launch", NULL}; + + static const char* konsole_args[] = {"--hold", "-p", "tabtitle=fsck", "-e", "sh", "-c", NULL}; + static const char* xfce4_args[] = {"--title=fsck", "-x", "sh", "-c", NULL}; + static const char* mate_args[] = {"--title", "fsck", "--", "sh", "-c", NULL}; + static const char* lxterminal_args[] = {"--title=fsck", "-e", "sh", "-c", NULL}; + static const char* terminator_args[] = {"-T", "fsck", "-x", "sh", "-c", NULL}; + static const char* urxvt_args[] = {"-title", "fsck", "-e", "sh", "-c", NULL}; + static const char* st_args[] = {"-t", "fsck", "-e", "sh", "-c", NULL}; + + // List of popular terminal emulators + static const TerminalInfo TERMINALS[] = { + {"xterm", xterm_args, NULL}, + {"gnome-terminal", gnome_args, gnome_deps}, + {"konsole", konsole_args, NULL}, + {"xfce4-terminal", xfce4_args, NULL}, + {"mate-terminal", mate_args, NULL}, + {"lxterminal", lxterminal_args, NULL}, + {"terminator", terminator_args, NULL}, + {"urxvt", urxvt_args, NULL}, + {"st", st_args, NULL}, + {NULL, NULL, NULL} + }; + CoreUnix::CoreUnix () { signal (SIGPIPE, SIG_IGN); @@ -47,14 +82,16 @@ namespace VeraCrypt if (!mountedVolume->MountPoint.IsEmpty()) DismountFilesystem (mountedVolume->MountPoint, false); - list <string> args; - - args.push_back ("-T"); - args.push_back ("fsck"); + // Find system fsck first + std::string errorMsg; + std::string fsckPath = Process::FindSystemBinary("fsck", errorMsg); + if (fsckPath.empty()) { + throw SystemException(SRC_POS, errorMsg); + } - args.push_back ("-e"); + list <string> args; - string xargs = "fsck "; + string xargs = fsckPath + " "; // Use absolute fsck path #ifdef TC_LINUX if (!repair) @@ -64,49 +101,48 @@ namespace VeraCrypt #endif xargs += string (mountedVolume->VirtualDevice) + "; echo '[Done]'; read W"; - args.push_back (xargs); + // Try each terminal + for (const TerminalInfo* term = TERMINALS; term->name != NULL; ++term) { + errno = 0; + std::string termPath = Process::FindSystemBinary(term->name, errorMsg); + if (termPath.length() > 0) { + // check dependencies + if (term->dependency_path) { + bool depFound = true; + for (const char** dep = term->dependency_path; *dep != NULL; ++dep) { + string depPath = Process::FindSystemBinary(*dep, errorMsg); + if (depPath.empty()) { + depFound = false; + break; + } + } - try - { - Process::Execute ("xterm", args, 1000); - } catch (TimeOut&) { } -#ifdef TC_LINUX - catch (SystemException&) - { - // xterm not available. Try with KDE konsole if it exists - struct stat sb; - if (stat("/usr/bin/konsole", &sb) == 0) - { - args.clear (); - args.push_back ("-p"); - args.push_back ("tabtitle=fsck"); - args.push_back ("-e"); - args.push_back ("sh"); - args.push_back ("-c"); - args.push_back (xargs); - try - { - Process::Execute ("konsole", args, 1000); - } catch (TimeOut&) { } - } - else if (stat("/usr/bin/gnome-terminal", &sb) == 0 && stat("/usr/bin/dbus-launch", &sb) == 0) - { - args.clear (); - args.push_back ("--title"); - args.push_back ("fsck"); - args.push_back ("--"); - args.push_back ("sh"); - args.push_back ("-c"); - args.push_back (xargs); - try - { - Process::Execute ("gnome-terminal", args, 1000); - } catch (TimeOut&) { } + if (!depFound) { + continue; // dependency not found, skip + } + } + + // Build args + std::list<std::string> args; + for (const char** arg = term->args; *arg != NULL; ++arg) { + args.push_back(*arg); + } + args.push_back(xargs); + + try { + Process::Execute (termPath, args, 1000); + return; + } + catch (TimeOut&) { + return; + } + catch (SystemException&) { + // Continue to next terminal + } } - else - throw TerminalNotFound(); } -#endif + + throw TerminalNotFound(); } void CoreUnix::DismountFilesystem (const DirectoryPath &mountPoint, bool force) const diff --git a/src/Core/Unix/FreeBSD/CoreFreeBSD.cpp b/src/Core/Unix/FreeBSD/CoreFreeBSD.cpp index 0192bcff..8f5b8048 100644 --- a/src/Core/Unix/FreeBSD/CoreFreeBSD.cpp +++ b/src/Core/Unix/FreeBSD/CoreFreeBSD.cpp @@ -46,7 +46,7 @@ namespace VeraCrypt args.push_back ("-f"); args.push_back (filePath); - string dev = StringConverter::Trim (Process::Execute ("mdconfig", args)); + string dev = StringConverter::Trim (Process::Execute ("/sbin/mdconfig", args)); if (dev.find ("/") == string::npos) dev = string ("/dev/") + dev; @@ -65,7 +65,7 @@ namespace VeraCrypt { try { - Process::Execute ("mdconfig", args); + Process::Execute ("/sbin/mdconfig", args); break; } catch (ExecutedProcessFailed&) diff --git a/src/Core/Unix/MacOSX/CoreMacOSX.cpp b/src/Core/Unix/MacOSX/CoreMacOSX.cpp index ccbd5a58..762552de 100644 --- a/src/Core/Unix/MacOSX/CoreMacOSX.cpp +++ b/src/Core/Unix/MacOSX/CoreMacOSX.cpp @@ -47,7 +47,7 @@ namespace VeraCrypt try { - Process::Execute ("hdiutil", args); + Process::Execute ("/usr/bin/hdiutil", args); } catch (ExecutedProcessFailed &e) { @@ -84,7 +84,7 @@ namespace VeraCrypt { try { - Process::Execute ("umount", args); + Process::Execute ("/usr/bin/umount", args); break; } catch (ExecutedProcessFailed&) @@ -114,7 +114,7 @@ namespace VeraCrypt else args.push_back ("/System/Applications/Utilities/Disk Utility.app"); - Process::Execute ("open", args); + Process::Execute ("/usr/bin/open", args); } void CoreMacOSX::MountAuxVolumeImage (const DirectoryPath &auxMountPoint, const MountOptions &options) const @@ -190,7 +190,7 @@ namespace VeraCrypt { try { - xml = Process::Execute ("hdiutil", args); + xml = Process::Execute ("/usr/bin/hdiutil", args); break; } catch (ExecutedProcessFailed &e) @@ -233,7 +233,7 @@ namespace VeraCrypt args.push_back (volImage); args.push_back ("-force"); - Process::Execute ("hdiutil", args); + Process::Execute ("/usr/bin/hdiutil", args); } catch (ExecutedProcessFailed&) { } throw; diff --git a/src/Core/Unix/OpenBSD/CoreOpenBSD.cpp b/src/Core/Unix/OpenBSD/CoreOpenBSD.cpp index b3ff3bd1..161d4a79 100644 --- a/src/Core/Unix/OpenBSD/CoreOpenBSD.cpp +++ b/src/Core/Unix/OpenBSD/CoreOpenBSD.cpp @@ -75,7 +75,7 @@ namespace VeraCrypt args.push_back (filePath); - Process::Execute ("vnconfig", args); + Process::Execute ("/sbin/vnconfig", args); return "/dev/" + freePath.str() + "c"; } @@ -90,7 +90,7 @@ namespace VeraCrypt { try { - Process::Execute ("vnconfig", args); + Process::Execute ("/sbin/vnconfig", args); break; } catch (ExecutedProcessFailed&) diff --git a/src/Core/Unix/Solaris/CoreSolaris.cpp b/src/Core/Unix/Solaris/CoreSolaris.cpp index e840cceb..c436be8f 100644 --- a/src/Core/Unix/Solaris/CoreSolaris.cpp +++ b/src/Core/Unix/Solaris/CoreSolaris.cpp @@ -35,7 +35,7 @@ namespace VeraCrypt args.push_back ("-a"); args.push_back (filePath); - return StringConverter::Trim (Process::Execute ("lofiadm", args)); + return StringConverter::Trim (Process::Execute ("/usr/sbin/lofiadm", args)); } void CoreSolaris::DetachLoopDevice (const DevicePath &devicePath) const @@ -48,7 +48,7 @@ namespace VeraCrypt { try { - Process::Execute ("lofiadm", args); + Process::Execute ("/usr/sbin/lofiadm", args); break; } catch (ExecutedProcessFailed&) |