diff options
| author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2025-01-11 17:26:03 +0100 |
|---|---|---|
| committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2025-01-14 14:59:40 +0100 |
| commit | 2cca2e1dafa405addc3af8724baf8563f352ac1c (patch) | |
| tree | e8525cfe9262bbba0c02f14518e1259d5a972e75 /src/Platform/Unix | |
| parent | 1b35abb191c56fa9890ff3f145fd866bbff361c1 (diff) | |
| download | VeraCrypt-2cca2e1dafa405addc3af8724baf8563f352ac1c.tar.gz VeraCrypt-2cca2e1dafa405addc3af8724baf8563f352ac1c.zip | |
Linux/FreeBSD: Add absolute paths for system binaries to prevent path hijacking (CVE-2024-54187, collaboration with SivertPL @__tfr)
This commit fixes a critical security vulnerability where VeraCrypt could be tricked into executing malicious binaries with elevated privileges. The vulnerability has two severe implications:
1. When sudo's secure_path option is disabled, attackers could execute malicious binaries with root privileges by placing them in user-writable PATH directories (e.g., making "sudo mount" execute a malicious mount binary)
2. By placing a malicious sudo binary in PATH, attackers could intercept and steal the user's password when VeraCrypt prompts for sudo authentication
The vulnerability allowed attackers to place malicious binaries in user-writable directories that appear in PATH before system directories, potentially leading to privilege escalation and credential theft.
Key changes:
- Implement FindSystemBinary() to locate executables in secure system paths
- Replace all relative binary paths with absolute paths for system commands
- Add security checks for executable permissions
- Update process execution to use absolute paths for:
* sudo
* mount
* fsck
* terminal emulators
* file managers
* system utilities (hdiutil, mdconfig, vnconfig, lofiadm)
The fix ensures all system binaries are called using their absolute paths from secure system directories, preventing both privilege escalation through PATH manipulation and password theft through sudo hijacking.
Security: CVE-2024-54187
Diffstat (limited to 'src/Platform/Unix')
| -rw-r--r-- | src/Platform/Unix/Process.cpp | 63 | ||||
| -rw-r--r-- | src/Platform/Unix/Process.h | 2 |
2 files changed, 64 insertions, 1 deletions
diff --git a/src/Platform/Unix/Process.cpp b/src/Platform/Unix/Process.cpp index 45106918..0c2a9c59 100644 --- a/src/Platform/Unix/Process.cpp +++ b/src/Platform/Unix/Process.cpp @@ -27,12 +27,73 @@ namespace VeraCrypt { - string Process::Execute (const string &processName, const list <string> &arguments, int timeOut, ProcessExecFunctor *execFunctor, const Buffer *inputData) + + bool Process::IsExecutable(const std::string& path) { + struct stat sb; + if (stat(path.c_str(), &sb) == 0) { + return S_ISREG(sb.st_mode) && (sb.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)); + } + return false; + } + + // Find executable in system paths + std::string Process::FindSystemBinary(const char* name, std::string& errorMsg) { + if (!name) { + errno = EINVAL; // Invalid argument + errorMsg = "Invalid input: name or paths is NULL"; + return ""; + } + + // Default system directories to search for executables +#ifdef TC_MACOSX + const char* defaultDirs[] = {"/usr/local/bin", "/usr/bin", "/bin", "/user/sbin", "/sbin"}; +#elseif TC_FREEBSD + const char* defaultDirs[] = {"/sbin", "/bin", "/usr/sbin", "/usr/bin", "/usr/local/sbin", "/usr/local/bin"}; +#elseif TC_OPENBSD + const char* defaultDirs[] = {"/sbin", "/bin", "/usr/sbin", "/usr/bin", "/usr/X11R6/bin", "/usr/local/sbin", "/usr/local/bin"}; +#else + const char* defaultDirs[] = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}; +#endif + const size_t defaultDirCount = sizeof(defaultDirs) / sizeof(defaultDirs[0]); + + std::string currentPath(name); + + // If path doesn't start with '/', prepend default directories + if (currentPath[0] != '/') { + for (size_t i = 0; i < defaultDirCount; ++i) { + std::string combinedPath = std::string(defaultDirs[i]) + "/" + currentPath; + if (IsExecutable(combinedPath)) { + return combinedPath; + } + } + } else if (IsExecutable(currentPath)) { + return currentPath; + } + + // Prepare error message + errno = ENOENT; // No such file or directory + errorMsg = std::string(name) + " not found in system directories"; + return ""; + } + + string Process::Execute (const string &processNameArg, const list <string> &arguments, int timeOut, ProcessExecFunctor *execFunctor, const Buffer *inputData) { char *args[32]; if (array_capacity (args) <= (arguments.size() + 1)) throw ParameterTooLarge (SRC_POS); + // if execFunctor is null and processName is not absolute path, find it in system paths + string processName; + if (!execFunctor && (processNameArg[0] != '/')) + { + std::string errorMsg; + processName = FindSystemBinary(processNameArg.c_str(), errorMsg); + if (processName.empty()) + throw SystemException(SRC_POS, errorMsg); + } + else + processName = processNameArg; + #if 0 stringstream dbg; dbg << "exec " << processName; diff --git a/src/Platform/Unix/Process.h b/src/Platform/Unix/Process.h index a796ed6a..83215956 100644 --- a/src/Platform/Unix/Process.h +++ b/src/Platform/Unix/Process.h @@ -31,6 +31,8 @@ namespace VeraCrypt Process (); virtual ~Process (); + static bool IsExecutable(const std::string& path); + static std::string FindSystemBinary(const char* name, std::string& errorMsg); static string Execute (const string &processName, const list <string> &arguments, int timeOut = -1, ProcessExecFunctor *execFunctor = nullptr, const Buffer *inputData = nullptr); protected: |