From 078d1410dd3307956638d9c90f40ec15032ef01f Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Sat, 11 Jan 2025 23:22:40 +0100
Subject: Linux/FreeBSD: Prevent mounting volumes on system directories and
 PATH (CVE-2025-23021, reported by SivertPL @__tfr)

Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.

Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
  This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
  This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points

To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint

Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.

Security: CVE-2025-23021
---
 src/Core/CoreBase.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'src/Core/CoreBase.h')

diff --git a/src/Core/CoreBase.h b/src/Core/CoreBase.h
index 07d0f881..e4ff0a94 100644
--- a/src/Core/CoreBase.h
+++ b/src/Core/CoreBase.h
@@ -80,6 +80,16 @@ namespace VeraCrypt
 		virtual void ForceUseDummySudoPassword (bool useDummySudoPassword) { UseDummySudoPassword = useDummySudoPassword;}
 		virtual bool GetUseDummySudoPassword () const { return UseDummySudoPassword;}
 
+#if defined(TC_UNIX)
+		virtual bool IsProtectedSystemDirectory (const DirectoryPath &directory) const = 0;
+		virtual bool IsDirectoryOnUserPath(const DirectoryPath &directory) const = 0;
+		virtual void SetAllowInsecureMount (bool allowInsecureMount) { AllowInsecureMount = allowInsecureMount; }
+		virtual bool GetAllowInsecureMount () const { return AllowInsecureMount; }
+#endif
+
+		virtual void SetUserEnvPATH (const string &path) { UserEnvPATH = path; }
+		virtual string GetUserEnvPATH () const { return UserEnvPATH; }
+
 		Event VolumeDismountedEvent;
 		Event VolumeMountedEvent;
 		Event WarningEvent;
@@ -89,8 +99,13 @@ namespace VeraCrypt
 
 		bool DeviceChangeInProgress;
 		FilePath ApplicationExecutablePath;
+		string UserEnvPATH;
 		bool UseDummySudoPassword;
 
+#if defined(TC_UNIX)
+		bool AllowInsecureMount;
+#endif
+
 	private:
 		CoreBase (const CoreBase &);
 		CoreBase &operator= (const CoreBase &);
-- 
cgit v1.2.3