From 078d1410dd3307956638d9c90f40ec15032ef01f Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Sat, 11 Jan 2025 23:22:40 +0100
Subject: Linux/FreeBSD: Prevent mounting volumes on system directories and
 PATH (CVE-2025-23021, reported by SivertPL @__tfr)

Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.

Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
  This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
  This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points

To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint

Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.

Security: CVE-2025-23021
---
 src/Main/Forms/MountOptionsDialog.cpp | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

(limited to 'src/Main/Forms/MountOptionsDialog.cpp')

diff --git a/src/Main/Forms/MountOptionsDialog.cpp b/src/Main/Forms/MountOptionsDialog.cpp
index d9ffca6b..32b7ae57 100644
--- a/src/Main/Forms/MountOptionsDialog.cpp
+++ b/src/Main/Forms/MountOptionsDialog.cpp
@@ -34,6 +34,9 @@ namespace VeraCrypt
 		, wxDefaultPosition, wxSize (-1,-1), wxDEFAULT_DIALOG_STYLE | wxRESIZE_BORDER
 #endif
 		), Options (options)
+#ifdef TC_UNIX
+		, m_showRedBorder(false)
+#endif
 	{
 		if (!title.empty())
 			this->SetTitle (title);
@@ -42,6 +45,16 @@ namespace VeraCrypt
 		else
 			this->SetTitle (LangString["ENTER_TC_VOL_PASSWORD"]);
 
+#ifdef TC_UNIX
+		if (Gui->InsecureMountAllowed())
+		{
+			this->SetTitle (LangString["INSECURE_MODE"] + L" - " + this->GetTitle());
+			m_showRedBorder = true;
+			Bind(wxEVT_PAINT, &MountOptionsDialog::OnPaint, this);  
+			Bind(wxEVT_SIZE, &MountOptionsDialog::OnSize, this);
+		}
+#endif
+
 		if (disableMountOptions)
 			OptionsButton->Show (false);
 			
@@ -230,4 +243,27 @@ namespace VeraCrypt
 		Layout();
 		MainSizer->Fit( this );
 	}
+
+#ifdef TC_UNIX
+	void MountOptionsDialog::OnPaint(wxPaintEvent& event)  
+	{  
+		wxPaintDC dc(this);  
+		if (m_showRedBorder)  
+		{  
+			wxSize size = GetClientSize();  
+			wxPen pen(*wxRED, 3); // 3 pixels width  
+			dc.SetPen(pen);  
+			dc.SetBrush(*wxTRANSPARENT_BRUSH);  
+			dc.DrawRectangle(0, 0, size.GetWidth(), size.GetHeight());  
+		}  
+		event.Skip();  
+	}  
+	
+	void MountOptionsDialog::OnSize(wxSizeEvent& event)  
+	{  
+		event.Skip();  
+		if (m_showRedBorder)  
+			Refresh();  
+	}
+#endif
 }
-- 
cgit v1.2.3