From 078d1410dd3307956638d9c90f40ec15032ef01f Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Sat, 11 Jan 2025 23:22:40 +0100 Subject: Linux/FreeBSD: Prevent mounting volumes on system directories and PATH (CVE-2025-23021, reported by SivertPL @__tfr) Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries. Key changes: - Block mounting on protected system directories (/usr, /bin, /lib, etc.) This restriction cannot be overridden - Block mounting on directories present in user's PATH environment variable This can be overridden with --allow-insecure-mount flag - Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed - Handle symlinks properly when checking paths - Add new error messages for blocked mount points To override PATH-based restrictions only (system directories remain protected): veracrypt --allow-insecure-mount [options] volume mountpoint Security Impact: Low to Medium The attack requires either: - User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points - Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password Default mount points are not affected by this vulnerability. Security: CVE-2025-23021 --- src/Main/Forms/MountOptionsDialog.cpp | 36 +++++++++++++++++++++++++++++++++++ src/Main/Forms/MountOptionsDialog.h | 9 +++++++++ src/Main/Forms/WaitDialog.cpp | 3 +++ 3 files changed, 48 insertions(+) (limited to 'src/Main/Forms') diff --git a/src/Main/Forms/MountOptionsDialog.cpp b/src/Main/Forms/MountOptionsDialog.cpp index d9ffca6b..32b7ae57 100644 --- a/src/Main/Forms/MountOptionsDialog.cpp +++ b/src/Main/Forms/MountOptionsDialog.cpp @@ -34,6 +34,9 @@ namespace VeraCrypt , wxDefaultPosition, wxSize (-1,-1), wxDEFAULT_DIALOG_STYLE | wxRESIZE_BORDER #endif ), Options (options) +#ifdef TC_UNIX + , m_showRedBorder(false) +#endif { if (!title.empty()) this->SetTitle (title); @@ -42,6 +45,16 @@ namespace VeraCrypt else this->SetTitle (LangString["ENTER_TC_VOL_PASSWORD"]); +#ifdef TC_UNIX + if (Gui->InsecureMountAllowed()) + { + this->SetTitle (LangString["INSECURE_MODE"] + L" - " + this->GetTitle()); + m_showRedBorder = true; + Bind(wxEVT_PAINT, &MountOptionsDialog::OnPaint, this); + Bind(wxEVT_SIZE, &MountOptionsDialog::OnSize, this); + } +#endif + if (disableMountOptions) OptionsButton->Show (false); @@ -230,4 +243,27 @@ namespace VeraCrypt Layout(); MainSizer->Fit( this ); } + +#ifdef TC_UNIX + void MountOptionsDialog::OnPaint(wxPaintEvent& event) + { + wxPaintDC dc(this); + if (m_showRedBorder) + { + wxSize size = GetClientSize(); + wxPen pen(*wxRED, 3); // 3 pixels width + dc.SetPen(pen); + dc.SetBrush(*wxTRANSPARENT_BRUSH); + dc.DrawRectangle(0, 0, size.GetWidth(), size.GetHeight()); + } + event.Skip(); + } + + void MountOptionsDialog::OnSize(wxSizeEvent& event) + { + event.Skip(); + if (m_showRedBorder) + Refresh(); + } +#endif } diff --git a/src/Main/Forms/MountOptionsDialog.h b/src/Main/Forms/MountOptionsDialog.h index d0677820..b9bf38ea 100644 --- a/src/Main/Forms/MountOptionsDialog.h +++ b/src/Main/Forms/MountOptionsDialog.h @@ -40,7 +40,16 @@ namespace VeraCrypt void OnReadOnlyCheckBoxClick (wxCommandEvent& event) { UpdateDialog(); } void UpdateDialog (); +#ifdef TC_UNIX + // Used for displaying a red border around the dialog window when insecure mode is enabled + void OnPaint(wxPaintEvent& event); + void OnSize(wxSizeEvent& event); +#endif + MountOptions &Options; +#ifdef TC_UNIX + bool m_showRedBorder; +#endif wxString OptionsButtonLabel; VolumePasswordPanel *PasswordPanel; VolumePasswordPanel *ProtectionPasswordPanel; diff --git a/src/Main/Forms/WaitDialog.cpp b/src/Main/Forms/WaitDialog.cpp index f8180c1d..2489a17b 100644 --- a/src/Main/Forms/WaitDialog.cpp +++ b/src/Main/Forms/WaitDialog.cpp @@ -117,6 +117,9 @@ namespace VeraCrypt VC_CONVERT_EXCEPTION (EMVKeyfileDataNotFound); VC_CONVERT_EXCEPTION (EMVPANNotFound); + VC_CONVERT_EXCEPTION (MountPointBlocked); + VC_CONVERT_EXCEPTION (MountPointNotAllowed); + throw *ex; } } -- cgit v1.2.3