From 5872be28a243acb3b5aafdf13248e07d30471893 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI
Date: Sat, 2 Jan 2016 17:54:55 +0100
Subject: Windows: Fix Dll hijacking vulnerability affecting installer that allows arbitrary code execution with elevation of privilege (CVE-2016-1281)
---
 src/Setup/Setup.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
(limited to 'src/Setup/Setup.c')
diff --git a/src/Setup/Setup.c b/src/Setup/Setup.c
index 828de703..e81c2a31 100644
--- a/src/Setup/Setup.c
+++ b/src/Setup/Setup.c
@@ -329,13 +329,13 @@ void SearchAndDeleteRegistrySubString (HKEY hKey, const wchar_t *subKey, const w
 // if the string to search for is empty, delete the sub key, otherwise, look for matching value and delete them
 if (subStringLength == 0)
 {
- if (ERROR_ACCESS_DENIED == SHDeleteKeyW (hKey, ItSubKey->c_str()))
+ if (ERROR_ACCESS_DENIED == DeleteRegistryKey (hKey, ItSubKey->c_str()))
 {
 // grant permission to delete
 AllowKeyAccess (hKey, ItSubKey->c_str());
 // try again
- SHDeleteKeyW (hKey, ItSubKey->c_str());
+ DeleteRegistryKey (hKey, ItSubKey->c_str());
 }
 }
 else
@@ -427,6 +427,22 @@ BOOL SetPrivilege(LPTSTR szPrivilegeName, BOOL bEnable)
 return bStatus;
 }
+/*
+ * Creates a VT_LPWSTR propvariant.
+ * we use our own implementation to use SHStrDupW function pointer
+ * that we retreive ourselves to avoid dll hijacking attacks
+ */
+inline HRESULT VCInitPropVariantFromString(__in PCWSTR psz, __out PROPVARIANT *ppropvar)
+{
+ ppropvar->vt = VT_LPWSTR;
+ HRESULT hr = VCStrDupW(psz, &ppropvar->pwszVal);
+ if (FAILED(hr))
+ {
+ PropVariantInit(ppropvar);
+ }
+ return hr;
+}
+
 HRESULT CreateLink (wchar_t *lpszPathObj, wchar_t *lpszArguments,
 wchar_t *lpszPathLink, const wchar_t* iconFile, int iconIndex)
 {
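Review bot: Replacing SHDeleteKeyW with DeleteRegistryKey keeps the `ERROR_ACCESS_DENIED ==` comparison in the first changed line, so the new wrapper must return the same LSTATUS/Win32 error codes SHDeleteKeyW did; its definition is not in this hunk, so that contract should be stated where DeleteRegistryKey is declared, e.g. `// Returns a Win32 error code (LSTATUS) exactly like SHDeleteKeyW; callers compare against ERROR_ACCESS_DENIED`. The same substitution appears in the DoRegUninstall hunk at -1287, where the result is not checked, so that comment covers both sites. SearchAndDeleteRegistrySubString begins before this hunk and continues after it.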
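Review bot: The protection VCInitPropVariantFromString provides depends entirely on how VCStrDupW obtains the SHStrDupW pointer, and that resolution is outside this hunk, so the header comment should spell out the precondition rather than just the intent, e.g. `* VCStrDupW must be bound to SHStrDupW from shlwapi.dll loaded via its absolute System32 path; if that ever changes, this helper no longer avoids the hijacking issue it was added for`. The function body itself is sound: `vt` is set before the copy and PropVariantInit resets the structure when VCStrDupW fails, matching InitPropVariantFromString's contract. Minor: `retreive` should read `retrieve`. CreateLink starts in this hunk and its body continues outside it.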
@@ -457,7 +473,7 @@ HRESULT CreateLink (wchar_t *lpszPathObj, wchar_t *lpszArguments,
 if (SUCCEEDED (psl->QueryInterface (IID_PPV_ARGS (&propStore))))
 {
 PROPVARIANT propVariant;
- if (SUCCEEDED (InitPropVariantFromString (TC_APPLICATION_ID, &propVariant)))
+ if (SUCCEEDED (VCInitPropVariantFromString (TC_APPLICATION_ID, &propVariant)))
 {
 if (SUCCEEDED (propStore->SetValue (PKEY_AppUserModel_ID, propVariant)))
 propStore->Commit();
@@ -1287,7 +1303,7 @@ BOOL DoRegUninstall (HWND hwndDlg, BOOL bRemoveDeprecated)
 GetStartupRegKeyName (regk, sizeof(regk));
 DeleteRegistryValue (regk, L"VeraCrypt");
- SHDeleteKey (HKEY_LOCAL_MACHINE, L"Software\\Classes\\.hc");
+ DeleteRegistryKey (HKEY_LOCAL_MACHINE, L"Software\\Classes\\.hc");
 // enable the SE_TAKE_OWNERSHIP_NAME privilege for this operation
 SetPrivilege (SE_TAKE_OWNERSHIP_NAME, TRUE);
@@ -2447,8 +2463,6 @@ int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpsz
 lpszTitle = L"VeraCrypt Setup";
- InitCommonControls ();
-
 /* Call InitApp to initialize the common code */
 InitApp (hInstance, NULL);
--
cgit v1.2.3
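Review bot: The removal of `InitCommonControls ()` at -2447 is not explained by the commit message, and nothing in the hunk shows where common-control classes are now registered; presumably the call was dropped so comctl32.dll is not pulled in before the loader search path has been hardened, but that is an inference from the subject line. If InitApp (or the manifest) covers this, a one-line comment above the remaining call, `/* common controls are initialized inside InitApp; do not call InitCommonControls here */`, would keep someone from reintroducing the early load. wWinMain begins before this hunk and continues after it.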