From 9b24da3398581da1fa66c6b8f682bbcfa7ded4fd Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Mon, 21 Sep 2015 17:12:50 +0200 Subject: Windows Driver: Fix inherited TrueCrypt local elevation of privilege vulnerability caused by abusing the drive letter symbolic link creation facilities to remap the main system drive. Thanks to James Forshaw (Google) for reporting this issue and for helping implementing the fix. --- src/Common/Apidrvr.h | 2 +- src/Driver/Ntdriver.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h index d78e96db..4fc15767 100644 --- a/src/Common/Apidrvr.h +++ b/src/Common/Apidrvr.h @@ -322,7 +322,7 @@ typedef struct #define NT_MOUNT_PREFIX DRIVER_STR("\\Device\\VeraCryptVolume") #define NT_ROOT_PREFIX DRIVER_STR("\\Device\\VeraCrypt") -#define DOS_MOUNT_PREFIX DRIVER_STR("\\DosDevices\\") +#define DOS_MOUNT_PREFIX DRIVER_STR("\\GLOBAL??\\") // Explicitely use Global MS-DOS device names to avoid security issues #define DOS_ROOT_PREFIX DRIVER_STR("\\DosDevices\\VeraCrypt") #define WIN32_ROOT_PREFIX DRIVER_STR("\\\\.\\VeraCrypt") diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c index 8c33a89c..3e78fabe 100644 --- a/src/Driver/Ntdriver.c +++ b/src/Driver/Ntdriver.c @@ -3063,18 +3063,19 @@ BOOL IsDriveLetterAvailable (int nDosDriveNo) UNICODE_STRING objectName; WCHAR link[128]; HANDLE handle; + NTSTATUS ntStatus; TCGetDosNameFromNumber (link, sizeof(link),nDosDriveNo); RtlInitUnicodeString (&objectName, link); InitializeObjectAttributes (&objectAttributes, &objectName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL); - if (NT_SUCCESS (ZwOpenSymbolicLinkObject (&handle, GENERIC_READ, &objectAttributes))) + if (NT_SUCCESS (ntStatus = ZwOpenSymbolicLinkObject (&handle, GENERIC_READ, &objectAttributes))) { ZwClose (handle); return FALSE; } - return TRUE; + return (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND)? TRUE : FALSE; } -- cgit v1.2.3