From bc472314a51895f67112e3ac35439df63292f101 Mon Sep 17 00:00:00 2001
|
|
From: Konstantin Kostiuk <kkostiuk@redhat.com>
|
|
Date: Fri, 3 Mar 2023 21:20:08 +0200
|
|
Subject: [PATCH] qga/win32: Use rundll for VSS installation
|
|
|
|
The custom action uses cmd.exe to run VSS Service installation
|
|
and removal which causes an interactive command shell to spawn.
|
|
This shell can be used to execute any commands as a SYSTEM user.
|
|
Even if qemu-ga.exe is called directly, the interactive command shell
|
|
will be spawned as qemu-ga.exe is a console application and used
|
|
by users from the console as well as a service.
|
|
|
|
As VSS Service runs from DLL which contains the installer and
|
|
uninstaller code, it can be run directly by rundll32.exe without
|
|
any interactive command shell.
|
|
|
|
Add specific entry points for rundll which is just a wrapper
|
|
for COMRegister/COMUnregister functions with proper arguments.
|
|
|
|
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
|
|
fixes: CVE-2023-0664 (part 2 of 2)
|
|
|
|
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
|
|
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
|
|
Reported-by: Brian Wiltse <brian.wiltse@live.com>
|
|
---
|
|
qga/installer/qemu-ga.wxs | 10 +++++-----
|
|
qga/vss-win32/install.cpp | 9 +++++++++
|
|
qga/vss-win32/qga-vss.def | 2 ++
|
|
3 files changed, 16 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
|
|
index b62e709a4c..11b66a22e6 100644
|
|
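--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -143,22 +143,22 @@
 </Directory>
 </Directory>
 
- <Property Id="cmd" Value="cmd.exe"/>
+ <Property Id="rundll" Value="rundll32.exe"/>
 <Property Id="REINSTALLMODE" Value="amus"/>
 
 <?ifdef var.InstallVss?>
 <CustomAction Id="RegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
 Execute="deferred"
- Property="cmd"
+ Property="rundll"
 Impersonate="no"
 Return="check"
 >
 </CustomAction>
 <CustomAction Id="UnRegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
 Execute="deferred"
- Property="cmd"
+ Property="rundll"
 Impersonate="no"
 Return="check"
 >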
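Review bot: The `rundll` property holds the bare name `rundll32.exe`, so the deferred, non-impersonated `RegisterCom` and `UnRegisterCom` actions depend on how an unqualified executable name is resolved while the installer runs with elevated rights. Pinning the binary to the system directory would remove that dependency, for example `Directory="System64Folder"` on each custom action with an `ExeCommand` that begins with `"[System64Folder]rundll32.exe"` (or `SystemFolder` for a 32-bit package; the package platform is not visible here). The removed `cmd.exe` property had the same shape, so this is inherited rather than introduced by the commit. The `UnRegisterCom` element closes outside the hunk.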
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
|
|
index e90a03c1cf..8b7400e4e5 100644
|
|
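--- a/qga/vss-win32/install.cpp
+++ b/qga/vss-win32/install.cpp
@@ -352,6 +352,15 @@ out:
 return hr;
 }
 
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMRegister();
+}
+
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMUnregister();
+}
 
 static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
 {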
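Review bot: `DLLCOMRegister` and `DLLCOMUnregister` discard whatever `COMRegister()` and `COMUnregister()` return, and rundll32 does not pass an entry point's result back through its exit code, so the installer's `Return="check"` on these actions presumably can no longer detect a failed VSS provider registration. At minimum document this on both wrappers, e.g. `/* rundll32 entry point; arguments unused. The HRESULT is dropped, so a failure is not visible to the MSI custom action. */`. Recording a failed result somewhere diagnosable (event log or debug output) would also help when an install leaves the provider unregistered. The return type of `COMRegister` is not shown in this hunk; the `return hr;` context line only suggests an HRESULT.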
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
|
|
index 927782c31b..ee97a81427 100644
|
|
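--- a/qga/vss-win32/qga-vss.def
+++ b/qga/vss-win32/qga-vss.def
@@ -1,6 +1,8 @@
 LIBRARY "QGA-PROVIDER.DLL"
 
 EXPORTS
+ DLLCOMRegister
+ DLLCOMUnregister
 COMRegister PRIVATE
 COMUnregister PRIVATE
 DllCanUnloadNow PRIVATE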
--
|
|
2.41.0.windows.1
|
|
|