[Stable-7.2.5 20/36] qga/win32: Use rundll for VSS installation
From: Michael Tokarev
Subject: [Stable-7.2.5 20/36] qga/win32: Use rundll for VSS installation
Date: Fri, 4 Aug 2023 21:53:33 +0300
From: Konstantin Kostiuk <kkostiuk@redhat.com>
The custom action uses cmd.exe to run VSS Service installation
and removal which causes an interactive command shell to spawn.
This shell can be used to execute any commands as a SYSTEM user.
Even if qemu-ga.exe is called directly, the interactive command shell
will be spawned, as qemu-ga.exe is a console application and is used
by users from the console as well as a service.
As the VSS Service runs from a DLL which contains the installer and
uninstaller code, it can be run directly by rundll32.exe without
any interactive command shell.
Add specific entry points for rundll which are just wrappers
for COMRegister/COMUnregister functions with proper arguments.
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 2 of 2)
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
(cherry picked from commit 07ce178a2b0768eb9e712bb5ad0cf6dc7fcf0158)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index 3442383627..949ba07fd2 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -116,22 +116,22 @@
</Directory>
</Directory>
- <Property Id="cmd" Value="cmd.exe"/>
+ <Property Id="rundll" Value="rundll32.exe"/>
<Property Id="REINSTALLMODE" Value="amus"/>
<?ifdef var.InstallVss?>
<CustomAction Id="RegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
</CustomAction>
<CustomAction Id="UnRegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
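Review bot: `Value="rundll32.exe"` on the new `rundll` property is a bare file name, so both deferred `Impersonate="no"` actions depend on how the loader resolves that name instead of on a fixed location. Because these actions run elevated, point them at the copy in the Windows system directory, for example by setting the property from `[SystemFolder]` (or `[System64Folder]` for a 64-bit package) before the action is scheduled.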
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
index b8087e5baa..ff93b08a9e 100644
--- a/qga/vss-win32/install.cpp
+++ b/qga/vss-win32/install.cpp
@@ -357,6 +357,15 @@ out:
return hr;
}
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMRegister();
+}
+
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMUnregister();
+}
static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
{
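Review bot: both wrappers are declared `STDAPI_(void)` and discard whatever `COMRegister()` / `COMUnregister()` return, so a failed registration is invisible to the installer even though the custom actions keep `Return="check"`. Consider checking the result inside the wrapper and logging the failure or ending the process with a non-zero exit code, and add a short comment above the two functions stating that they exist only as rundll32.exe entry points and that the four parameters are intentionally unused.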
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
index 927782c31b..ee97a81427 100644
--- a/qga/vss-win32/qga-vss.def
+++ b/qga/vss-win32/qga-vss.def
@@ -1,6 +1,8 @@
LIBRARY "QGA-PROVIDER.DLL"
EXPORTS
+ DLLCOMRegister
+ DLLCOMUnregister
COMRegister PRIVATE
COMUnregister PRIVATE
DllCanUnloadNow PRIVATE
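Review bot: `DLLCOMRegister` and `DLLCOMUnregister` are the only entries in this EXPORTS list without `PRIVATE`. `PRIVATE` only keeps a name out of the import library and leaves it in the DLL's export table, so rundll32.exe can still resolve it; either add `PRIVATE` to match the neighbouring entries or say in the commit message why these two need to be linkable.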
--
2.39.2
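An added example, not part of the patch or of QEMU's tooling: a small audit over WiX source that flags the pattern this commit removes, a deferred, non-impersonated custom action whose `Property` resolves to a console host. The `CONSOLE_HOSTS` list, the function names and both inline samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hosts that open an interactive console window (assumed list, extend as needed).
CONSOLE_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def local(tag):
    """Drop any XML namespace so real WiX files and bare fragments both parse."""
    return tag.rsplit("}", 1)[-1]

def audit_wxs(xml_text):
    """Return (Id, host, ExeCommand) for elevated actions that start a console host."""
    root = ET.fromstring(xml_text)
    props = {e.get("Id"): e.get("Value") or ""
             for e in root.iter() if local(e.tag) == "Property"}
    findings = []
    for ca in root.iter():
        if local(ca.tag) != "CustomAction":
            continue
        # Deferred and not impersonated: runs in the installer service's context.
        elevated = ca.get("Execute") == "deferred" and ca.get("Impersonate") == "no"
        target = props.get(ca.get("Property"), "")
        exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if elevated and exe in CONSOLE_HOSTS:
            findings.append((ca.get("Id"), exe, ca.get("ExeCommand")))
    return findings

# Constructed samples modelled on the removed and added sides of the diff.
BEFORE = """<Wix><Product>
  <Property Id="cmd" Value="cmd.exe"/>
  <CustomAction Id="RegisterCom" Property="cmd"
      ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
      Execute="deferred" Impersonate="no" Return="check"/>
</Product></Wix>"""
AFTER = """<Wix><Product>
  <Property Id="rundll" Value="rundll32.exe"/>
  <CustomAction Id="RegisterCom" Property="rundll"
      ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
      Execute="deferred" Impersonate="no" Return="check"/>
</Product></Wix>"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_wxs(text))
```

The check only follows the `Property` indirection used in this installer; actions that name their executable through `FileKey`, `BinaryKey` or `Directory` need their own handling.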