qga/win32: Use rundll for VSS installation
The custom action uses cmd.exe to run VSS Service installation and removal which causes an interactive command shell to spawn. This shell can be used to execute any commands as a SYSTEM user. Even if call qemu-ga.exe directly the interactive command shell will be spawned as qemu-ga.exe is a console application and used by users from the console as well as a service. As VSS Service runs from DLL which contains the installer and uninstaller code, it can be run directly by rundll32.exe without any interactive command shell. Add specific entry points for rundll which is just a wrapper for COMRegister/COMUnregister functions with proper arguments. resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423 fixes: CVE-2023-0664 (part 2 of 2) Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com> Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com> Reported-by: Brian Wiltse <brian.wiltse@live.com>
This commit is contained in:
parent
88288c2a51
commit
07ce178a2b
@ -127,22 +127,22 @@
|
||||
</Directory>
|
||||
</Directory>
|
||||
|
||||
<Property Id="cmd" Value="cmd.exe"/>
|
||||
<Property Id="rundll" Value="rundll32.exe"/>
|
||||
<Property Id="REINSTALLMODE" Value="amus"/>
|
||||
|
||||
<?ifdef var.InstallVss?>
|
||||
<CustomAction Id="RegisterCom"
|
||||
ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
|
||||
ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
|
||||
Execute="deferred"
|
||||
Property="cmd"
|
||||
Property="rundll"
|
||||
Impersonate="no"
|
||||
Return="check"
|
||||
>
|
||||
</CustomAction>
|
||||
<CustomAction Id="UnRegisterCom"
|
||||
ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
|
||||
ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
|
||||
Execute="deferred"
|
||||
Property="cmd"
|
||||
Property="rundll"
|
||||
Impersonate="no"
|
||||
Return="check"
|
||||
>
|
||||
|
@ -357,6 +357,15 @@ out:
|
||||
return hr;
|
||||
}
|
||||
|
||||
STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
|
||||
{
|
||||
COMRegister();
|
||||
}
|
||||
|
||||
STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
|
||||
{
|
||||
COMUnregister();
|
||||
}
|
||||
|
||||
static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
|
||||
{
|
||||
|
@ -1,6 +1,8 @@
|
||||
LIBRARY "QGA-PROVIDER.DLL"
|
||||
|
||||
EXPORTS
|
||||
DLLCOMRegister
|
||||
DLLCOMUnregister
|
||||
COMRegister PRIVATE
|
||||
COMUnregister PRIVATE
|
||||
DllCanUnloadNow PRIVATE
|
||||
|
Loading…
Reference in New Issue
Block a user