qga/win32: Fix local privilege escalation issue (CVE-2023-0664)
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
parent
9ac0d50669
commit
b07b5baf93
|
@ -0,0 +1,129 @@
|
|||
From 0575c4d5cb7520850359aeff62e11e80e5b65c55 Mon Sep 17 00:00:00 2001
|
||||
From: Konstantin Kostiuk <kkostiuk@redhat.com>
|
||||
Date: Fri, 3 Mar 2023 21:20:08 +0200
|
||||
Subject: [PATCH] qga/win32: Use rundll for VSS installation
|
||||
|
||||
The custom action uses cmd.exe to run VSS Service installation
|
||||
and removal which causes an interactive command shell to spawn.
|
||||
This shell can be used to execute any commands as a SYSTEM user.
|
||||
Even if call qemu-ga.exe directly the interactive command shell
|
||||
will be spawned as qemu-ga.exe is a console application and used
|
||||
by users from the console as well as a service.
|
||||
|
||||
As VSS Service runs from DLL which contains the installer and
|
||||
uninstaller code, it can be run directly by rundll32.exe without
|
||||
any interactive command shell.
|
||||
|
||||
Add specific entry points for rundll which is just a wrapper
|
||||
for COMRegister/COMUnregister functions with proper arguments.
|
||||
|
||||
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
|
||||
fixes: CVE-2023-0664 (part 2 of 2)
|
||||
|
||||
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
|
||||
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
|
||||
Reported-by: Brian Wiltse <brian.wiltse@live.com>
|
||||
---
|
||||
qga/installer/qemu-ga.wxs | 10 +++++-----
|
||||
qga/vss-win32/install.cpp | 9 +++++++++
|
||||
qga/vss-win32/qga-vss.def | 2 ++
|
||||
3 files changed, 16 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
|
||||
index 813d1c6ca6..de006c8785 100644
|
||||
--- a/qga/installer/qemu-ga.wxs
|
||||
+++ b/qga/installer/qemu-ga.wxs
|
||||
@@ -115,22 +115,22 @@
|
||||
</Directory>
|
||||
</Directory>
|
||||
|
||||
- <Property Id="cmd" Value="cmd.exe"/>
|
||||
+ <Property Id="rundll" Value="rundll32.exe"/>
|
||||
<Property Id="REINSTALLMODE" Value="amus"/>
|
||||
|
||||
<?ifdef var.InstallVss?>
|
||||
<CustomAction Id="RegisterCom"
|
||||
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
|
||||
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
|
||||
Execute="deferred"
|
||||
- Property="cmd"
|
||||
+ Property="rundll"
|
||||
Impersonate="no"
|
||||
Return="check"
|
||||
>
|
||||
</CustomAction>
|
||||
<CustomAction Id="UnRegisterCom"
|
||||
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
|
||||
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
|
||||
Execute="deferred"
|
||||
- Property="cmd"
|
||||
+ Property="rundll"
|
||||
Impersonate="no"
|
||||
Return="check"
|
||||
>
|
||||
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
|
||||
index b57508fbe0..68662a6dfc 100644
|
||||
--- a/qga/vss-win32/install.cpp
|
||||
+++ b/qga/vss-win32/install.cpp
|
||||
@@ -357,6 +357,15 @@ out:
|
||||
return hr;
|
||||
}
|
||||
|
||||
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
|
||||
+{
|
||||
+ COMRegister();
|
||||
+}
|
||||
+
|
||||
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
|
||||
+{
|
||||
+ COMUnregister();
|
||||
+}
|
||||
|
||||
static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
|
||||
{
|
||||
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
|
||||
index 927782c31b..ee97a81427 100644
|
||||
--- a/qga/vss-win32/qga-vss.def
|
||||
+++ b/qga/vss-win32/qga-vss.def
|
||||
@@ -1,6 +1,8 @@
|
||||
LIBRARY "QGA-PROVIDER.DLL"
|
||||
|
||||
EXPORTS
|
||||
+ DLLCOMRegister
|
||||
+ DLLCOMUnregister
|
||||
COMRegister PRIVATE
|
||||
COMUnregister PRIVATE
|
||||
DllCanUnloadNow PRIVATE
|
||||
|
||||
From e7e43c4e11390aba32cb42421c68790c10501232 Mon Sep 17 00:00:00 2001
|
||||
From: Konstantin Kostiuk <kkostiuk@redhat.com>
|
||||
Date: Fri, 3 Mar 2023 21:20:07 +0200
|
||||
Subject: [PATCH] qga/win32: Remove change action from MSI installer
|
||||
|
||||
Remove the 'change' button from "Programs and Features" because it does
|
||||
not checks if a user is an admin or not. The installer has no components
|
||||
to choose from and always installs everything. So the 'change' button is
|
||||
not obviously needed but can create a security issue.
|
||||
|
||||
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
|
||||
fixes: CVE-2023-0664 (part 1 of 2)
|
||||
|
||||
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
|
||||
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
|
||||
Reported-by: Brian Wiltse <brian.wiltse@live.com>
|
||||
---
|
||||
qga/installer/qemu-ga.wxs | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
|
||||
index de006c8785..949ba07fd2 100644
|
||||
--- a/qga/installer/qemu-ga.wxs
|
||||
+++ b/qga/installer/qemu-ga.wxs
|
||||
@@ -31,6 +31,7 @@
|
||||
/>
|
||||
<Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
|
||||
<Property Id="WHSLogo">1</Property>
|
||||
+ <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
|
||||
<MajorUpgrade
|
||||
DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
|
||||
/>
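Review bot: The new `DLLCOMRegister` and `DLLCOMUnregister` wrappers in qga/vss-win32/install.cpp call `COMRegister()` and `COMUnregister()` and discard the result, and a rundll32 entry point returns void, so a failure has nowhere to go. The function just before them in the hunk ends in `return hr;`, so these calls presumably return an HRESULT (their definitions lie outside the hunk). With that value dropped, `Return="check"` on the `RegisterCom` and `UnRegisterCom` custom actions most likely only catches rundll32.exe failing to start, not a failed VSS provider registration, whereas the old `qemu-ga.exe -s vss-install` command could signal failure through its exit code. At minimum capture and report it, e.g. `HRESULT hr = COMRegister(); if (FAILED(hr)) { /* write hr to the event log or installer log */ }`, and consider having the installer verify the registration afterwards. Separately, `Value="rundll32.exe"` in qemu-ga.wxs is a bare file name, so which binary this deferred `Impersonate="no"` action launches depends on search-order resolution; pinning it to the system directory would remove that dependency.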
|
|
@ -321,7 +321,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
|
|||
%endif
|
||||
|
||||
# To prevent rpmdev-bumpspec breakage
|
||||
%global baserelease 1
|
||||
%global baserelease 2
|
||||
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
|
@ -357,6 +357,8 @@ Patch: 0004-Revert-linux-user-fix-compat-with-glibc-2.36-sys-mou.patch
|
|||
Patch: 0006-PATCH-test-vmstate-fix-bad-GTree-usage-use-after-fre.patch
|
||||
# Fix one of the tests. Sent upstream 2023-02-27.
|
||||
Patch: 0007-tests-Ensure-TAP-version-is-printed-before-other-mes.patch
|
||||
# qga/win32: Fix local privilege escalation issue (CVE-2023-0664)
|
||||
Patch: 0008-qga-win32-local-privilege-escalation.patch
|
||||
|
||||
BuildRequires: meson >= %{meson_version}
|
||||
BuildRequires: zlib-devel
|
||||
|
@ -2786,6 +2788,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
|
|||
|
||||
|
||||
%changelog
|
||||
* Fri Apr 21 2023 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.2.1-2
|
||||
- qga/win32: Fix local privilege escalation issue (CVE-2023-0664) (rhbz#2175700)
|
||||
|
||||
* Wed Apr 19 2023 Eduardo Lima (Etrunko) <etrunko@redhat.com> - 7.2.1-1
|
||||
- Rebase to qemu 7.2.1
|
||||
|
||||
|
|