qga/win32: Fix local privilege escalation issue (CVE-2023-0664)

Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Mauro Matteo Cascella 2023-03-26 14:59:09 +02:00
parent abc86a585d
commit dae2b79d15
2 changed files with 135 additions and 1 deletions


@ -0,0 +1,129 @@
From f45ee21bebeda4fc1fdd2c359a8a5bfeb1fd4459 Mon Sep 17 00:00:00 2001
From: Konstantin Kostiuk <kkostiuk@redhat.com>
Date: Fri, 3 Mar 2023 21:20:07 +0200
Subject: [PATCH] qga/win32: Remove change action from MSI installer
Remove the 'change' button from "Programs and Features" because it does
not checks if a user is an admin or not. The installer has no components
to choose from and always installs everything. So the 'change' button is
not obviously needed but can create a security issue.
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 1 of 2)
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
---
qga/installer/qemu-ga.wxs | 1 +
1 file changed, 1 insertion(+)
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index 0950e8c6be..b62e709a4c 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -58,6 +58,7 @@
/>
<Media Id="1" Cabinet="qemu_ga.$(env.QEMU_GA_VERSION).cab" EmbedCab="yes" />
<Property Id="WHSLogo">1</Property>
+ <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
<MajorUpgrade
DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
/>
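Review bot: ARPNOMODIFY only removes the Modify/Change entry in "Programs and Features"; nothing in this hunk sets ARPNOREPAIR or ARPNOREMOVE, and the RegisterCom/UnRegisterCom custom actions changed in the next patch still run with Execute="deferred" and Impersonate="no" (as SYSTEM) whenever the execute sequence schedules them, so this hunk alone does not stop those actions from being reached; it relies on part 2 for that. A one-line XML comment above the new <Property> naming the reason it is set (the change action launched the installer without an admin check, CVE-2023-0664) would keep a later maintainer from dropping it as an unexplained property.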
From 020caf0b49dbfef8bc9ec7f02c93c3d5097bb932 Mon Sep 17 00:00:00 2001
From: Konstantin Kostiuk <kkostiuk@redhat.com>
Date: Fri, 3 Mar 2023 21:20:08 +0200
Subject: [PATCH] qga/win32: Use rundll for VSS installation
The custom action uses cmd.exe to run VSS Service installation
and removal which causes an interactive command shell to spawn.
This shell can be used to execute any commands as a SYSTEM user.
Even if call qemu-ga.exe directly the interactive command shell
will be spawned as qemu-ga.exe is a console application and used
by users from the console as well as a service.
As VSS Service runs from DLL which contains the installer and
uninstaller code, it can be run directly by rundll32.exe without
any interactive command shell.
Add specific entry points for rundll which is just a wrapper
for COMRegister/COMUnregister functions with proper arguments.
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 2 of 2)
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
---
qga/installer/qemu-ga.wxs | 10 +++++-----
qga/vss-win32/install.cpp | 9 +++++++++
qga/vss-win32/qga-vss.def | 2 ++
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index b62e709a4c..11b66a22e6 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -143,22 +143,22 @@
</Directory>
</Directory>
- <Property Id="cmd" Value="cmd.exe"/>
+ <Property Id="rundll" Value="rundll32.exe"/>
<Property Id="REINSTALLMODE" Value="amus"/>
<?ifdef var.InstallVss?>
<CustomAction Id="RegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
</CustomAction>
<CustomAction Id="UnRegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
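Review bot: the rundll property is the bare name rundll32.exe, the same unqualified form the replaced cmd property used; since both actions keep Impersonate="no" and run as SYSTEM, consider anchoring the executable to the system directory explicitly (for example a SetProperty that formats [SystemFolder]rundll32.exe into rundll at run time, or a CustomAction with Directory="SystemFolder") so the binary that is launched never depends on a path search. A short XML comment above the two CustomAction elements stating that rundll32 is used instead of qemu-ga.exe specifically to avoid spawning a console window (the rationale only appears in the commit message) would make the ExeCommand change self-explanatory.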
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
index b57508fbe0..68662a6dfc 100644
--- a/qga/vss-win32/install.cpp
+++ b/qga/vss-win32/install.cpp
@@ -357,6 +357,15 @@ out:
return hr;
}
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMRegister();
+}
+
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMUnregister();
+}
static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
{
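Review bot: both wrappers drop whatever COMRegister()/COMUnregister() return (the preceding context ends in `return hr;`), and a rundll32 entry point is void, so a failed VSS provider registration ends the custom action cleanly and the Return="check" on RegisterCom/UnRegisterCom in qemu-ga.wxs has nothing to act on. Suggest at least logging the failed result from the wrapper, or terminating the rundll32 process with a nonzero exit code when FAILED(hr), so a broken VSS setup shows up in the MSI log rather than installing silently. A comment above the pair noting that the four unnamed parameters are rundll32's fixed entry-point signature and are intentionally unused would also document why these differ from the existing COMRegister/COMUnregister.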
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
index 927782c31b..ee97a81427 100644
--- a/qga/vss-win32/qga-vss.def
+++ b/qga/vss-win32/qga-vss.def
@@ -1,6 +1,8 @@
LIBRARY "QGA-PROVIDER.DLL"
EXPORTS
+ DLLCOMRegister
+ DLLCOMUnregister
COMRegister PRIVATE
COMUnregister PRIVATE
DllCanUnloadNow PRIVATE
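Review bot: the two new exports are intentionally not PRIVATE, unlike COMRegister/COMUnregister directly below them, because rundll32 resolves the entry point by name at run time; a `;` comment in the .def saying so would stop someone from "tidying" them to PRIVATE later and silently breaking both custom actions. Listing them here is also what keeps the names undecorated so the `,DLLCOMRegister` form in ExeCommand matches the __stdcall functions.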


@ -317,7 +317,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
%endif
# To prevent rpmdev-bumpspec breakage
%global baserelease 14
%global baserelease 15
Summary: QEMU is a FAST! processor emulator
Name: qemu
@ -377,6 +377,8 @@ Patch: 0021-linux-user-use-max-instead-of-qemu32-qemu64-by-default.patch
#block: Fix memory alignment of requests (rhbz#2174139)
Patch: 0022-block-move-bdrv_qiov_is_aligned-to-file-posix.patch
Patch: 0023-block-use-the-request-length-for-iov-alignment.patch
# qga/win32: Fix local privilege escalation issue (CVE-2023-0664)
Patch: 0024-qga-win32-local-privilege-escalation.patch
BuildRequires: meson >= %{meson_version}
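Review bot: 0024-qga-win32-local-privilege-escalation.patch bundles two upstream commits (f45ee21 and 020caf0, both present in the added file), whereas the neighbouring rhbz#2174139 fix carries one upstream commit per file (0022 and 0023). Splitting it into 0024/0025 would keep the one-commit-per-patch convention and let each upstream change be dropped independently on a future rebase.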
@ -2742,6 +2744,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Sun Mar 26 2023 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-15
- qga/win32: Fix local privilege escalation issue (CVE-2023-0664) (rhbz#2175700)
* Tue Feb 28 2023 Eduardo Lima (Etrunko) <etrunko@redhat.com> - 2:7.0.0-14
- block: Fix memory alignment of requests (rhbz#2174139)
- Disable the tests on i686