
qga/win32: Use rundll for VSS installation

The custom action uses cmd.exe to run VSS Service installation
and removal which causes an interactive command shell to spawn.
This shell can be used to execute any commands as a SYSTEM user.
Even if qemu-ga.exe is called directly, an interactive command shell
is still spawned, because qemu-ga.exe is a console application that
is used from the console as well as run as a service.

As VSS Service runs from DLL which contains the installer and
uninstaller code, it can be run directly by rundll32.exe without
any interactive command shell.

Add specific entry points for rundll which is just a wrapper
for COMRegister/COMUnregister functions with proper arguments.

resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 2 of 2)

Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
Konstantin Kostiuk 2 年之前
父节点
当前提交
07ce178a2b
共有 3 个文件被更改,包括 16 次插入5 次删除
  1. 5 5
      qga/installer/qemu-ga.wxs
  2. 9 0
      qga/vss-win32/install.cpp
  3. 2 0
      qga/vss-win32/qga-vss.def

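--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -127,22 +127,22 @@
       </Directory>
     </Directory>
 
-    <Property Id="cmd" Value="cmd.exe"/>
+    <Property Id="rundll" Value="rundll32.exe"/>
     <Property Id="REINSTALLMODE" Value="amus"/>
 
     <?ifdef var.InstallVss?>
     <CustomAction Id="RegisterCom"
-              ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
+              ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
               Execute="deferred"
-              Property="cmd"
+              Property="rundll"
               Impersonate="no"
               Return="check"
               >
     </CustomAction>
     <CustomAction Id="UnRegisterCom"
-              ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
+              ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
               Execute="deferred"
-              Property="rundll"
+              Property="rundll"
               Impersonate="no"
               Return="check"
               >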
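Review bot: The `rundll` property holds the bare name `rundll32.exe`, so the deferred, non-impersonated RegisterCom and UnRegisterCom actions leave it to the process search order to choose the binary that runs as SYSTEM, and to choose one whose bitness matches qga-vss.dll. Resolving it to an absolute path under the system directory would remove that dependency; because `<Property>` values are not formatted strings, this probably needs a `SetProperty` action built from `[System64Folder]` or `[SystemFolder]` rather than a different `Value`. It is also worth confirming that `[qemu_ga_directory]` is writable only by administrators, since the DLL loaded from it executes with SYSTEM rights. The UnRegisterCom element continues past the end of the hunk.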

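--- a/qga/vss-win32/install.cpp
+++ b/qga/vss-win32/install.cpp
@@ -357,6 +357,15 @@ out:
     return hr;
 }
 
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
+{
+    COMRegister();
+}
+
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
+{
+    COMUnregister();
+}
 
 static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
 {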
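Review bot: `DLLCOMRegister` and `DLLCOMUnregister` discard whatever `COMRegister()` and `COMUnregister()` return, and a rundll32 entry point is `void`, so a failed VSS provider registration appears to have no path back to the installer. The custom actions in qemu-ga.wxs still declare `Return="check"`, which then presumably only reflects whether rundll32 itself could start; confirm whether the installer should fail in that case and, if so, surface the error explicitly (at minimum log it when the result indicates failure). Both wrappers also lack a comment; something like `/* rundll32 entry point used by the MSI custom action; all four arguments are ignored */` above each would explain the unnamed parameters.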

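--- a/qga/vss-win32/qga-vss.def
+++ b/qga/vss-win32/qga-vss.def
@@ -1,6 +1,8 @@
 LIBRARY      "QGA-PROVIDER.DLL"
 
 EXPORTS
+	DLLCOMRegister
+	DLLCOMUnregister
 	COMRegister		PRIVATE
 	COMUnregister		PRIVATE
 	DllCanUnloadNow		PRIVATE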
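Review bot: `DLLCOMRegister` and `DLLCOMUnregister` are exported without `PRIVATE`, unlike every other entry visible in this EXPORTS list, so they would also end up in any import library generated from the file. rundll32 looks the entry point up by name at run time, so `DLLCOMRegister PRIVATE` and `DLLCOMUnregister PRIVATE` should still work and would keep the list consistent. The EXPORTS list may continue past the end of the hunk.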