Static Code Analysis : fix non-absolute DLL/process loads that can be hijacked (Microsoft Security Advisory 2269637).

2024-11-10 13:13:34 +01:00 · 2014-07-09 02:20:39 +02:00 · 2014-07-09 02:20:39 +02:00 · f67748ae8e
commit f67748ae8e
parent d6817f941a
5 changed files with 66 additions and 11 deletions
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@ -1844,7 +1844,7 @@ void ExceptionHandlerThread (void *threadArg)

 	if (IDYES == MessageBoxW (0, msg, GetString ("EXCEPTION_REPORT_TITLE"), MB_ICONERROR | MB_YESNO | MB_DEFBUTTON1))
 		ShellExecute (NULL, "open", urlStr.c_str(), NULL, NULL, SW_SHOWNORMAL);
-	else*/
+	else */
 		UnhandledExceptionFilter (ep);
 }

@ -2276,6 +2276,7 @@ void InitApp (HINSTANCE hInstance, char *lpszCommandLine)
 {
 	WNDCLASS wc;
 	char langId[6];
+	char dllPath[MAX_PATH];

 	/* Save the instance handle for later */
 	hInst = hInstance;
@ -2442,8 +2443,12 @@ void InitApp (HINSTANCE hInstance, char *lpszCommandLine)
 		AbortProcess ("INIT_REGISTER");
 	}
 	
+	if (GetSystemDirectory(dllPath, MAX_PATH))
+		strcat(dllPath, "\\Riched20.dll");
+	else
+		strcpy(dllPath, "c:\\Windows\\System32\\Riched20.dll");
 	// Required for RichEdit text fields to work
-	if (LoadLibrary("Riched20.dll") == NULL)
+	if (LoadLibrary(dllPath) == NULL)
 	{
 		// This error is fatal e.g. because legal notices could not be displayed
 		handleWin32Error (NULL);
@ -6951,6 +6956,16 @@ BOOL PrintHardCopyTextUTF16 (wchar_t *text, char *title, int textByteLen)
 	strcat (cl, path);
 	strcat (cl, "\"");

+	// Get the absolute path for notepad
+	if (GetWindowsDirectory(filename, MAX_PATH))
+	{
+		if (filename[strlen (filename) - 1] != '\\')
+			strcat (filename, "\\");
+		strcat(filename, PRINT_TOOL);
+	}
+	else
+		strcpy(filename, "C:\\Windows\\" PRINT_TOOL);
+
 	WaitCursor ();
 	ShellExecute (NULL, "open", PRINT_TOOL, cl, NULL, SW_HIDE);
 	Sleep (6000);
@ -9496,7 +9511,7 @@ BOOL IsFileOnReadOnlyFilesystem (const char *path)

 void CheckFilesystem (int driveNo, BOOL fixErrors)
 {
-	wchar_t msg[1024], param[1024];
+	wchar_t msg[1024], param[1024], cmdPath[MAX_PATH];
 	char driveRoot[] = { 'A' + (char) driveNo, ':', 0 };

 	if (fixErrors && AskWarnYesNo ("FILESYS_REPAIR_CONFIRM_BACKUP") == IDNO)
@ -9505,7 +9520,14 @@ void CheckFilesystem (int driveNo, BOOL fixErrors)
 	wsprintfW (msg, GetString (fixErrors ? "REPAIRING_FS" : "CHECKING_FS"), driveRoot);
 	wsprintfW (param, fixErrors ? L"/C echo %s & chkdsk %hs /F /X & pause" : L"/C echo %s & chkdsk %hs & pause", msg, driveRoot);

-	ShellExecuteW (NULL, (!IsAdmin() && IsUacSupported()) ? L"runas" : L"open", L"cmd.exe", param, NULL, SW_SHOW);
+	if (GetSystemDirectoryW(cmdPath, MAX_PATH))
+	{
+		lstrcatW(cmdPath, L"\\cmd.exe");
+	}
+	else
+		lstrcpyW(cmdPath, L"C:\\Windows\\System32\\cmd.exe");
+
+	ShellExecuteW (NULL, (!IsAdmin() && IsUacSupported()) ? L"runas" : L"open", cmdPath, param, NULL, SW_SHOW);
 }


@ -9701,7 +9723,15 @@ BOOL IsWindowsIsoBurnerAvailable ()

 BOOL LaunchWindowsIsoBurner (HWND hwnd, const char *isoPath)
 {
-	int r = (int) ShellExecute (hwnd, "open", ISO_BURNER_TOOL, (string ("\"") + isoPath + "\"").c_str(), NULL, SW_SHOWNORMAL);
+	char path[MAX_PATH*2] = { 0 };
+	int r;
+
+	if (SUCCEEDED(SHGetFolderPath (NULL, CSIDL_SYSTEM, NULL, 0, path)))
+		strcat (path, "\\" ISO_BURNER_TOOL);
+	else
+		strcpy (path, "C:\\Windows\\System32\\" ISO_BURNER_TOOL);
+
+	r = (int) ShellExecute (hwnd, "open", path, (string ("\"") + isoPath + "\"").c_str(), NULL, SW_SHOWNORMAL);

 	if (r <= 32)
 	{
--- a/src/Common/Dlgcode.h
+++ b/src/Common/Dlgcode.h
@ -218,7 +218,7 @@ typedef struct
 #define YES_NO MB_YESNO

 #define	ISO_BURNER_TOOL "isoburn.exe"
-#define PRINT_TOOL "notepad"
+#define PRINT_TOOL "notepad.exe"

 void cleanup ( void );
 void LowerCaseCopy ( char *lpszDest , const char *lpszSource );
--- a/src/Common/Format.c
+++ b/src/Common/Format.c
@ -795,11 +795,21 @@ BOOLEAN __stdcall FormatExCallback (int command, DWORD subCommand, PVOID paramet

 BOOL FormatNtfs (int driveNo, int clusterSize)
 {
+	char dllPath[MAX_PATH] = {0};
 	WCHAR dir[8] = { (WCHAR) driveNo + 'A', 0 };
 	PFORMATEX FormatEx;
-	HMODULE hModule = LoadLibrary ("fmifs.dll");
+	HMODULE hModule;
 	int i;
 	
+	if (GetSystemDirectory (dllPath, MAX_PATH))
+	{
+		strcat(dllPath, "\\fmifs.dll");
+	}
+	else
+		strcpy(dllPath, "C:\\Windows\\System32\\fmifs.dll");
+	
+	hModule = LoadLibrary (dllPath);
+
 	if (hModule == NULL)
 		return FALSE;

--- a/src/Common/Random.c
+++ b/src/Common/Random.c
@ -573,7 +573,15 @@ BOOL SlowPoll (void)
 	{
 		/* Obtain a handle to the module containing the Lan Manager
 		   functions */
-		hNetAPI32 = LoadLibrary ("NETAPI32.DLL");
+		char dllPath[MAX_PATH];
+		if (GetSystemDirectory (dllPath, MAX_PATH))
+		{
+			strcat(dllPath, "\\NETAPI32.DLL");
+		}
+		else
+			strcpy(dllPath, "C:\\Windows\\System32\\NETAPI32.DLL");
+
+		hNetAPI32 = LoadLibrary (dllPath);
 		if (hNetAPI32 != NULL)
 		{
 			/* Now get pointers to the functions */
--- a/src/Setup/Setup.c
+++ b/src/Setup/Setup.c
@ -2012,7 +2012,14 @@ int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, char *lpszComm
 		}

 		// System Restore
-		SystemRestoreDll = LoadLibrary ("srclient.dll");
+		char dllPath[MAX_PATH];
+		if (GetSystemDirectory (dllPath, MAX_PATH))
+		{
+			strcat(dllPath, "\\srclient.dll");
+		}
+		else
+			strcpy(dllPath, "C:\\Windows\\System32\\srclient.dll");
+		SystemRestoreDll = LoadLibrary (dllPath);

 		if (!bUninstall)
 		{