[Spice-devel] [nsis 1/2] Properly quote path to service binaries

Christophe Fergeau cfergeau at redhat.com
Tue Dec 19 14:51:52 UTC 2017


On Sat, Dec 16, 2017 at 04:14:49AM -0500, Frediano Ziglio wrote:
> > 
> > If these paths are unquoted, and the path contains spaces (C:\Program
> > Files (x86)\...), this could be exploited by putting a binary with a
> > crafted name (C:\Program.exe), leading to privilege escalation as this
> > is a service that is being started.
> > 
> > https://www.commonexploits.com/unquoted-service-paths/
> > 
> > Bug reported by Chris Moberly
> 
> Yes, this is documented in CreateProcess and CreateService, specifically
> https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx
> and
> https://msdn.microsoft.com/en-us/library/windows/desktop/ms682450(v=vs.85).aspx
> 
> > ---
> >  win-guest-tools.nsis | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/win-guest-tools.nsis b/win-guest-tools.nsis
> > index c54608a..dfcee1d 100644
> > --- a/win-guest-tools.nsis
> > +++ b/win-guest-tools.nsis
> > @@ -114,7 +114,7 @@ Section "install"
> >    CreateDirectory "$INSTDIR\hooks\after_migration"
> >    CreateDirectory "$INSTDIR\hooks\before_migration"
> >  
> > -  ExecWait "$INSTDIR\vcredist_x86.exe /q"
> > +  ExecWait '"$INSTDIR\vcredist_x86.exe /q"'
> >  !endif
> >  
> >    SetOutPath "$INSTDIR\32"
> 
> No, you should not quote the argument together, should be
> 
>    ExecWait '"$INSTDIR\vcredist_x86.exe" /q'

Indeed, thanks.

> 
> > @@ -326,7 +326,7 @@ Function InstallDriver
> >    Pop $0
> >    StrCpy $1 $R1
> >    Push $1
> > -  StrCpy $2 "$INSTDIR\drivers\$0"
> > +  StrCpy $2 '"$INSTDIR\drivers\$0"'
> >    Push $2
> >    StrCpy $3 "$2\$R1.inf"
> >    Push $3
> 
> These are used to call SetupCopyOEMInf (https://msdn.microsoft.com/en-us/library/windows/desktop/aa376990(v=vs.85).aspx)
> which does not need quoting or are used with right quoting so quoting twice
> is not correct.

This did not seem to make a difference in my testing, so I kept it, but
I agree for driver installation it's probably less of an issue.

Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20171219/fd5da172/attachment.sig>


More information about the Spice-devel mailing list