[Spice-devel] [nsis] Properly quote path to service binaries
Christophe Fergeau
cfergeau at redhat.com
Mon Oct 16 13:03:09 UTC 2017
If these paths are unquoted, and the path contains spaces (C:\Program
Files (x86)\...), this could be exploited by putting a binary with a
crafted name (C:\Program.exe), leading to priviledge escalation as this
is a service that is being started.
https://www.commonexploits.com/unquoted-service-paths/
Bug reported by Chris Moberly
---
win-guest-tools.nsis | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/win-guest-tools.nsis b/win-guest-tools.nsis
index c23bf1d..908bf07 100644
--- a/win-guest-tools.nsis
+++ b/win-guest-tools.nsis
@@ -114,7 +114,7 @@ Section "install"
CreateDirectory "$INSTDIR\hooks\after_migration"
CreateDirectory "$INSTDIR\hooks\before_migration"
- ExecWait "$INSTDIR\vcredist_x86.exe /q"
+ ExecWait '"$INSTDIR\vcredist_x86.exe /q"'
!endif
SetOutPath "$INSTDIR\32"
@@ -326,7 +326,7 @@ Function InstallDriver
Pop $0
StrCpy $1 $R1
Push $1
- StrCpy $2 "$INSTDIR\drivers\$0"
+ StrCpy $2 '"$INSTDIR\drivers\$0"'
Push $2
StrCpy $3 "$2\$R1.inf"
Push $3
@@ -416,7 +416,7 @@ Function InstallService
${endif}
DetailPrint "Installing $R2 service"
- SimpleSC::InstallService $R0 $R2 16 2 $R1 "" "" ""
+ SimpleSC::InstallService $R0 $R2 16 2 '"$R1"' "" "" ""
Pop $0
${if} $0 != 0
DetailPrint "Failed to install $R2 service: $0"
--
2.13.6
More information about the Spice-devel
mailing list