[Spice-devel] [nsis] Properly quote path to service binaries

Christophe Fergeau cfergeau at redhat.com
Mon Oct 16 13:03:09 UTC 2017


If these paths are unquoted, and the path contains spaces (C:\Program
Files (x86)\...), this could be exploited by putting a binary with a
crafted name (C:\Program.exe), leading to priviledge escalation as this
is a service that is being started.

https://www.commonexploits.com/unquoted-service-paths/

Bug reported by Chris Moberly
---
 win-guest-tools.nsis | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/win-guest-tools.nsis b/win-guest-tools.nsis
index c23bf1d..908bf07 100644
--- a/win-guest-tools.nsis
+++ b/win-guest-tools.nsis
@@ -114,7 +114,7 @@ Section "install"
   CreateDirectory "$INSTDIR\hooks\after_migration"
   CreateDirectory "$INSTDIR\hooks\before_migration"
 
-  ExecWait "$INSTDIR\vcredist_x86.exe /q"
+  ExecWait '"$INSTDIR\vcredist_x86.exe /q"'
 !endif
 
   SetOutPath "$INSTDIR\32"
@@ -326,7 +326,7 @@ Function InstallDriver
   Pop $0
   StrCpy $1 $R1
   Push $1
-  StrCpy $2 "$INSTDIR\drivers\$0"
+  StrCpy $2 '"$INSTDIR\drivers\$0"'
   Push $2
   StrCpy $3 "$2\$R1.inf"
   Push $3
@@ -416,7 +416,7 @@ Function InstallService
   ${endif}
 
   DetailPrint "Installing $R2 service"
-  SimpleSC::InstallService $R0 $R2 16 2 $R1 "" "" ""
+  SimpleSC::InstallService $R0 $R2 16 2 '"$R1"' "" "" ""
   Pop $0
   ${if} $0 != 0
     DetailPrint "Failed to install $R2 service: $0"
-- 
2.13.6



More information about the Spice-devel mailing list