[Spice-devel] [nsis] Properly quote path to service binaries

Yedidyah Bar David didi at redhat.com
Mon Oct 16 13:08:20 UTC 2017


Looks good to me. Minor comment below. Adding also others.

On Mon, Oct 16, 2017 at 4:03 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> If these paths are unquoted, and the path contains spaces (C:\Program
> Files (x86)\...), this could be exploited by putting a binary with a
> crafted name (C:\Program.exe), leading to priviledge escalation as this

privilege

> is a service that is being started.
>
> https://www.commonexploits.com/unquoted-service-paths/
>
> Bug reported by Chris Moberly
> ---
>  win-guest-tools.nsis | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/win-guest-tools.nsis b/win-guest-tools.nsis
> index c23bf1d..908bf07 100644
> --- a/win-guest-tools.nsis
> +++ b/win-guest-tools.nsis
> @@ -114,7 +114,7 @@ Section "install"
>    CreateDirectory "$INSTDIR\hooks\after_migration"
>    CreateDirectory "$INSTDIR\hooks\before_migration"
>
> -  ExecWait "$INSTDIR\vcredist_x86.exe /q"
> +  ExecWait '"$INSTDIR\vcredist_x86.exe /q"'
>  !endif
>
>    SetOutPath "$INSTDIR\32"
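Review bot: In the ExecWait line the closing double quote comes after /q, so the quoted string is the whole of `$INSTDIR\vcredist_x86.exe /q` and the switch becomes part of the executable path instead of an argument. Quote only the path and leave the switch outside: `ExecWait '"$INSTDIR\vcredist_x86.exe" /q'`.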
> @@ -326,7 +326,7 @@ Function InstallDriver
>    Pop $0
>    StrCpy $1 $R1
>    Push $1
> -  StrCpy $2 "$INSTDIR\drivers\$0"
> +  StrCpy $2 '"$INSTDIR\drivers\$0"'
>    Push $2
>    StrCpy $3 "$2\$R1.inf"
>    Push $3
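Review bot: $2 now carries literal double quotes, but the context line `StrCpy $3 "$2\$R1.inf"` two lines below builds the .inf path from it, which leaves the closing quote in the middle of the path ("...\drivers\$0"\$R1.inf). Either keep $2 unquoted and add the quotes at the point where the value is placed on a command line, or build $3 from the unquoted directory.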
> @@ -416,7 +416,7 @@ Function InstallService
>    ${endif}
>
>    DetailPrint "Installing $R2 service"
> -  SimpleSC::InstallService $R0 $R2 16 2 $R1 "" "" ""
> +  SimpleSC::InstallService $R0 $R2 16 2 '"$R1"' "" "" ""
>    Pop $0
>    ${if} $0 != 0
>      DetailPrint "Failed to install $R2 service: $0"
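Review bot: Quoting $R1 in the SimpleSC::InstallService call is only correct if $R1 holds the binary path alone; the hunk does not show where $R1 is set, and any arguments carried in it would end up inside the quotes. A short comment above the call saying that $R1 is a bare path and why it is quoted would keep later edits from reintroducing the unquoted form.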
> --
> 2.13.6
>



-- 
Didi
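
An added example, not part of the original thread or of the SPICE installer: a Python check that classifies service command lines the way the commit message describes, flagging unquoted paths with spaces and listing the locations worth auditing for unexpected files. The sample paths, the function name and the status labels are constructed for illustration.

```python
import re

# End of the executable name: ".exe" followed by whitespace or end of string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def audit_image_path(image_path):
    """Classify a service command line; return (status, paths_to_check)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return ("malformed", [])
        inner = s[1:end]
        m = _EXE_END.search(inner)
        # Quotes that also wrap the arguments do not name a real executable.
        if m and inner[m.end():].strip():
            return ("quoted-includes-arguments", [])
        return ("quoted", [])
    m = _EXE_END.search(s)
    exe = s[:m.end()] if m else s
    if " " not in exe:
        return ("unquoted-no-space", [])
    # Windows tries each space-delimited prefix as the program name and
    # appends .exe when the prefix has no extension of its own.
    paths = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            last = prefix.rsplit("\\", 1)[-1]
            paths.append(prefix if "." in last else prefix + ".exe")
    return ("unquoted-with-space", paths)

# Constructed sample values, as they might be exported from service ImagePath entries.
SAMPLES = [
    r'"C:\Program Files (x86)\Example Tools\svc.exe"',
    r'C:\Program Files (x86)\Example Tools\svc.exe',
    r'C:\Windows\system32\svchost.exe -k netsvcs',
    r'"C:\Program Files (x86)\Example Tools\vcredist_x86.exe /q"',
]

def report(samples=SAMPLES):
    return {s: audit_image_path(s) for s in samples}

if __name__ == "__main__":
    for path, (status, to_check) in report().items():
        print(f"{status:28} {path}")
        for p in to_check:
            print(f"{'':28}   audit: {p}")
```
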

