From patchwork Tue Feb 21 11:21:55 2023
From: Konstantin Kostiuk <kkostiuk@redhat.com>
To: qemu-devel@nongnu.org
Cc: Daniel P. Berrangé, Philippe Mathieu-Daudé, Bin Meng, Stefan Weil, Yonggang Luo, Markus Armbruster, Alex Bennée, Peter Maydell, Gerd Hoffmann, "Michael S. Tsirkin", Thomas Huth, Marc-André Lureau, Michael Roth, Mauro Matteo Cascella, Yan Vugenfirer, Evgeny Iakovlev, Andrey Drobyshev, Xuzhou Cheng, brian.wiltse@live.com
Subject: [PATCH v2 0/2] QGA installer fixes
Date: Tue, 21 Feb 2023 13:21:55 +0200
Message-Id: <20230221112157.418648-1-kkostiuk@redhat.com>

resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664

CVE Technical details:

The cached installer for QEMU Guest Agent in c:\windows\installer
(https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs)
can be leveraged to begin a repair of the installation without validation
that the repair is being performed by an administrative user. The MSI repair
custom actions "RegisterCom" and "UnregisterCom" are not set for
impersonation, which allows the actions to occur as the SYSTEM account
(lines 137 and 145 of qemu-ga.wxs). The custom action also leverages cmd.exe
to run qemu-ga.exe in lines 134 and 142, which causes an interactive command
shell to spawn even though the MSI is set to be non-interactive on line 53.

v1: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05661.html

v1 -> v2: Add explanation into commit messages

Konstantin Kostiuk (2):
  qga/win32: Remove change action from MSI installer
  qga/win32: Use rundll for VSS installation

 qga/installer/qemu-ga.wxs | 11 ++++++-----
 qga/vss-win32/install.cpp |  9 +++++++++
 qga/vss-win32/qga-vss.def |  2 ++
 3 files changed, 17 insertions(+), 5 deletions(-)

Reported-by: Brian Wiltse

-- 
2.25.1
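The report above describes a combination that is worth checking for on any Windows host, not only for qemu-ga: a cached package under C:\Windows\Installer whose repair path (msiexec's /f switch, which a standard user can start) reaches a deferred custom action marked Impersonate="no" in WiX (the msidbCustomActionTypeNoImpersonate bit, 0x800, in the CustomAction table), so that the action runs as LocalSystem, and whose command line is cmd.exe rather than the product's own binary. The PowerShell audit below is an added example written for this page; it is not code from the QEMU project or from the patch series, and it does not reproduce the exact lines of qemu-ga.wxs. It assumes only the WindowsInstaller.Installer COM automation interface and the CustomAction.Type flag values from msi.h; the function names (Invoke-Com, Get-MsiCustomActions, Find-SystemShellCustomActions) and the cmd.exe regex are mine.

```powershell
<#
Added example (not part of the QEMU patch series or qemu-ga.wxs): enumerate the
cached MSI package of every registered product and list custom actions that
are EXE-type, deferred, run without impersonation (LocalSystem) and launch
cmd.exe, i.e. the pattern described in the CVE-2023-0664 report.
Assumes the WindowsInstaller.Installer COM interface; flag values are from msi.h.
#>

# CustomAction.Type flag bits (msi.h).
$InScript      = 0x400   # msidbCustomActionTypeInScript: deferred action
$NoImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate: runs as LocalSystem
$HideTarget    = 0x2000  # msidbCustomActionTypeHideTarget: command line kept out of the log

function Invoke-Com {
    # WindowsInstaller objects are IDispatch-only, so members are reached by
    # reflection instead of dot notation. $Kind is 'InvokeMethod' or 'GetProperty'.
    param($Object, [string]$Member, [string]$Kind, $Arguments = $null)
    $Object.GetType().InvokeMember($Member, $Kind, $null, $Object, $Arguments)
}

function Get-MsiCustomActions {
    # Emits one object per row of the CustomAction table in the package at $Path.
    param([string]$Path, [string]$ProductName)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($Path, 0)   # 0 = msiOpenDatabaseModeReadOnly
    try {
        $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`')
    } catch {
        return   # package has no CustomAction table
    }
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    while ($true) {
        $rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null
        if ($null -eq $rec) { break }
        $action = [string](Invoke-Com $rec 'StringData'  'GetProperty' @(1))
        $type   = [int]   (Invoke-Com $rec 'IntegerData' 'GetProperty' @(2))
        $source = [string](Invoke-Com $rec 'StringData'  'GetProperty' @(3))
        $target = [string](Invoke-Com $rec 'StringData'  'GetProperty' @(4))

        # Type 50 = EXE whose path comes from a property (WiX Property="..."),
        # so resolve the property value; otherwise a launcher such as cmd.exe
        # stored as a property value would not appear in the command line.
        if (($type -band 0x3F) -eq 50) {
            $q = 'SELECT `Value` FROM `Property` WHERE `Property` = ''{0}''' -f $source
            try {
                $pv = Invoke-Com $db 'OpenView' 'InvokeMethod' @($q)
                Invoke-Com $pv 'Execute' 'InvokeMethod' $null | Out-Null
                $prow = Invoke-Com $pv 'Fetch' 'InvokeMethod' $null
                if ($null -ne $prow) { $source = [string](Invoke-Com $prow 'StringData' 'GetProperty' @(1)) }
            } catch { }
        }

        $deferred = ($type -band $InScript) -ne 0
        [pscustomobject]@{
            Product      = $ProductName
            Action       = $action
            Type         = $type
            IsExe        = (($type -band 0x07) -eq 2)                       # base types 2/18/34/50
            RunsAsSystem = $deferred -and (($type -band $NoImpersonate) -ne 0)
            HiddenTarget = (($type -band $HideTarget) -ne 0)
            Command      = ("$source $target").Trim()
        }
    }
}

function Find-SystemShellCustomActions {
    # Walk every registered product, open its cached package (LocalPackage, normally
    # C:\Windows\Installer\*.msi) and keep the LocalSystem EXE actions that run cmd.exe.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $products  = Invoke-Com $installer 'Products' 'GetProperty' $null
    $count     = [int](Invoke-Com $products 'Count' 'GetProperty' $null)
    for ($i = 0; $i -lt $count; $i++) {
        $code = [string](Invoke-Com $products 'Item' 'GetProperty' @($i))
        $name = [string](Invoke-Com $installer 'ProductInfo' 'GetProperty' @($code, 'ProductName'))
        $pkg  = [string](Invoke-Com $installer 'ProductInfo' 'GetProperty' @($code, 'LocalPackage'))
        if (-not $pkg -or -not (Test-Path -LiteralPath $pkg)) { continue }
        Get-MsiCustomActions -Path $pkg -ProductName $name |
            Where-Object { $_.IsExe -and $_.RunsAsSystem -and
                           $_.Command -match '(?i)(^|[\\\s"])cmd(\.exe)?([\s"]|$)' }
    }
}

Find-SystemShellCustomActions | Format-Table Product, Action, Type, HiddenTarget, Command -AutoSize
```

Run it as a standard user: the cached packages are readable by non-administrators, which is precisely what makes the repair path reachable without elevation. Every row returned combines the three properties the report calls out (repair-reachable package, LocalSystem execution, a command interpreter as the launched program); dropping the `-match` on cmd.exe from the filter lists every non-impersonated EXE action instead, which is the broader review list when assessing whether a package's repair can be abused. Whether a given action is actually scheduled during repair still has to be confirmed from the package's InstallExecuteSequence table, which this script does not inspect.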