From patchwork Fri Mar 3 19:20:06 2023
X-Patchwork-Submitter: Konstantin Kostiuk
X-Patchwork-Id: 13159429
From: Konstantin Kostiuk
To: qemu-devel@nongnu.org
Cc: Daniel P. Berrangé, Philippe Mathieu-Daudé, Bin Meng, Stefan Weil, Yonggang Luo, Markus Armbruster, Alex Bennée, Peter Maydell, Gerd Hoffmann, "Michael S. Tsirkin", Thomas Huth, Marc-André Lureau, Michael Roth, Mauro Matteo Cascella, Yan Vugenfirer, Evgeny Iakovlev, Andrey Drobyshev, Xuzhou Cheng, brian.wiltse@live.com
Subject: [PATCH v3 0/2] QGA installer fixes
Date: Fri, 3 Mar 2023 21:20:06 +0200
Message-Id: <20230303192008.109549-1-kkostiuk@redhat.com>

resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664
(2 parts)

CVE Technical details:
The cached installer for QEMU Guest Agent in c:\windows\installer
(https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs) can be
leveraged to begin a repair of the installation without validation that the
repair is being performed by an administrative user. The MSI repair custom
actions "RegisterCom" and "UnregisterCom" are not set for impersonation, which
allows the actions to occur as the SYSTEM account (lines 137 and 145 of
qemu-ga.wxs). The custom actions also leverage cmd.exe to run qemu-ga.exe in
lines 134 and 142, which causes an interactive command shell to spawn even
though the MSI is set to be non-interactive on line 53.

Reported-by: Brian Wiltse

v2: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05979.html
v2 -> v3: Minor fix in commit messages

v1: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05661.html
v1 -> v2: Add explanation into commit messages

Konstantin Kostiuk (2):
  qga/win32: Remove change action from MSI installer
  qga/win32: Use rundll for VSS installation

 qga/installer/qemu-ga.wxs | 11 ++++++-----
 qga/vss-win32/install.cpp |  9 +++++++++
 qga/vss-win32/qga-vss.def |  2 ++
 3 files changed, 17 insertions(+), 5 deletions(-)

-- 
2.25.1
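The two conditions the cover letter describes (a deferred custom action that is not impersonated, so a repair started by a standard user runs it as SYSTEM, and an EXE custom action whose command line goes through cmd.exe) are both visible in the CustomAction table of the package itself. The script below is an added example for auditing that table on a Windows host; it is not part of the QEMU patch series or the qemu-ga installer. It reads the package through the WindowsInstaller.Installer COM interface, and the Type bit values it tests (0x400 for in-script/deferred execution, 0x800 for no impersonation, low bits 2 for an EXE action) are the documented Windows Installer values. The function and parameter names are this example's own.

```powershell
# Added example, not part of the QEMU patch series or the qemu-ga installer:
# audit the CustomAction table of one or more MSI packages for the two
# conditions the cover letter describes. Requires Windows (uses the
# WindowsInstaller.Installer COM automation interface).
param(
    # Path to a specific .msi. When omitted, every package cached under
    # C:\Windows\Installer is scanned; those cached copies are what
    # "msiexec /f" (repair) reads, and a repair can be started by any user.
    [string]$MsiPath
)

# Bit values of the CustomAction.Type column (Windows Installer documentation).
$BasicTypeMask = 0x007   # low bits select the action kind
$TypeExe       = 0x002   # run an executable
$InScript      = 0x400   # msidbCustomActionTypeInScript: deferred, in the install script
$NoImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate: run as LocalSystem, not the user

function Invoke-MsiMember {
    # Late-bound COM call. Direct method syntax on WindowsInstaller.Installer
    # objects is unreliable from PowerShell, so go through InvokeMember.
    param($Object, [string]$Name, [string]$Kind, $Arguments)
    return $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-MsiCustomActions {
    # Returns one object per row of the package's CustomAction table.
    param([string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = Invoke-MsiMember $installer 'OpenDatabase' 'InvokeMethod' @($Path, 0)   # 0 = read-only
    $view = Invoke-MsiMember $db 'OpenView' 'InvokeMethod' @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`')
    Invoke-MsiMember $view 'Execute' 'InvokeMethod' $null | Out-Null
    $rows = @()
    while ($true) {
        $rec = Invoke-MsiMember $view 'Fetch' 'InvokeMethod' $null
        if ($null -eq $rec) { break }
        $rows += [pscustomobject]@{
            Action = Invoke-MsiMember $rec 'StringData'  'GetProperty' @(1)
            Type   = Invoke-MsiMember $rec 'IntegerData' 'GetProperty' @(2)
            Source = Invoke-MsiMember $rec 'StringData'  'GetProperty' @(3)
            Target = Invoke-MsiMember $rec 'StringData'  'GetProperty' @(4)
        }
    }
    Invoke-MsiMember $view 'Close' 'InvokeMethod' $null | Out-Null
    return $rows
}

function Test-CustomAction {
    # Classifies one CustomAction row. RunsAsSystem: deferred and not
    # impersonated, so a repair launched by a standard user executes it as
    # SYSTEM. SpawnsCmd: an EXE action whose command line is handed to cmd.exe,
    # which is what produced the interactive console window in the report.
    param($Row)
    $deferredNoImpersonate = (($Row.Type -band $InScript) -ne 0) -and (($Row.Type -band $NoImpersonate) -ne 0)
    $isExe  = (($Row.Type -band $BasicTypeMask) -eq $TypeExe)
    $viaCmd = $isExe -and ($Row.Target -match '(^|[\\\s"])cmd(\.exe)?(\s|"|$)')
    [pscustomobject]@{
        Action       = $Row.Action
        Type         = ('0x{0:X}' -f $Row.Type)
        RunsAsSystem = $deferredNoImpersonate
        SpawnsCmd    = $viaCmd
        Target       = $Row.Target
    }
}

function Find-RiskyCustomActions {
    param([string[]]$Packages)
    foreach ($pkg in $Packages) {
        try { $actions = Get-MsiCustomActions -Path $pkg }
        catch { continue }    # no CustomAction table, or package not readable
        foreach ($row in $actions) {
            $r = Test-CustomAction -Row $row
            if ($r.RunsAsSystem -or $r.SpawnsCmd) {
                $r | Add-Member -NotePropertyName Package -NotePropertyValue $pkg -PassThru
            }
        }
    }
}

$packages = if ($MsiPath) { @($MsiPath) }
            else { (Get-ChildItem -Path 'C:\Windows\Installer' -Filter '*.msi' -File).FullName }

Find-RiskyCustomActions -Packages $packages |
    Sort-Object Package, Action |
    Format-Table Package, Action, Type, RunsAsSystem, SpawnsCmd, Target -AutoSize -Wrap
```

Run it with -MsiPath pointing at the guest agent package to see the RegisterCom/UnregisterCom rows, or with no arguments to sweep the cached packages of every product installed on the machine. A RunsAsSystem hit is normal for installers that must touch HKLM or register services and is not exploitable by itself; what made this case matter is the combination of a user-startable repair, a SYSTEM-context action, and a cmd.exe console that the user at the desktop can interact with, which is why the fix replaces the cmd.exe invocation rather than merely flipping the impersonation bit.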