From 967a3b9419a3c12b8c0870c86d1ee3840bcbbad7 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 30 May 2017 13:35:59 -0700
Subject: [PATCH] [master] quote service registry paths

4532. [security] The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. (CVE-2017-3141) [RT #45229]

---
 CHANGES | 4 ++++
 bin/win32/BINDInstall/BINDInstallDlg.cpp | 29 +++++++++++++++++++++---
 doc/arm/notes.xml | 7 ++++++
 3 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 64ebb2d70e..5bcd16e1a3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4532. [security] The BIND installer on Windows used an unquoted
+ service path, which can enable privilege escalation.
+ (CVE-2017-3141) [RT #45229]
+
 4531. [security] Some RPZ configurations could go into an infinite
 query loop when encountering responses with TTL=0.
 (CVE-2017-3140) [RT #45181]
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 041f651a1b..3569f8d352 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -50,6 +50,7 @@
 #include "DirBrowse.h"
 #include
 #include
+#include
 #include
 #include
 #include
@@ -615,8 +616,16 @@ void CBINDInstallDlg::OnInstall() {
 (LPBYTE)(LPCTSTR)buf, buf.GetLength());
 buf.Format("%s\\BINDInstall.exe", m_binDir);
+
+ CStringA installLocA(buf);
+ const char *str = (const char *) installLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
 RegSetValueEx(hKey, "UninstallString", 0, REG_SZ,
- (LPBYTE)(LPCTSTR)buf, buf.GetLength());
+ (LPBYTE)(LPCTSTR)pathBuffer, strlen(pathBuffer));
 RegCloseKey(hKey);
 }
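Review bot: The quoting added in OnInstall can silently fail and still register an unquoted path: as I read its documentation, `PathQuoteSpaces()` is specified against a buffer of at least MAX_PATH characters and leaves the string untouched when the quoted result would not fit, and its BOOL return does not distinguish that case from "no spaces present", so nothing here detects it, while the preceding `strncpy` into `pathBuffer[2 * MAX_PATH]` likewise truncates an over-long `m_binDir` without any signal and yields a wrong command. A length check before quoting, with the install aborted through the installer's existing error path when it fails, closes that gap, and since the same six lines are repeated verbatim in the RegisterService and UpdateService hunks a small static helper keeps all three call sites consistent (sketched below; the error handling at each caller is not shown). Independently, `strlen(pathBuffer)` as the REG_SZ size omits the terminating NUL that RegSetValueEx documents as part of cbData; this is pre-existing, since the removed line had the same form with `buf.GetLength()`, but `strlen(pathBuffer) + 1` is the documented size while the line is being touched. The name of the header in the added `#include` is lost in this rendering; presumably it is the one that declares PathQuoteSpaces. OnInstall's body begins outside the hunk.
```cpp
/*
 * Copy 'path' into 'out' and wrap it in quotes if it contains spaces,
 * so that neither the service control manager nor the uninstall
 * launcher can split the command at a space.  Returns FALSE, leaving
 * 'out' unspecified, when the path is too long to hold or too long
 * for PathQuoteSpaces() to quote, rather than silently registering an
 * unquoted or truncated command.
 */
static BOOL
QuoteServicePath(const CString &path, char *out, size_t outlen) {
	CStringA pathA(path);
	size_t len = strlen((const char *) pathA);

	/*
	 * Room for two quote characters plus the terminator; the MAX_PATH
	 * bound is conservative, since PathQuoteSpaces() is documented
	 * against a MAX_PATH buffer.
	 */
	if (len + 3 > outlen || len + 3 > MAX_PATH)
		return (FALSE);
	memcpy(out, (const char *) pathA, len + 1);
	PathQuoteSpaces(out);
	return (TRUE);
}

/* … in OnInstall, replacing the strncpy/PathQuoteSpaces sequence … */
	char pathBuffer[2 * MAX_PATH];
	if (!QuoteServicePath(buf, pathBuffer, sizeof(pathBuffer))) {
		/* report the failure and abort the install via the usual error path */
	}
	RegSetValueEx(hKey, "UninstallString", 0, REG_SZ,
		(LPBYTE)(LPCTSTR)pathBuffer, strlen(pathBuffer) + 1);
```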
@@ -1011,10 +1020,17 @@ CBINDInstallDlg::RegisterService() {
 CString namedLoc;
 namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+ CStringA namedLocA(namedLoc);
+ const char *str = (const char *) namedLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
 SetCurrent(IDS_CREATE_SERVICE);
 hService = CreateService(hSCManager, BIND_SERVICE_NAME, BIND_DISPLAY_NAME, SERVICE_ALL_ACCESS, dwServiceType, dwStart,
- SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL, StartName,
+ SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL, StartName,
 m_accountPassword);
 if (!hService && GetLastError() != ERROR_SERVICE_EXISTS)
@@ -1053,6 +1069,13 @@ CBINDInstallDlg::UpdateService(CString StartName) {
 CString namedLoc;
 namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+ CStringA namedLocA(namedLoc);
+ const char *str = (const char *) namedLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
 SetCurrent(IDS_OPEN_SERVICE);
 hService = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_CHANGE_CONFIG);
@@ -1064,7 +1087,7 @@ CBINDInstallDlg::UpdateService(CString StartName) {
 return;
 } else {
 if (ChangeServiceConfig(hService, dwServiceType, dwStart,
- SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL,
+ SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL,
 StartName, m_accountPassword, BIND_DISPLAY_NAME) != TRUE) {
 DWORD err = GetLastError();
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 2b1230f915..6711acaaf8 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -67,6 +67,13 @@
Security Fixes
+
+
+ The BIND installer on Windows used an unquoted service path,
+ which can enable privilege escalation. This flaw is disclosed
+ in CVE-2017-3141. [RT #45229]
+
+
 With certain RPZ configurations, a response with TTL 0