Commit 967a3b94 authored by Evan Hunt's avatar Evan Hunt

[master] quote service registry paths

4532.	[security]	The BIND installer on Windows used an unquoted
                        service path, which can enable privilege escalation.
			(CVE-2017-3141) [RT #45229]
parent 2648c49b
4532. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
4531. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
......@@ -50,6 +50,7 @@
#include "DirBrowse.h"
#include <winsvc.h>
#include <shlobj.h>
#include <shlwapi.h>
#include <named/ntservice.h>
#include <isc/bind_registry.h>
#include <isc/ntgroups.h>
......@@ -615,8 +616,16 @@ void CBINDInstallDlg::OnInstall() {
(LPBYTE)(LPCTSTR)buf, buf.GetLength());
buf.Format("%s\\BINDInstall.exe", m_binDir);
CStringA installLocA(buf);
const char *str = (const char *) installLocA;
char pathBuffer[2 * MAX_PATH];
strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
pathBuffer[sizeof(pathBuffer) - 1] = 0;
PathQuoteSpaces(pathBuffer);
RegSetValueEx(hKey, "UninstallString", 0, REG_SZ,
(LPBYTE)(LPCTSTR)buf, buf.GetLength());
(LPBYTE)(LPCTSTR)pathBuffer, strlen(pathBuffer));
RegCloseKey(hKey);
}
......@@ -1011,10 +1020,17 @@ CBINDInstallDlg::RegisterService() {
CString namedLoc;
namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
CStringA namedLocA(namedLoc);
const char *str = (const char *) namedLocA;
char pathBuffer[2 * MAX_PATH];
strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
pathBuffer[sizeof(pathBuffer) - 1] = 0;
PathQuoteSpaces(pathBuffer);
SetCurrent(IDS_CREATE_SERVICE);
hService = CreateService(hSCManager, BIND_SERVICE_NAME,
BIND_DISPLAY_NAME, SERVICE_ALL_ACCESS, dwServiceType, dwStart,
SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL, StartName,
SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL, StartName,
m_accountPassword);
if (!hService && GetLastError() != ERROR_SERVICE_EXISTS)
......@@ -1053,6 +1069,13 @@ CBINDInstallDlg::UpdateService(CString StartName) {
CString namedLoc;
namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
CStringA namedLocA(namedLoc);
const char *str = (const char *) namedLocA;
char pathBuffer[2 * MAX_PATH];
strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
pathBuffer[sizeof(pathBuffer) - 1] = 0;
PathQuoteSpaces(pathBuffer);
SetCurrent(IDS_OPEN_SERVICE);
hService = OpenService(hSCManager, BIND_SERVICE_NAME,
SERVICE_CHANGE_CONFIG);
......@@ -1064,7 +1087,7 @@ CBINDInstallDlg::UpdateService(CString StartName) {
return;
} else {
if (ChangeServiceConfig(hService, dwServiceType, dwStart,
SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL,
SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL,
StartName, m_accountPassword, BIND_DISPLAY_NAME)
!= TRUE) {
DWORD err = GetLastError();
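Review bot: In RegisterService the `strncpy` into `pathBuffer` silently truncates a path longer than `2 * MAX_PATH - 1`, so an over-long m_targetDir would register the service with a partial binary path instead of failing; the identical copy-and-quote sequence in UpdateService and OnInstall has the same gap. A length check before the copy, `if (strlen(str) + 3 > sizeof(pathBuffer))` with the +3 covering the two quotes PathQuoteSpaces adds plus the terminator, would make the failure explicit, and since the six lines are repeated three times a small static helper would keep the call sites consistent, as sketched below; bounding the accepted length to MAX_PATH in that helper would also respect the buffer size PathQuoteSpaces is documented to expect. Separately, in OnInstall the new `strlen(pathBuffer)` passed as cbData for the REG_SZ UninstallString keeps the pre-existing omission of the terminating NUL, which the REG_SZ contract asks to be included, so `strlen(pathBuffer) + 1` would be correct there. RegisterService begins and ends outside the hunk, so the sketch stops at the quoted-path computation and leaves error reporting to the function's existing failure path.
```cpp
/*
 * Copy 'src' into 'dst' (dstlen bytes) and quote it if it contains
 * spaces, so the service control manager cannot split the binary path
 * at the first space.  Fails instead of truncating: a partial path
 * must never be registered as the service binary.
 */
static BOOL
QuoteServicePath(char *dst, size_t dstlen, const char *src) {
	/* the two quote characters and the terminator must fit */
	if (strlen(src) + 3 > dstlen)
		return (FALSE);
	strcpy(dst, src);
	PathQuoteSpaces(dst);
	return (TRUE);
}

/* … unchanged: RegisterService up to namedLoc.Format … */
	CStringA namedLocA(namedLoc);
	char pathBuffer[2 * MAX_PATH];
	if (!QuoteServicePath(pathBuffer, sizeof(pathBuffer),
			      (const char *) namedLocA)) {
		/* fail the install via this function's existing error path */
	}
	SetCurrent(IDS_CREATE_SERVICE);
/* … unchanged: CreateService call using pathBuffer … */
```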
......@@ -67,6 +67,13 @@
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
The BIND installer on Windows used an unquoted service path,
which can enable privilege escalation. This flaw is disclosed
in CVE-2017-3141. [RT #45229]
</para>
</listitem>
<listitem>
<para>
With certain RPZ configurations, a response with TTL 0