From 85eae2a7444ebd3b31b71ecf6ed1602f23a68926 Mon Sep 17 00:00:00 2001
From: Nick Bolton
Date: Thu, 3 Oct 2013 14:24:58 +0000
Subject: [PATCH] fixed: exploit, \Program.exe is launched instead of synergy binaries.

---
 src/gui/src/MainWindow.cpp | 6 ++++++
 src/lib/arch/CArchDaemonWindows.cpp | 16 +++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/gui/src/MainWindow.cpp b/src/gui/src/MainWindow.cpp
index 6d7f4754..af8d91e8 100644
--- a/src/gui/src/MainWindow.cpp
+++ b/src/gui/src/MainWindow.cpp
@@ -485,6 +485,9 @@ bool MainWindow::clientArgs(QStringList& args, QString& app)
 		return false;
 	}
 
+	// wrap in quotes so a malicious user can't start \Program.exe as admin.
+	app = QString("\"%1\"").arg(app);
+
 	if (m_pLineEditHostname->text().isEmpty())
 	{
 		show();
@@ -560,6 +563,9 @@ bool MainWindow::serverArgs(QStringList& args, QString& app)
 		return false;
 	}
 
+	// wrap in quotes so a malicious user can't start \Program.exe as admin.
+	app = QString("\"%1\"").arg(app);
+
 	if (appConfig().logToFile())
 	{
 		appConfig().persistLogDir();
diff --git a/src/lib/arch/CArchDaemonWindows.cpp b/src/lib/arch/CArchDaemonWindows.cpp
index a24d7a35..ac25bfc1 100644
--- a/src/lib/arch/CArchDaemonWindows.cpp
+++ b/src/lib/arch/CArchDaemonWindows.cpp
@@ -817,7 +817,21 @@ CArchDaemonWindows::installDaemon()
 	// install default daemon if not already installed.
 	if (!isDaemonInstalled(DEFAULT_DAEMON_NAME, true)) {
 		char path[MAX_PATH];
-		GetModuleFileName(CArchMiscWindows::instanceWin32(), path, MAX_PATH);
+		GetModuleFileName(CArchMiscWindows::instanceWin32(), &path[1], MAX_PATH - 2);
+
+		int length = 0;
+		for (int i = 0; i < MAX_PATH; i++) {
+			if (path[i] == '\0') {
+				length = i;
+				break;
+			}
+		}
+
+		// wrap in quotes so a malicious user can't start \Program.exe as admin.
+		path[0] = '"';
+		path[length] = '"';
+		path[length + 1] = '\0';
+
 		installDaemon(DEFAULT_DAEMON_NAME, DEFAULT_DAEMON_INFO, path, "", "", true);
 	}
 
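Review bot: The quoting added in clientArgs is unconditional, although the unquoted-path problem the comment describes comes from how Windows parses a command line; the same line is repeated in the serverArgs hunk. The code that consumes `app` is outside these hunks, but if it passes `app` to a process API as the program name rather than concatenating it into a command string, the literal quotes become part of the file name on non-Windows builds and the launch would presumably fail. Consider guarding both sites, e.g. `#if defined(Q_OS_WIN)` / `app = QString("\"%1\"").arg(app);` / `#endif`, and moving the quoting into one helper so the two functions cannot drift apart. Both function bodies start and end outside the hunks.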
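Review bot: The length scan in installDaemon starts at `i = 0`, but `path[0]` has not been written yet because GetModuleFileName fills the buffer from `&path[1]`, so an indeterminate byte is read and, if it happens to be zero, the service is registered with a path consisting of a single quote character. The return value of GetModuleFileName is also discarded, so a failed or truncated lookup is not detected before the buffer is handed to the service install. Using the returned length removes the loop and covers both cases; the failure branch should use whatever error reporting installDaemon already has, which is not visible in this hunk. The function body starts and ends outside the hunk.

```cpp
char path[MAX_PATH];
// path[0] is reserved for the opening quote; GetModuleFileName returns the
// number of characters copied, or the buffer size when the path was truncated.
DWORD copied = GetModuleFileName(CArchMiscWindows::instanceWin32(), &path[1], MAX_PATH - 2);
if (copied == 0 || copied >= MAX_PATH - 2) {
	// … report the failure through this function's existing error path …
}

// wrap in quotes so a malicious user can't start \Program.exe as admin.
path[0] = '"';
path[copied + 1] = '"';
path[copied + 2] = '\0';
// … unchanged: installDaemon(DEFAULT_DAEMON_NAME, …) call …
```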