mirror of
https://github.com/pbatard/rufus.git
synced 2025-05-09 12:31:57 -04:00
622e60659c
* Current Rufus and earlier versions (when compiled with MinGW) suffer from a side-loading vulnerability due to cfgmgr32.dll being attempted to be loaded from the same directory as the executable. This may result in someone being able to execute elevated malicious code if they already have gained user-level access to the platform and were able to drop an arbitrary cfgmgr32.dll in the same directory as rufus. * While we were able to address similar vulnerabilities using delay-loading, this method does not appear to work for MinGW with this specific DLL, so we remove all the implicit CM_ function calls, that result in automated DLL loading that cannot be mitigated, to replace them with direct DLL hooks, which are not subject to Windows' default (vulnerable) DLL lookup behaviour. We still add the def for the delay loading in case we manage to find how to delay load cfgmgr32 with MinGW in the future... * Fixes CVE-2025-26624 (https://github.com/pbatard/rufus/security/advisories/GHSA-p8p5-r296-g2jv). * This vulnerability was discovered by @EmperialX working with @Shauryae1337 and reported by @EmperialX.
33 lines
1.5 KiB
Makefile
33 lines
1.5 KiB
Makefile
# Create delay-loaded libraries from a DLL, that aren't vulnerable to side-loading
|
|
AM_V_DLLTOOL_0 = @echo " LIB $@";$(DLLTOOL)
|
|
AM_V_DLLTOOL_1 = $(DLLTOOL)
|
|
AM_V_DLLTOOL_ = $(AM_V_DLLTOOL_$(AM_DEFAULT_VERBOSITY))
|
|
AM_V_DLLTOOL = $(AM_V_DLLTOOL_$(V))
|
|
|
|
AM_V_SED_0 = @echo " SED $<";$(SED)
|
|
AM_V_SED_1 = $(SED)
|
|
AM_V_SED_ = $(AM_V_SED_$(AM_DEFAULT_VERBOSITY))
|
|
AM_V_SED = $(AM_V_SED_$(V))
|
|
|
|
# Ah the joys of Windows DLL calling conventions, that require an @## suffix in the .def
|
|
# for x86_32 and but no @## for x86_64, thereby forcing us to strip stuff according to the
|
|
# target arch. Oh, and we can't use 'target_cpu' or AC definitions on account that we are
|
|
# switching archs when building on our local machine, and don't want to have to go though
|
|
# a costly reconf each time when we can simply issue a 'make clean'.
|
|
# Oh, and to find the number after the @ sign, just have a look at the MinGW .a libraries.
|
|
TUPLE := $(shell $(CC) -dumpmachine)
|
|
TARGET := $(word 1,$(subst -, ,$(TUPLE)))
|
|
DEF_SUFFIX := $(if $(TARGET:x86_64=),.def,.def64)
|
|
|
|
.PHONY: all
|
|
# Ideally, we would also have cfgmgr32-delaylib here, but it doesn't actually delay load... :(
|
|
all: dwmapi-delaylib.lib version-delaylib.lib virtdisk-delaylib.lib wininet-delaylib.lib wintrust-delaylib.lib
|
|
|
|
%.def64: %.def
|
|
$(AM_V_SED) "s/@.*//" $< >$@
|
|
|
|
%-delaylib.lib: %$(DEF_SUFFIX)
|
|
$(AM_V_DLLTOOL) --input-def $< --output-delaylib $@ --dllname $(basename $<).dll
|
|
|
|
clean:
|
|
$(RM) -rf *.lib
|