
Commit c3c39f7

* This commit effectively fixes https://www.kb.cert.org/vuls/id/403768 (CVE-2017-13083) as it is described per its revision 11, which is the latest revision at the time of this commit, by disabling Windows prompts, enacted during signature validation, that allow the user to bypass the intended signature verification checks. * It needs to be pointed out that the vulnerability ("allow(ing) the use of a self-signed certificate"), which relies on the end-user actively ignoring a Windows prompt that tells them that the update failed the signature validation whilst also advising against running it, is being fully addressed, even as the update protocol remains HTTP. * It also needs to be pointed out that the extended delay (48 hours) between the time the vulnerability was reported and the moment it is fixed in our codebase has to do with the fact that the reporter chose to deviate from standard security practices by not disclosing the details of the vulnerability with us, be it publicly or privately, before creating the cert.org report. The only advance notification we received was a generic note about the use of HTTP vs HTTPS, which, as we have established, is not immediately relevant to addressing the reported vulnerability. * Closes #1009 * Note: The other vulnerability scenario described towards the end of #1009, which doesn't have to do with the "lack of CA checking", will be addressed separately.
1 parent fe3004d commit c3c39f7


4 files changed

+40
-8
lines changed


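--- a/res/localization/rufus.loc
+++ b/res/localization/rufus.loc
@@ -487,6 +487,9 @@ t MSG_237 "Bad Blocks: Testing with pattern 0x%02X"
 # eg. "Partitioning (MBR)..."
 t MSG_238 "Partitioning (%s)..."
 t MSG_239 "Deleting partitions..."
+t MSG_240 "The signature for the downloaded update can not be validated. This could mean that your "
+"system is improperly configured for signature validation or indicate a malicious download.\n\n"
+"The download will be deleted. Please check the log for more details."
 t MSG_241 "Downloading: %0.1f%%"
 t MSG_242 "Failed to download file."
 t MSG_243 "Checking for Rufus updates..."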

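--- a/src/pki.c
+++ b/src/pki.c
@@ -53,7 +53,7 @@ const char* WinPKIErrorString(void)
 static char error_string[64];
 DWORD error_code = GetLastError();
 
-if ((error_code >> 16) != 0x8009)
+if (((error_code >> 16) != 0x8009) && ((error_code >> 16) != 0x800B))
 return WindowsErrorString();
 
 switch (error_code) {
@@ -113,6 +113,12 @@ const char* WinPKIErrorString(void)
 return "Cannot complete usage check.";
 case CRYPT_E_NO_TRUSTED_SIGNER:
 return "None of the signers of the cryptographic message or certificate trust list is trusted.";
+case CERT_E_UNTRUSTEDROOT:
+return "The root certificate is not trusted.";
+case TRUST_E_NOSIGNATURE:
+return "Not digitally signed.";
+case TRUST_E_EXPLICIT_DISTRUST:
+return "One of the certificates used was marked as untrusted by the user.";
 default:
 static_sprintf(error_string, "Unknown PKI error 0x%08lX", error_code);
 return error_string;
@@ -268,7 +274,13 @@ LONG ValidateSignature(HWND hDlg, const char* path)
 }
 
 trust_data.cbStruct = sizeof(trust_data);
-trust_data.dwUIChoice = WTD_UI_ALL;
+// NB: WTD_UI_ALL can result in ERROR_SUCCESS even if the signature validation fails,
+// because it still prompts the user to run untrusted software, even after explicitly
+// notifying them that the signature invalid (and of course Microsoft had to make
+// that UI prompt a bit too similar to the other benign prompt you get when running
+// trusted software, which, as per cert.org's assessment, may confuse non-security
+// conscious-users who decide to gloss over these kind of notifications).
+trust_data.dwUIChoice = WTD_UI_NONE;
 // We just downloaded from the Internet, so we should be able to check revocation
 trust_data.fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN;
 // 0x400 = WTD_MOTW for Windows 8.1 or later
@@ -278,6 +290,19 @@ LONG ValidateSignature(HWND hDlg, const char* path)
 
 r = WinVerifyTrust(NULL, &guid_generic_verify, &trust_data);
 safe_free(trust_file.pcwszFilePath);
+switch (r) {
+case ERROR_SUCCESS:
+break;
+case TRUST_E_NOSIGNATURE:
+// Should already have been reported, but since we have a custom message for it...
+uprintf("PKI: File does not appear to be signed: %s", WinPKIErrorString());
+MessageBoxExU(hDlg, lmprintf(MSG_284), lmprintf(MSG_283), MB_OK | MB_ICONERROR | MB_IS_RTL, selected_langid);
+break;
+default:
+uprintf("PKI: Failed to validate signature: %s", WinPKIErrorString());
+MessageBoxExU(hDlg, lmprintf(MSG_240), lmprintf(MSG_283), MB_OK | MB_ICONERROR | MB_IS_RTL, selected_langid);
+break;
+}
 
 return r;
 }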
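Review bot: In the new `default:` and `TRUST_E_NOSIGNATURE` branches of the switch at the end of ValidateSignature, `WinPKIErrorString()` derives its text from `GetLastError()`, yet the rejection code is already in `r` and WinVerifyTrust does not appear to be documented as setting the thread's last error, so the logged reason may be stale or unrelated to the failure that triggered the message box. Setting it explicitly, `SetLastError(r);` immediately after the `safe_free` line and before the switch, keeps the log line and the MSG_240/MSG_284 dialog consistent — worth confirming against how WinPKIErrorString is used elsewhere. The comment added at new line 279 reads `notifying them that the signature invalid` and is missing "is". ValidateSignature starts outside the hunk.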

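--- a/src/rufus.rc
+++ b/src/rufus.rc
@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 242, 376
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 2.17.1186"
+CAPTION "Rufus 2.17.1187"
 FONT 8, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
 LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
@@ -366,8 +366,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
-FILEVERSION 2,17,1186,0
-PRODUCTVERSION 2,17,1186,0
+FILEVERSION 2,17,1187,0
+PRODUCTVERSION 2,17,1187,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -384,13 +384,13 @@ BEGIN
 BEGIN
 VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)"
 VALUE "FileDescription", "Rufus"
-VALUE "FileVersion", "2.17.1186"
+VALUE "FileVersion", "2.17.1187"
 VALUE "InternalName", "Rufus"
 VALUE "LegalCopyright", "� 2011-2017 Pete Batard (GPL v3)"
 VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
 VALUE "OriginalFilename", "rufus.exe"
 VALUE "ProductName", "Rufus"
-VALUE "ProductVersion", "2.17.1186"
+VALUE "ProductVersion", "2.17.1187"
 END
 END
 BLOCK "VarFileInfo"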

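--- a/src/stdlg.c
+++ b/src/stdlg.c
@@ -1674,8 +1674,12 @@ INT_PTR CALLBACK NewVersionCallback(HWND hDlg, UINT message, WPARAM wParam, LPAR
 case 2: // Launch newer version and close this one
 Sleep(1000); // Add a delay on account of antivirus scanners
 
-if (ValidateSignature(hDlg, filepath) != NO_ERROR)
+if (ValidateSignature(hDlg, filepath) != NO_ERROR) {
+// Unconditionally delete the download and disable the "Launch" control
+_unlinkU(filepath);
+EnableWindow(GetDlgItem(hDlg, IDC_DOWNLOAD), FALSE);
 break;
+}
 
 memset(&si, 0, sizeof(si));
 memset(&pi, 0, sizeof(pi));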
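Review bot: The result of `_unlinkU(filepath)` in the new failure branch is discarded, so when the rejected download cannot be removed (the `Sleep(1000)` comment just above notes that antivirus scanners may still be holding the file) it stays on disk even though MSG_240 has just told the user it will be deleted. Assuming `_unlinkU` follows `_unlink`'s return convention, logging the failure keeps the log honest: `if (_unlinkU(filepath) != 0) uprintf("Could not delete '%s': %s", filepath, WindowsErrorString());`. The comment says the "Launch" control is disabled while the code disables `IDC_DOWNLOAD`; if that control is indeed relabelled after download, a short note saying so would spare the next reader the lookup. NewVersionCallback starts and ends outside the hunk.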
