CVE-2016-3958: syscall: guard against Windows DLL preloading attacks · Issue #14959 · golang/go
Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function.
Here is one of many programs I use on my PC.
C:\Program Files (x86)\Git\bin>objdump -p git.exe | grep Load
LoaderFlags 00000000
Entry a 00000000 00000000 Load Configuration Directory
19cc7c 524 LoadLibraryA 7dd7499f
C:\Program Files (x86)\Git\bin>dir *.dll
Volume in drive C has no label.
Volume Serial Number is F0C8-6DFE
Directory of C:\Program Files (x86)\Git\bin
07/12/2014 06:01 PM 1,154,665 libapr-0-0.dll
07/12/2014 06:01 PM 992,438 libaprutil-0-0.dll
07/12/2014 06:01 PM 1,724,229 libcrypto.dll
07/12/2014 06:01 PM 360,448 libcurl.dll
07/12/2014 06:01 PM 958,945 libexpat-0.dll
07/12/2014 06:01 PM 443,550 libgsasl-7.dll
07/12/2014 06:01 PM 1,241,889 libiconv-2.dll
07/12/2014 06:01 PM 293,380 libintl-8.dll
07/12/2014 06:01 PM 2,076,008 libneon-25.dll
07/12/2014 06:01 PM 4,884,531 libpoppler-7.dll
07/12/2014 06:01 PM 391,048 libssl.dll
07/12/2014 06:01 PM 1,218,359 libsvn_client-1-0.dll
07/12/2014 06:01 PM 851,272 libsvn_delta-1-0.dll
07/12/2014 06:01 PM 798,881 libsvn_diff-1-0.dll
07/12/2014 06:01 PM 792,459 libsvn_fs-1-0.dll
07/12/2014 06:01 PM 1,028,321 libsvn_fs_fs-1-0.dll
07/12/2014 06:01 PM 759,216 libsvn_ra-1-0.dll
07/12/2014 06:01 PM 1,017,784 libsvn_ra_dav-1-0.dll
07/12/2014 06:01 PM 800,669 libsvn_ra_local-1-0.dll
07/12/2014 06:01 PM 930,046 libsvn_ra_svn-1-0.dll
07/12/2014 06:01 PM 1,055,893 libsvn_repos-1-0.dll
07/12/2014 06:01 PM 1,248,729 libsvn_subr-1-0.dll
07/12/2014 06:01 PM 864,473 libsvn_swig_perl-1-0.dll
07/12/2014 06:01 PM 1,253,965 libsvn_wc-1-0.dll
07/12/2014 06:01 PM 812,063 libW11.dll
07/12/2014 06:01 PM 194,947 libz.dll
07/12/2014 06:01 PM 777,544 msys-1.0.dll
07/12/2014 06:01 PM 1,282,560 msys-crypto-1.0.0.dll
07/12/2014 06:01 PM 19,968 msys-minires.dll
07/12/2014 06:01 PM 939,520 msys-perl5_8.dll
07/12/2014 06:01 PM 82,852 msys-regex-1.dll
07/12/2014 06:01 PM 328,192 msys-ssl-1.0.0.dll
07/12/2014 06:01 PM 91,792 msys-z.dll
07/12/2014 06:01 PM 52,064 msysltdl-3.dll
07/12/2014 06:01 PM 65,124 pthreadGC2.dll
07/12/2014 06:01 PM 1,152,701 tcl85.dll
07/12/2014 06:01 PM 30,023 tclpip85.dll
07/12/2014 06:01 PM 1,410,875 tk85.dll
38 File(s) 34,381,423 bytes
0 Dir(s) 94,420,832,256 bytes free
C:\Program Files (x86)\Git\bin>
Just to demonstrate that the behaviour you’re about to break is actually used by some products.
See the top comment in this bug: “2) Add a LoadLibraryEx to x/sys/win so that users can still get at the old behavior if they want it (by appropriate passing of flags).”
(A flags value of 0 would mean the current behavior.)
But that will still break my existing code. I don’t personally have a problem like the one described in https://textplain.wordpress.com/2015/12/18/dll-hijacking-just-wont-die/. Why should I suffer? Why cannot we do what I suggested above? What is the downside?
Alex
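The trade-off argued over in this thread, as an added example that is not code from the issue or from the Go project: a small Go model of the two loading behaviours (flags 0, i.e. the current LoadLibrary search order, versus a LoadLibraryEx search restricted to the system directory), resolved against a constructed file layout modelled on the git.exe listing above. The Policy and Env types, the download-folder path and the directory contents are assumptions made for the example; the search order is simplified (no 16-bit system directory, no PATH).

```go
package main
import "strings"

// Policy models the two DLL search behaviours argued about in the thread.
type Policy int

const (
	// Default models LoadLibrary (flags 0 in the proposal): app dir, system dir,
	// Windows dir, then current dir (PATH and the 16-bit dir are omitted here).
	Default Policy = iota
	// System32Only models LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32.
	System32Only
)

// Env is a constructed picture of one machine, not a real file system.
type Env struct {
	Order  []string            // directories in Default search order
	System string              // the system directory (System32Only looks only here)
	Files  map[string][]string // DLL file names present in each directory
}

// Resolve returns the directory a LoadLibrary-style call for name would load
// from under policy p, or "" when the load would fail.
func (e Env) Resolve(name string, p Policy) string {
	dirs := e.Order
	if p == System32Only {
		dirs = []string{e.System}
	}
	for _, dir := range dirs {
		for _, f := range e.Files[dir] {
			if strings.EqualFold(f, name) { // DLL names are case-insensitive
				return dir
			}
		}
	}
	return ""
}

// demoEnv mirrors the git.exe layout above: git's own DLLs sit beside the
// executable, while the current directory is an untrusted download folder
// holding a DLL git does not ship. Paths and contents are constructed.
func demoEnv() Env {
	app, sys, cwd := `C:\Program Files (x86)\Git\bin`, `C:\Windows\System32`, `C:\Users\alex\Downloads`
	return Env{Order: []string{app, sys, `C:\Windows`, cwd}, System: sys,
		Files: map[string][]string{
			app: {"libcurl.dll", "libssl.dll", "msys-1.0.dll"},
			sys: {"kernel32.dll", "advapi32.dll"},
			cwd: {"libcurl.dll", "optional-plugin.dll"},
		},
	}
}
```

Resolving libcurl.dll shows the compatibility cost the comment raises (found beside git.exe under Default, not found under System32Only), while a DLL the application does not ship shows the risk the CVE describes (reached in the current directory under Default, refused under System32Only).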