CVE-2016-3958: syscall: guard against Windows DLL preloading attacks · Issue #14959 · golang/go

Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function.

Here is one of many programs I use on my PC.

C:\Program Files (x86)\Git\bin>objdump -p git.exe | grep Load
LoaderFlags             00000000
Entry a 00000000 00000000 Load Configuration Directory
        19cc7c    524  LoadLibraryA     7dd7499f

C:\Program Files (x86)\Git\bin>dir *.dll
 Volume in drive C has no label.
 Volume Serial Number is F0C8-6DFE

 Directory of C:\Program Files (x86)\Git\bin

07/12/2014  06:01 PM         1,154,665 libapr-0-0.dll
07/12/2014  06:01 PM           992,438 libaprutil-0-0.dll
07/12/2014  06:01 PM         1,724,229 libcrypto.dll
07/12/2014  06:01 PM           360,448 libcurl.dll
07/12/2014  06:01 PM           958,945 libexpat-0.dll
07/12/2014  06:01 PM           443,550 libgsasl-7.dll
07/12/2014  06:01 PM         1,241,889 libiconv-2.dll
07/12/2014  06:01 PM           293,380 libintl-8.dll
07/12/2014  06:01 PM         2,076,008 libneon-25.dll
07/12/2014  06:01 PM         4,884,531 libpoppler-7.dll
07/12/2014  06:01 PM           391,048 libssl.dll
07/12/2014  06:01 PM         1,218,359 libsvn_client-1-0.dll
07/12/2014  06:01 PM           851,272 libsvn_delta-1-0.dll
07/12/2014  06:01 PM           798,881 libsvn_diff-1-0.dll
07/12/2014  06:01 PM           792,459 libsvn_fs-1-0.dll
07/12/2014  06:01 PM         1,028,321 libsvn_fs_fs-1-0.dll
07/12/2014  06:01 PM           759,216 libsvn_ra-1-0.dll
07/12/2014  06:01 PM         1,017,784 libsvn_ra_dav-1-0.dll
07/12/2014  06:01 PM           800,669 libsvn_ra_local-1-0.dll
07/12/2014  06:01 PM           930,046 libsvn_ra_svn-1-0.dll
07/12/2014  06:01 PM         1,055,893 libsvn_repos-1-0.dll
07/12/2014  06:01 PM         1,248,729 libsvn_subr-1-0.dll
07/12/2014  06:01 PM           864,473 libsvn_swig_perl-1-0.dll
07/12/2014  06:01 PM         1,253,965 libsvn_wc-1-0.dll
07/12/2014  06:01 PM           812,063 libW11.dll
07/12/2014  06:01 PM           194,947 libz.dll
07/12/2014  06:01 PM           777,544 msys-1.0.dll
07/12/2014  06:01 PM         1,282,560 msys-crypto-1.0.0.dll
07/12/2014  06:01 PM            19,968 msys-minires.dll
07/12/2014  06:01 PM           939,520 msys-perl5_8.dll
07/12/2014  06:01 PM            82,852 msys-regex-1.dll
07/12/2014  06:01 PM           328,192 msys-ssl-1.0.0.dll
07/12/2014  06:01 PM            91,792 msys-z.dll
07/12/2014  06:01 PM            52,064 msysltdl-3.dll
07/12/2014  06:01 PM            65,124 pthreadGC2.dll
07/12/2014  06:01 PM         1,152,701 tcl85.dll
07/12/2014  06:01 PM            30,023 tclpip85.dll
07/12/2014  06:01 PM         1,410,875 tk85.dll
              38 File(s)     34,381,423 bytes
               0 Dir(s)  94,420,832,256 bytes free

C:\Program Files (x86)\Git\bin>

Just to demonstrate that the behaviour you’re about to break is actually used by some products.

See the top comment in this bug: “2) Add a LoadLibraryEx to x/sys/win so that users can still get at the old behavior if they want it (by appropriate passing of flags).”

(A flags value of 0 would mean the current behavior.)

But that will still break my existing code. I don’t personally have a problem like the one described in https://textplain.wordpress.com/2015/12/18/dll-hijacking-just-wont-die/. Why should I suffer? Why can’t we do what I suggested above? What is the downside?

Alex
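The disagreement in the thread comes down to the DLL search order: why a bare module name passed to LoadLibrary can resolve to a file in the current working directory, and what the LOAD_LIBRARY_SEARCH_SYSTEM32 flag (the flags-based LoadLibraryEx the quoted comment proposes) changes. The Go program below is an added example that models that resolution; it is not Go's syscall code and not anything from the issue. The directory layout, the planted copies and the name "optional.dll" (a DLL the program probes for but the OS does not ship) are constructed, the flag value is the Windows SDK constant, and paths use forward slashes so the model runs on any OS.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// LOAD_LIBRARY_SEARCH_SYSTEM32 from the Windows SDK (libloaderapi.h). Passed to
// LoadLibraryEx it restricts the search for a bare module name to
// %SystemRoot%\System32; flags == 0 gives the legacy LoadLibrary search order.
const loadLibrarySearchSystem32 uint32 = 0x00000800

// env models the directories that take part in a Windows DLL search. Everything
// in it is constructed for this example; a real process gets these from the
// executable location, the OS install and the environment.
type env struct {
	AppDir     string
	System32   string
	SystemDir  string // 16-bit system directory, %SystemRoot%\System
	WindowsDir string
	CWD        string
	Path       []string        // %PATH% entries, in order
	Files      map[string]bool // constructed filesystem: lowercased full paths that exist
}

// searchOrder lists the directories consulted for a bare module name, in the
// order Windows consults them. With flags == 0 this is the legacy order with
// SafeDllSearchMode on (the default since Windows XP SP2): application directory,
// System32, System, Windows, current working directory, then each PATH entry.
// The working directory is reached only for names not found in the earlier
// directories, which is exactly the case of an optional or missing DLL.
func (e env) searchOrder(flags uint32) []string {
	if flags&loadLibrarySearchSystem32 != 0 {
		return []string{e.System32}
	}
	dirs := []string{e.AppDir, e.System32, e.SystemDir, e.WindowsDir, e.CWD}
	return append(dirs, e.Path...)
}

func (e env) exists(full string) bool { return e.Files[strings.ToLower(full)] }

// isAbsWin reports whether a forward-slash path carries a drive letter ("C:/...").
func isAbsWin(p string) bool { return len(p) >= 3 && p[1] == ':' && p[2] == '/' }

// resolve models name resolution for LoadLibrary (flags == 0) or LoadLibraryEx
// with flags. It returns the full path that would be loaded and whether a file
// was found. A name containing a path separator is not searched at all: Windows
// opens that path directly, resolving a relative one against the working
// directory, which is why passing an absolute path is the other standard fix.
func (e env) resolve(name string, flags uint32) (string, bool) {
	if strings.ContainsAny(name, `/\`) {
		full := strings.ReplaceAll(name, `\`, "/")
		if !isAbsWin(full) {
			full = path.Join(e.CWD, full)
		}
		return full, e.exists(full)
	}
	for _, dir := range e.searchOrder(flags) {
		full := path.Join(dir, name)
		if e.exists(full) {
			return full, true
		}
	}
	return "", false
}

// sampleEnv is the constructed scenario: the program was started from a
// directory holding same-named copies of kernel32.dll and optional.dll, while
// System32 contains only the real kernel32.dll.
func sampleEnv() env {
	return env{
		AppDir:     "C:/Program Files/Example",
		System32:   "C:/Windows/System32",
		SystemDir:  "C:/Windows/System",
		WindowsDir: "C:/Windows",
		CWD:        "C:/Users/alice/Downloads",
		Path:       []string{"C:/Windows/System32", "C:/Tools"},
		Files: map[string]bool{
			"c:/windows/system32/kernel32.dll":      true,
			"c:/users/alice/downloads/kernel32.dll": true,
			"c:/users/alice/downloads/optional.dll": true,
		},
	}
}

func main() {
	e := sampleEnv()
	cases := []struct {
		name  string
		flags uint32
	}{
		{"kernel32.dll", 0},                         // System32 wins: it precedes the CWD
		{"optional.dll", 0},                         // not in system dirs: falls through to the CWD copy
		{"optional.dll", loadLibrarySearchSystem32}, // fails closed instead of falling through
		{"kernel32.dll", loadLibrarySearchSystem32}, // still found
		{`.\optional.dll`, 0},                       // explicit relative path: resolved against the CWD, no search
	}
	for _, c := range cases {
		full, ok := e.resolve(c.name, c.flags)
		fmt.Printf("%-16s flags=%#06x -> found=%-5v %s\n", c.name, c.flags, ok, full)
	}
}
```

The second and third cases are the point of the change in the thread: with the legacy order a DLL that is absent from the system directories is taken from the working directory, whereas with LOAD_LIBRARY_SEARCH_SYSTEM32 the load simply fails. The first case shows why the change is invisible for DLLs that do exist in System32, and the last one why a full or explicit path sidesteps the search entirely.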
