CVE-2019-9634: runtime: dll injection vulnerabilities on Windows (CVE-2019-9634) · Issue #30642 · golang/go
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.
Comments
zx2c4 changed the title from "runtime: dll injection vulnerabilities on Windows" to "runtime: dll injection vulnerabilities on Windows (CVE-2019-9634)" on Mar 8, 2019
gopherbot pushed a commit to golang/sys that referenced this issue on Mar 10, 2019:
The %WINDIR% variable is an odd choice and not even entirely reliable. Since Windows 2000, there has been a specific function for determining this information, so let’s use it. It’s also a useful function in its own right for folks who want to launch system tools in a somewhat safe way, like netsh.exe.
Updates golang/go#14959
Updates golang/go#30642

Change-Id: Ic24baf37d14f2daced0c1db2771b5a673d2c8852
Reviewed-on: https://go-review.googlesource.com/c/sys/+/165759
Run-TryBot: Brad Fitzpatrick [email protected]
TryBot-Result: Gobot Gobot [email protected]
Reviewed-by: Alex Brainman [email protected]
gopherbot pushed a commit that referenced this issue on Mar 24, 2019:
While many other call sites have been moved to using the proper higher-level system loading, these areas were left out. This prevents DLL directory injection attacks. This includes both the runtime load calls (using LoadLibrary prior) and the implicitly linked ones via cgo_import_dynamic, which we move to our LoadLibraryEx. The goal is to only loosely load kernel32.dll and strictly load all others.
Meanwhile we make sure that we never fall back to insecure loading on older or unpatched systems.
This is CVE-2019-9634.
Fixes #30666
Updates #14959
Updates #28978
Updates #30642

Change-Id: I401a13ed8db248ab1bb5039bf2d31915cac72b93
Reviewed-on: https://go-review.googlesource.com/c/go/+/165798
Run-TryBot: Brad Fitzpatrick [email protected]
TryBot-Result: Gobot Gobot [email protected]
Reviewed-by: Alex Brainman [email protected]
(cherry picked from commit 9b6e9f0)
Reviewed-on: https://go-review.googlesource.com/c/go/+/168339
Reviewed-by: Dmitri Shuralyov [email protected]
Reviewed-by: Andrew Bonventre [email protected]
gopherbot pushed a commit that referenced this issue on May 6, 2019:
While many other call sites have been moved to using the proper higher-level system loading, these areas were left out. This prevents DLL directory injection attacks. This includes both the runtime load calls (using LoadLibrary prior) and the implicitly linked ones via cgo_import_dynamic, which we move to our LoadLibraryEx. The goal is to only loosely load kernel32.dll and strictly load all others.
Meanwhile we make sure that we never fall back to insecure loading on older or unpatched systems.
This is CVE-2019-9634.
Fixes #30989
Updates #14959
Updates #28978
Updates #30642

Change-Id: I401a13ed8db248ab1bb5039bf2d31915cac72b93
Reviewed-on: https://go-review.googlesource.com/c/go/+/165798
Run-TryBot: Brad Fitzpatrick [email protected]
TryBot-Result: Gobot Gobot [email protected]
Reviewed-by: Alex Brainman [email protected]
(cherry picked from commit 9b6e9f0)
Reviewed-on: https://go-review.googlesource.com/c/go/+/175378
Run-TryBot: Dmitri Shuralyov [email protected]
Reviewed-by: Andrew Bonventre [email protected]
golang locked and limited conversation to collaborators on May 5, 2020