From: SourceForge.net <no...@so...> - 2010-11-30 22:30:10
Bugs item #3109312, was opened at 2010-11-15 12:15
Message generated for change (Settings changed) made by tjaden
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105665&aid=3109312&group_id=5665

Please note that this message will contain a full copy of the comment
thread, including the initial issue submission, for this request,
not just the latest update.

Category: Windows
Group: 4.9
>Status: Closed
>Resolution: Fixed
Priority: 8
Private: No
Submitted By: Peter Wang (tjaden)
Assigned to: Nobody/Anonymous (nobody)
Summary: DLL hijacking

Initial Comment:
I believe Allegro is vulnerable to DLL hijacking due to calling LoadLibrary
with unqualified file names.

An attacker may ask the victim to open a file with an Allegro application
that the victim has installed. Also in that directory is a malicious copy
of a DLL that Allegro loads at runtime. This could be over a network share,
and the malicious DLL may be hidden.

The solution would be to ensure that we only load DLLs from "trusted"
locations: the system directories, or the directory containing the
application executable or Allegro main DLL (if possible).

References:
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://msdn.microsoft.com/en-us/library/ff919712(VS.85).aspx

----------------------------------------------------------------------

Comment By: Peter Wang (tjaden)
Date: 2010-11-16 12:51

Message:
I think the relevant functions are GetModuleFileName and GetSystemDirectory.

----------------------------------------------------------------------

Comment By: Peter Wang (tjaden)
Date: 2010-11-16 12:42

Message:
We load d3d9.dll, dinput8.dll, FLAC, DUMB and vorbisfile. It's possible to
disable loading of the latter three, but not the former. The first two are
probably likely to be found in the system directories, so I assume that
makes them less of a threat.

----------------------------------------------------------------------

Comment By: Elias Pschernig (elias)
Date: 2010-11-15 20:52

Message:
Which .dlls are affected? I assume this has to do with the audio decoders
only. And is there a way to compile the audio addon DLL (if that's the only
problematic one) in a way so it will not load additional dlls at runtime?

To properly fix this, we may want an additional API function for specifying
the location of runtime DLLs. As far as I can see currently the only way to
distribute an A5 app is to rely on such DLLs being found in the current
directory and issuing a chdir to that directory before al_init - so removing
the current dir from the search path would not be a solution.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105665&aid=3109312&group_id=5665
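The mitigation the thread converges on (load runtime DLLs only from the executable's directory or the Windows system directory, resolved via GetModuleFileName and GetSystemDirectory, and never by bare name) looks like the following. This is an added illustration, not Allegro's fix; the function names join_trusted_path and load_trusted_dll are assumed, and the sample directory paths in the comments are constructed.

```c
/* Added example (not Allegro's code): load a DLL only from the directory
 * holding the running executable or from the Windows system directory,
 * never by unqualified name, so the current directory is never searched.
 * The path-joining helper is portable; the loader itself is Windows-only. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Join dir + name into out. Rejects empty names and names containing path
 * separators or a drive letter, so a caller cannot redirect the load outside
 * dir (e.g. "..\\evil.dll"). Returns 1 on success, 0 on rejection/overflow. */
int join_trusted_path(const char *dir, const char *name, char *out, size_t cap)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (nlen == 0 || strchr(name, '\\') || strchr(name, '/') || strchr(name, ':'))
        return 0;
    if (dlen + 1 + nlen + 1 > cap)   /* dir + separator + name + NUL must fit */
        return 0;
    memcpy(out, dir, dlen);
    if (dlen > 0 && out[dlen - 1] != '\\' && out[dlen - 1] != '/')
        out[dlen++] = '\\';
    memcpy(out + dlen, name, nlen + 1);
    return 1;
}

#ifdef _WIN32
#include <windows.h>

/* Try the executable's directory first, then the system directory, and no
 * other location. Only fully qualified paths are passed to LoadLibrary, so
 * the DLL itself cannot be picked up from the current directory. Note that
 * dependencies of the loaded DLL still follow the default search order. */
HMODULE load_trusted_dll(const char *name)
{
    char dir[MAX_PATH], path[MAX_PATH];
    DWORD n = GetModuleFileNameA(NULL, dir, MAX_PATH);   /* e.g. C:\Games\App\game.exe */
    if (n > 0 && n < MAX_PATH) {
        char *slash = strrchr(dir, '\\');
        if (slash) {
            *slash = '\0';                               /* keep only the directory */
            if (join_trusted_path(dir, name, path, sizeof path)) {
                HMODULE h = LoadLibraryA(path);
                if (h) return h;
            }
        }
    }
    n = GetSystemDirectoryA(dir, MAX_PATH);              /* e.g. C:\Windows\System32 */
    if (n > 0 && n < MAX_PATH && join_trusted_path(dir, name, path, sizeof path))
        return LoadLibraryA(path);
    return NULL;
}
#endif
```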