From: Tatsuro M. <tma...@ya...> - 2010-11-15 23:46:50
Hello

In the gnuplot thread in Japan, the topic of the DLL Preloading Attack in gnuplot for Windows has been discussed.

In winmain.c, the function GetDllVersion(LPCTSTR lpszDllName) is defined. In the function, the following is described:

    /* For security purposes, LoadLibrary should be provided with a
       fully-qualified path to the DLL. The lpszDllName variable should be
       tested to ensure that it is a fully qualified path before it is used. */

However, in the function appdata_directory(void) I found

    hShell32 = LoadLibrary(TEXT("shell32.dll"));

GetDllVersion(LPCTSTR lpszDllName) is not used for this code. However, in winmenu.c, I found

    if (GetDllVersion(TEXT("shell32.dll")) >= PACKVERSION(4,0)) {

Is it better to carry out a similar check for

    hShell32 = LoadLibrary(TEXT("shell32.dll"));

in the function appdata_directory(void)? Or am I misunderstanding the situation?

BTW, http://msdn.microsoft.com/en-us/library/ms682586(VS.85).aspx

Windows XP and Windows 2000 with SP4: Safe DLL search mode is disabled by default. To enable this feature, create the SafeDllSearchMode registry value and set it to 1. Safe DLL search mode is enabled by default starting with Windows XP with Service Pack 2 (SP2).

Windows 2000: The SafeDllSearchMode value is not supported. The DLL search order is identical to the search order that occurs when safe DLL search mode is disabled. The SafeDllSearchMode value is supported starting with Windows 2000 with SP4.

1. The directory from which the application loaded.
2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

Perhaps most Windows XP users use XP SP3, so that

    hShell32 = LoadLibrary(TEXT("shell32.dll"));

may not be a problem. However, for Windows 2000, "The SafeDllSearchMode value is supported starting with Windows 2000 with SP4." However, SafeDllSearchMode is disabled in Windows 2000 SP4. Therefore,

    hShell32 = LoadLibrary(TEXT("shell32.dll"));

may not be secure only for users of Windows 2000.

Regards
Tatsuro
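The check that the winmain.c comment quoted above asks for, as an added example that is not part of the original message or of the gnuplot sources: a test for a fully qualified path, and a loader that builds the path to a system DLL from GetSystemDirectory before calling LoadLibrary. All function names are hypothetical; the Windows-only part is guarded so the path logic compiles on any platform.

```c
/* Added example, not gnuplot source; all function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* 1 only for "X:\dir\file" or "\\server\share\file" forms. Rejects bare names
 * ("shell32.dll"), relative paths, drive-relative paths ("C:shell32.dll"),
 * rooted paths without a drive ("\shell32.dll") and any ".." component. */
int is_fully_qualified_path(const char *p)
{
    const char *s;
    if (p == NULL || p[0] == '\0') return 0;
    if (isalpha((unsigned char)p[0]) && p[1] == ':' && is_sep(p[2]))
        s = p + 3;                               /* drive-absolute */
    else if (is_sep(p[0]) && is_sep(p[1]) && p[2] != '\0' && !is_sep(p[2]))
        s = p + 2;                               /* UNC */
    else return 0;
    while (*s) {                                 /* walk the components */
        size_t n = strcspn(s, "\\/");
        if (n == 2 && s[0] == '.' && s[1] == '.') return 0;
        s += n;
        if (*s) s++;
    }
    return 1;
}

/* Writes "<sysdir>\<name>" to out. Returns 0 on success, -1 if name is not a
 * bare file name, the result is truncated, or it is not fully qualified. */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t outlen)
{
    int n;
    if (!is_fully_qualified_path(sysdir) || name == NULL || name[0] == '\0' ||
        strpbrk(name, "\\/:") != NULL) return -1;
    n = snprintf(out, outlen, "%s\\%s", sysdir, name);
    if (n < 0 || (size_t)n >= outlen) return -1;  /* never load a cut path */
    return is_fully_qualified_path(out) ? 0 : -1;
}

#ifdef _WIN32
/* Windows only: load a system DLL by full path rather than by bare name. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;
    if (build_system_dll_path(sysdir, name, full, sizeof full) != 0) return NULL;
    return LoadLibraryA(full);
}
#endif
```

With a full path the loader does not consult the search order listed in the message, so the SafeDllSearchMode setting no longer affects where shell32.dll is taken from.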