From: SourceForge.net <no...@so...> - 2010-08-24 14:11:25
Bugs item #3052308, was opened at 2010-08-24 16:11
Message generated for change (Tracker Item Submitted) made by anders_k
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=373085&aid=3052308&group_id=22049

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: Yes
Submitted By: Anders (anders_k)
Assigned to: Nobody/Anonymous (nobody)
Summary: Current directory LoadLibrary "Exploit"

Initial Comment:
This might be an old and known issue, but it is back in the "media" again ( http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html )

Maybe we should take a look at this even though we are probably not a major target (Tricking the user to start a ...exe, why use a dll loading exploit at all?)

After a quick look at the code, I would guess the problematic dll's are: RichEd*, SHLWAPI and SHFOLDER. (Version and ComCtl32 are not on the KnownDLLs list, but we are not dynamically loading those, so we have to rely on Windows doing it correctly for us)

If we decide that we need to deal with this, we could add our own myLoadLibrary. SetDllDirectory was added in XP:SP1 ( http://msdn.microsoft.com/en-us/library/ms682586.aspx#Dynamic-Link Library Search Order ) so we either just use that and screw older systems (They don't get security updates either so the whole system is going to have security issues anyway, including this problem) Or we could do a whole dance: save current dir, set current dir = %windir%, loadlibrary, restore current dir.

Either way, as far as I can tell, this would fix problems with evil current directory, but I don't see how we can stop LoadLibrary from looking in $exedir (If app is started from SMB/WebDAV?)
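An added sketch of the `myLoadLibrary` idea from the report (not code from the tracker item or from the project): it loads a DLL by absolute system-directory path, since LoadLibrary given a full path looks only at that path, and removes the current directory from the search order where SetDllDirectory is available. The helper names `build_system_dll_path` and `drop_current_dir_from_search` are hypothetical.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Join the system directory and a bare DLL name into out.
   Returns 0 on success, -1 if name carries a path/drive component
   or the result does not fit. Portable so it can be tested anywhere. */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t outlen)
{
    size_t dlen, nlen, sep;
    if (!sysdir || !name || !out || !*sysdir || !*name) return -1;
    if (strpbrk(name, "\\/:") != NULL) return -1;   /* bare names only */
    dlen = strlen(sysdir);
    nlen = strlen(name);
    sep = (sysdir[dlen - 1] != '\\') ? 1 : 0;       /* a drive root already ends in one */
    if (dlen + sep + nlen + 1 > outlen) return -1;
    memcpy(out, sysdir, dlen);
    if (sep) out[dlen++] = '\\';
    memcpy(out + dlen, name, nlen + 1);             /* copies the NUL too */
    return 0;
}

#ifdef _WIN32
/* SetDllDirectory exists only from XP SP1, so resolve it at run time;
   kernel32 is already mapped into every process. An empty string
   removes the current directory from the DLL search order. */
void drop_current_dir_from_search(void)
{
    typedef BOOL (WINAPI *SetDllDirectoryA_t)(LPCSTR);
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    SetDllDirectoryA_t fn = k32
        ? (SetDllDirectoryA_t)GetProcAddress(k32, "SetDllDirectoryA") : NULL;
    if (fn) fn("");
}

/* Hypothetical wrapper: load a system DLL by absolute path only. */
HMODULE myLoadLibrary(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;
    if (build_system_dll_path(sysdir, name, full, sizeof full) != 0)
        return NULL;
    return LoadLibraryA(full);
}
#endif
```

Imports of the DLL loaded this way are still resolved through the normal search order, which is why the sketch also calls SetDllDirectory with an empty string when the export exists.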