DynamicLibrary::init() (win-system/DynamicLibrary.cpp:49):
m_module = LoadLibrary(filename);

HookInstaller passes "screenhooks32.dll" / "screenhooks64.dll" with no
path and no LOAD_LIBRARY_SEARCH_* flags. Windows search order includes
the application directory and PATH directories before System32.

I searched the entire source tree: zero calls to SetDllDirectory(),
AddDllDirectory(), or LoadLibraryEx() with safe flags. ThemeLib
(gui/ThemeLib.cpp) has the same bare LoadLibrary() pattern.

If an attacker plants a malicious screenhooks64.dll in the install
directory (common with permissive ACLs on third-party installs), the
SYSTEM-account TightVNC service loads it at startup.

Attached PoC confirms: no safe flags in codebase; dummy DLL found
by LoadLibrary before System32; LoadLibrary() err=193 (found but not
a valid PE, proving the search path was reached).

Fix: GetModuleFileName() -> full path -> LoadLibraryEx() with
LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32.

Version: 2.8.87.
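
One way to implement the fix described above, as an added example (not TightVNC's code and not part of the report). buildPinnedDllPath and loadHookLibrary are hypothetical names, the wide-character API variants are an assumption, and the Windows call is compiled only under _WIN32.

```cpp
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Hypothetical helper: join the directory of modulePath with a bare DLL name.
// Returns an empty string when dllName carries a path, drive or separator,
// or when modulePath has no directory component to pin the load to.
std::wstring buildPinnedDllPath(const std::wstring &modulePath,
                                const std::wstring &dllName)
{
  if (dllName.empty() ||
      dllName.find_first_of(L"\\/:") != std::wstring::npos)
    return L"";
  std::wstring::size_type slash = modulePath.find_last_of(L"\\/");
  if (slash == std::wstring::npos)
    return L"";
  return modulePath.substr(0, slash + 1) + dllName;
}

#ifdef _WIN32
// Hypothetical replacement for the bare LoadLibrary(filename) call.
// The LOAD_LIBRARY_SEARCH_* flags need Windows 8 or later, or KB2533623
// on Windows 7 / Server 2008 R2.
HMODULE loadHookLibrary(const wchar_t *dllName)
{
  std::wstring exe(MAX_PATH, L'\0');
  for (;;) {
    DWORD n = GetModuleFileNameW(NULL, &exe[0], (DWORD)exe.size());
    if (n == 0) return NULL;                  // GetLastError() has the cause
    if (n < exe.size()) { exe.resize(n); break; }
    exe.resize(exe.size() * 2);               // result was truncated, retry
  }
  std::wstring full = buildPinnedDllPath(exe, dllName);
  if (full.empty()) { SetLastError(ERROR_BAD_PATHNAME); return NULL; }
  // The full path fixes where the DLL itself comes from; the flags limit
  // the search for its dependencies to the application dir and System32.
  return LoadLibraryExW(full.c_str(), NULL,
                        LOAD_LIBRARY_SEARCH_APPLICATION_DIR |
                        LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif
```

Pinning the path removes the PATH and current-directory lookups; it does not help if the install directory itself is writable by unprivileged users, so the directory ACL has to be tightened as well.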