Installer vulnerable to DLL side-loading #121

Closed
CrossVR opened this issue Nov 27, 2016 · 7 comments

CrossVR commented Nov 27, 2016

Just a friendly reminder to update the version of NSIS you are using to compile the installer to a more recent version. Currently it will load malicious DLLs in the user's Downloads directory as explained here: https://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/

Contributor

Et0h commented Nov 27, 2016

Thanks for the heads up. Syncplay currently uses NSIS 2.46.5-Unicode but it sounds like we may need to port things over to NSIS 3 (which now has Unicode support by default).

Author

CrossVR commented Nov 27, 2016

According to the article updating to 2.5 should also fix it without needing to port stuff to NSIS 3.

Contributor

Et0h commented Nov 27, 2016

Are there any trustworthy builds of NSIS Unicode updated to 2.5?

https://code.google.com/archive/p/unsis/downloads only goes up to 2.46.5 (the version I am currently on, which is susceptible to the DLL hijack vector).

The most recent post on the official NSIS Unicode thread at http://forums.winamp.com/showpost.php?p=3050784&postcount=571 is from March 2016 and states: "The old Unicode NSIS 2 hasn't been rebuilt in a stable release in quite a while. There were still code contributions trickling in after the last stable. It is vulnerable to the DLL hijack issue that the latest NSIS2 and NSIS3b3 releases patched. I'd recommend switching to NSIS3b3."

Author

CrossVR commented Nov 27, 2016

I'm guessing these are the ASCII builds then? https://sourceforge.net/projects/nsis/files/NSIS%202/

Contributor

Et0h commented Nov 27, 2016

Yes, although I think that technically they are not called 'ASCII builds' of NSIS but are instead referred to as 'ANSI builds' of NSIS. Whatever the terminology, they are not Unicode builds of NSIS.

According to https://en.wikipedia.org/wiki/Nullsoft_Scriptable_Install_System "Versions of NSIS before 3.0 did not support Unicode, but only a means to convert some files to different encodings via a plugin. However, a variant of NSIS that has full Unicode support is available [i.e. the Unicode version I discussed above]".

Contributor

Et0h commented Dec 3, 2016

buildPy2exe.py should now be compatible with NSIS 3 so future builds of Syncplay will not be susceptible to the DLL side-loading vulnerability :)

Et0h closed this as completed Dec 3, 2016

Author

CrossVR commented Dec 3, 2016

Thanks 👍
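
A build-time guard for the fix discussed in this thread, as an added example that is not part of the thread or of Syncplay's build scripts: it asks `makensis` for its version and refuses to build the installer with a release older than the patched ones named above. The thresholds (the thread's "2.5" read as release 2.50, "NSIS3b3" read as 3.0b3), `makensis` being on PATH, and all function names are assumptions.

```python
import os
import re
import subprocess
import sys

# Assumed thresholds: "2.5" in the thread read as 2.50, "NSIS3b3" read as 3.0b3.
FIXED_2X = (2, 50, 0)
FIXED_3X = (3, 0, 0, 1, 3)  # (major, minor, patch, stage, stage number)
STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}  # pre-release order; None = final
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?", re.I)


def parse_nsis_version(text):
    """Turn 'v2.46.5-Unicode' or 'v3.0b3' into a comparable tuple, or None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    stage = m.group(4).lower() if m.group(4) else None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0),
            STAGE[stage], int(m.group(5) or 0))


def is_patched(text):
    """True only if the version is at or past the patched 2.x or 3.x release."""
    v = parse_nsis_version(text)
    if v is None:          # unrecognised output: fail closed
        return False
    if v[0] == 2:
        return v[:3] >= FIXED_2X
    return v >= FIXED_3X   # 3.x and later; 0.x and 1.x compare lower


def makensis_version(makensis="makensis"):
    """Ask the compiler for its version (/VERSION on Windows, -VERSION elsewhere)."""
    flag = "/VERSION" if os.name == "nt" else "-VERSION"
    out = subprocess.run([makensis, flag], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    version = makensis_version()
    if not is_patched(version):
        sys.exit(f"Refusing to build the installer with NSIS {version}")
    print(f"NSIS {version} is at or past the patched releases")
```

Calling `is_patched(makensis_version())` at the top of a build script stops a release build before an installer is produced with the old compiler.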
