Installer vulnerable to DLL side-loading #121

Closed
Armada651 opened this Issue Nov 27, 2016 · 7 comments

Armada651 commented Nov 27, 2016

Just a friendly reminder to update the version of NSIS you are using to compile the installer to a more recent version. Currently it will load malicious DLLs in the user's Downloads directory as explained here: https://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/

Contributor

Et0h commented Nov 27, 2016

Thanks for the heads up. Syncplay currently uses NSIS 2.46.5-Unicode but it sounds like we may need to port things over to NSIS 3 (which now has Unicode support by default).

Armada651 commented Nov 27, 2016

According to the article, updating to 2.5 should also fix it without needing to port stuff to NSIS 3.

Contributor

Et0h commented Nov 27, 2016

Are there any trustworthy builds of NSIS Unicode updated to 2.5?

https://code.google.com/archive/p/unsis/downloads only goes up to 2.46.5 (the version I am currently on, which is susceptible to the DLL hijack vector).

The most recent post on the official NSIS Unicode thread at http://forums.winamp.com/showpost.php?p=3050784&postcount=571 is from March 2016 and states: "The old Unicode NSIS 2 hasn't been rebuilt in a stable release in quite a while. There were still code contributions trickling in after the last stable. It is vulnerable to the DLL hijack issue that the latest NSIS2 and NSIS3b3 releases patched. I'd recommend switching to NSIS3b3."

Armada651 commented Nov 27, 2016

I'm guessing these are the ASCII builds then? https://sourceforge.net/projects/nsis/files/NSIS%202/

Contributor

Et0h commented Nov 27, 2016

Yes, although I think that technically they are not called 'ASCII builds' of NSIS but are instead referred to as 'ANSI builds' of NSIS. Whatever the terminology, they are not Unicode builds of NSIS.

According to https://en.wikipedia.org/wiki/Nullsoft_Scriptable_Install_System "Versions of NSIS before 3.0 did not support Unicode, but only a means to convert some files to different encodings via a plugin. However, a variant of NSIS that has full Unicode support is available [i.e. the Unicode version I discussed above]".

Contributor

Et0h commented Dec 3, 2016

buildPy2exe.py should now be compatible with NSIS 3 so future builds of Syncplay will not be susceptible to the DLL side-loading vulnerability :)

@Et0h Et0h closed this Dec 3, 2016

Armada651 commented Dec 3, 2016

Thanks 👍
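
A build-time guard along the lines discussed in this thread, as an added example that is not part of the issue or of Syncplay's build script: it parses the version string reported by `makensis /VERSION` and refuses compilers the thread identifies as vulnerable. The two-digit reading of the minor version ("2.5" as 2.50), the function names and the sample strings are assumptions.

```python
import re
import subprocess

# Version cut-offs as stated in the thread: NSIS 2 is fixed from "2.5", NSIS 3 from
# 3.0 beta 3, and the separate Unicode fork of NSIS 2 was never rebuilt with the fix.
_VERSION = re.compile(r"v?(\d+)\.(\d+)(?:\.\d+)?(?:b(\d+))?(-unicode)?", re.IGNORECASE)


def parse_nsis_version(text):
    """Return (major, minor, beta, unicode_fork) for strings such as 'v3.0b3'."""
    match = _VERSION.fullmatch(text.strip())
    if match is None:
        raise ValueError("unrecognised NSIS version: %r" % text)
    major = int(match.group(1))
    # Assumption: the minor field is two digits wide, so "2.5" means 2.50
    # and sorts after 2.46 instead of before it.
    minor = int(match.group(2).ljust(2, "0"))
    beta = int(match.group(3)) if match.group(3) else None
    return major, minor, beta, match.group(4) is not None


def is_patched(text):
    """True when the version is one the thread describes as fixed."""
    major, minor, beta, unicode_fork = parse_nsis_version(text)
    if major == 2:
        return minor >= 50 and not unicode_fork
    if (major, minor) == (3, 0) and beta is not None:
        return beta >= 3
    return major >= 3


def require_patched_makensis(makensis="makensis"):
    """Abort a build when the compiler found on PATH predates the fix."""
    out = subprocess.run([makensis, "/VERSION"], capture_output=True, text=True, check=True)
    version = out.stdout.strip()
    if not is_patched(version):
        raise SystemExit("refusing to build installer with NSIS " + version)
    return version


if __name__ == "__main__":
    # Constructed sample strings, not captured makensis output.
    for sample in ("v2.46.5-Unicode", "v2.46", "2.5", "v2.51", "v3.0b2", "v3.0b3", "v3.04"):
        print(sample, "patched" if is_patched(sample) else "vulnerable")
```

Calling `require_patched_makensis()` at the top of the installer build step makes a stale compiler fail the build instead of silently producing a side-loadable installer.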
