Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
loadlibrary: Only load system DLLs from the system directory
Inspiration provided by: Daniel Stenberg and Ray Satiro Bug: https://curl.haxx.se/docs/adv_20160530.html Ref: Windows DLL hijacking with curl, CVE-2016-4802
- Loading branch information
1 parent
ddf25f6
commit 6df916d
Showing
7 changed files
with
180 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
/*************************************************************************** | ||
* _ _ ____ _ | ||
* Project ___| | | | _ \| | | ||
* / __| | | | |_) | | | ||
* | (__| |_| | _ <| |___ | ||
* \___|\___/|_| \_\_____| | ||
* | ||
* Copyright (C) 2016, Steve Holme, <steve_holme@hotmail.com>. | ||
* | ||
* This software is licensed as described in the file COPYING, which | ||
* you should have received as part of this distribution. The terms | ||
* are also available at https://curl.haxx.se/docs/copyright.html. | ||
* | ||
* You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
* copies of the Software, and permit persons to whom the Software is | ||
* furnished to do so, under the terms of the COPYING file. | ||
* | ||
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
* KIND, either express or implied. | ||
* | ||
***************************************************************************/ | ||
|
||
#include "curl_setup.h" | ||
|
||
#if defined(WIN32) | ||
|
||
#if defined(USE_WINDOWS_SSPI) || (!defined(CURL_DISABLE_TELNET) && \ | ||
defined(USE_WINSOCK)) | ||
|
||
#include <curl/curl.h> | ||
#include "system_win32.h" | ||
|
||
/* The last #include files should be: */ | ||
#include "curl_memory.h" | ||
#include "memdebug.h" | ||
|
||
#if !defined(LOAD_WITH_ALTERED_SEARCH_PATH) | ||
#define LOAD_WITH_ALTERED_SEARCH_PATH 0x00000008 | ||
#endif | ||
|
||
#if !defined(LOAD_LIBRARY_SEARCH_SYSTEM32) | ||
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800 | ||
#endif | ||
|
||
/* We use our own typedef here since some headers might lack these */ | ||
typedef HMODULE (APIENTRY *LOADLIBRARYEX_FN)(LPCTSTR, HANDLE, DWORD); | ||
|
||
/* See function definitions in winbase.h */ | ||
#ifdef UNICODE | ||
# ifdef _WIN32_WCE | ||
# define LOADLIBARYEX L"LoadLibraryExW" | ||
# else | ||
# define LOADLIBARYEX "LoadLibraryExW" | ||
# endif | ||
#else | ||
# define LOADLIBARYEX "LoadLibraryExA" | ||
#endif | ||
|
||
/* | ||
* Curl_load_library() | ||
* | ||
* This is used to dynamically load DLLs using the most secure method available | ||
* for the version of Windows that we are running on. | ||
* | ||
* Parameters: | ||
* | ||
* filename [in] - The filename or full path of the DLL to load. If only the | ||
* filename is passed then the DLL will be loaded from the | ||
* Windows system directory. | ||
* | ||
* Returns the handle of the module on success; otherwise NULL. | ||
*/ | ||
HMODULE Curl_load_library(LPCTSTR filename) | ||
{ | ||
HMODULE hModule = NULL; | ||
LOADLIBRARYEX_FN pLoadLibraryEx = NULL; | ||
|
||
/* Get a handle to kernel32 so we can access it's functions at runtime */ | ||
HMODULE hKernel32 = GetModuleHandle(TEXT("kernel32")); | ||
if(!hKernel32) | ||
return NULL; | ||
|
||
/* Attempt to find LoadLibraryEx() which is only available on Windows 2000 | ||
and above */ | ||
pLoadLibraryEx = (LOADLIBRARYEX_FN) GetProcAddress(hKernel32, LOADLIBARYEX); | ||
|
||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong. |
||
/* Detect if there's already a path in the filename and load the library if | ||
there is. Note: Both back slashes and forward slashes have been supported | ||
since the earlier days of DOS at an API level although they are not | ||
supported by command prompt */ | ||
if(_tcspbrk(filename, TEXT("\\/"))) | ||
hModule = pLoadLibraryEx ? | ||
pLoadLibraryEx(filename, NULL, LOAD_WITH_ALTERED_SEARCH_PATH) : | ||
LoadLibrary(filename); | ||
/* Detect if KB2533623 is installed, as LOAD_LIBARY_SEARCH_SYSTEM32 is only | ||
supported on Windows Vista, Windows Server 2008, Windows 7 and Windows | ||
Server 2008 R2 with this patch or natively on Windows 8 and above */ | ||
else if(pLoadLibraryEx && GetProcAddress(hKernel32, "AddDllDirectory")) { | ||
/* Load the DLL from the Windows system directory */ | ||
hModule = pLoadLibraryEx(filename, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32); | ||
} | ||
else { | ||
/* Attempt to get the Windows system path */ | ||
UINT systemdirlen = GetSystemDirectory(NULL, 0); | ||
if(systemdirlen) { | ||
/* Allocate space for the full DLL path (Room for the null terminator | ||
is included in systemdirlen) */ | ||
size_t filenamelen = _tcslen(filename); | ||
TCHAR *path = malloc(sizeof(TCHAR) * (systemdirlen + 1 + filenamelen)); | ||
if(path && GetSystemDirectory(path, systemdirlen)) { | ||
/* Calculate the full DLL path */ | ||
_tcscpy(path + _tcslen(path), TEXT("\\")); | ||
_tcscpy(path + _tcslen(path), filename); | ||
|
||
/* Load the DLL from the Windows system directory */ | ||
hModule = pLoadLibraryEx ? | ||
pLoadLibraryEx(path, NULL, LOAD_WITH_ALTERED_SEARCH_PATH) : | ||
LoadLibrary(path); | ||
|
||
free(path); | ||
} | ||
} | ||
} | ||
|
||
return hModule; | ||
} | ||
|
||
#endif /* USE_WINDOWS_SSPI || (!CURL_DISABLE_TELNET && USE_WINSOCK) */ | ||
|
||
#endif /* WIN32 */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
#ifndef HEADER_CURL_SYSTEM_WIN32_H | ||
#define HEADER_CURL_SYSTEM_WIN32_H | ||
/*************************************************************************** | ||
* _ _ ____ _ | ||
* Project ___| | | | _ \| | | ||
* / __| | | | |_) | | | ||
* | (__| |_| | _ <| |___ | ||
* \___|\___/|_| \_\_____| | ||
* | ||
* Copyright (C) 2016, Steve Holme, <steve_holme@hotmail.com>. | ||
* | ||
* This software is licensed as described in the file COPYING, which | ||
* you should have received as part of this distribution. The terms | ||
* are also available at https://curl.haxx.se/docs/copyright.html. | ||
* | ||
* You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
* copies of the Software, and permit persons to whom the Software is | ||
* furnished to do so, under the terms of the COPYING file. | ||
* | ||
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
* KIND, either express or implied. | ||
* | ||
***************************************************************************/ | ||
|
||
#include "curl_setup.h" | ||
|
||
#if defined(WIN32) | ||
|
||
#if defined(USE_WINDOWS_SSPI) || (!defined(CURL_DISABLE_TELNET) && \ | ||
defined(USE_WINSOCK)) | ||
|
||
/* This is used to dynamically load DLLs */ | ||
HMODULE Curl_load_library(LPCTSTR filename); | ||
|
||
#endif /* USE_WINDOWS_SSPI || (!CURL_DISABLE_TELNET && USE_WINSOCK) */ | ||
|
||
#endif /* WIN32 */ | ||
|
||
#endif /* HEADER_CURL_SYSTEM_WIN32_H */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Wouldn't it make more sense to set
hKernel32
andpLoadLibraryEx
only once? I.e. inwin32_init()
called bycurl_global_init()
. Thus the whole file should not depend onUSE_WINDOWS_SSPI
and/orCURL_DISABLE_TELNET
. Much cleaner IMHO.