[2.2.{1,2}] Windows LoadLibrary DLL hijacking vulnerability (CVE-2017-11742) #82
Comments
Hi Viktor, quoting MSDN on flag
I am unsure if we can drop support for Windows XP from Expat, so passing I only now start to wonder if it would be an option to call
On Windows XP the first call would fail but the second would succeed. On later systems, the first would succeed right away. That would add security for post-XP users and keep XP supported. Am I missing something? |
Passing IOW this patch doesn't affect Windows XP in any way: It won't fix the vulnerability, but let it continue to work just as it was working before the patch. |
Is that behaviour documented somewhere? |
I don't have a link for that, but it would be expected in order to retain backwards compatibility. To avoid assumptions, it'd be best to test this on a real Windows XP system (I don't have access to one though.) BTW, to make it more confusing, the flag is only supported on and above Windows 8. For Vista/7/etc, it requires patch. To detect availability of this functionality (f.e. to fall-back to an alternate fix), this logic may be used:

```c
#include <windows.h>

/* _ISWIN8() and _GETPROCADDRESS() are Harbour's own helpers from
   contrib/hbwin (a Windows 8 version check and a GetProcAddress()
   wrapper); substitute the equivalent API calls outside Harbour. */
static int _has_search_system32()
{
   if( _ISWIN8() )
      return 1;   /* Windows 8 and later support the flag natively */
   else
   {
      HMODULE hKernel32 = GetModuleHandle( TEXT( "kernel32.dll" ) );
      if( hKernel32 )
         /* AddDllDirectory() only exists once the patch is installed */
         return _GETPROCADDRESS( hKernel32, "AddDllDirectory" ) != NULL; /* Detect KB2533623 */
   }
   return 0;
}
```

(source: https://github.com/vszakats/harbour-core/blob/master/contrib/hbwin/wapi_misc.c, own work, thus not a proof.) |
For Windows, I depend on pull requests. I have added the |
IMO, Expat should only do a reasonable minimum in these cases, following the principle of separation of concerns.

In controlled environments one should probably use AppLocker: see https://blogs.technet.microsoft.com/srd/2014/05/13/load-library-safely/.

One can also check the signature - it seems ADVAPI32.DLL has one, at least on newer Windows versions.

I would not go out of our way to support XP, it is insecure as it is already.

Karl
On Fri, Jul 14, 2017 at 5:16 PM, Sebastian Pipping wrote:
> For Windows, I rely on pull request. I have added the help wanted label now.
|
I also feel that a patch that solves this for recent Windows versions is much better than nothing. Waiting for someone interested enough to provide a full-blown solution that offers fix for XP and below as well, leaves the vulnerability open on the majority of machines in the meantime, which is not ideal. |
Wine 2.0 does ignore
but before we know 110% that |
Fixed by 99fb4b5 on |
I'd argue it's not fixed for Windows XP and unpatched Vista/7, plus the unusual fall-back logic to the standard search path opened potentially new options for an attacker. It's the worst of both worlds :( |
FWIW, here's the patch to fix the exact same issue (CVE-2016-4802) in libcurl from a year ago: It resolves the problem for all Windows versions and would only add the flag if the required Windows patch is installed, without the unusual fall-back logic that's currently committed to libexpat. It's very similar to the source code I posted earlier, but directly from a well-known, battle-tested project. |
If it's not, then
For new vectors from the retry code, the scenario would be that an attacker can make the first call to
It's better than what we had in the code before.
|
I believe we should request a CVE for this issue using the form on https://cveform.mitre.org/ . @vszakats could you review my suggestion on form input below before I submit? If you'd rather submit yourself or already have, please let me know, so we can save duplicate work.
|
@hartwork Thank you for submitting this, it looks good to me. |
Thanks for the review. Request submitted now. |
MITRE assigned CVE-2017-11742 to this vulnerability now. |
Starting with 2.2.1, libexpat added a `LoadLibrary()` call to load the `ADVAPI32.DLL` Windows system DLL to improve random numbers. This call however is prone to a known DLL hijacking vulnerability, with no (trivial) way to opt out from this by apps making use of libexpat. The attack works by building a tailor-made `ADVAPI32.DLL` that exports the function required and called by libexpat, and copying that DLL to the directory of the user application or to the current directory.

My (already proposed in #62) patch is this:

It will resolve the problem for Windows Vista and newer versions, thus covering all officially supported versions of Windows. For older versions the generally recommended method is to detect the `SYSTEM32` directory and prepend that to the loaded DLL name.