A Windows utility to check for potential insecure paths used by the OPENSSLDIR build parameter in OpenSSL libraries



A Windows utility written in C++ to check for potential insecure paths used by the OPENSSLDIR build parameter in OpenSSL libraries. Applications that bundle OpenSSL libraries may have OPENSSLDIR set to a path that could be writable from a low privileged user account. Depending on how the application is written, it may automatically load OPENSSLDIR/openssl.cnf during startup or other specific conditions.

The openssl.cnf configuration file can be leveraged to load a malicious OpenSSL Engine library resulting in the execution of arbitrary code with the authority of the account running the vulnerable application. For a detailed example of how I obtained SYSTEM with the Private Internet Access Desktop VPN client, read Information on how this works is described at

Additional functionality will be added as time permits. Here is functionality I may implement.

  • Check permissions on all folders listed in the OPENSSLDIR path
  • Check permissions of OPENSSLDIR/openssl.cnf
  • Check permissions of OPENSSL_ENGINES_DIR for OpenSSL 1.1+
  • Create option to search the file system for OpenSSL libraries
  • Logging
  • XML/JSON output


The binaries can be downloaded directly from the CI build server. Click on the desired platform and then select Artifacts.


Note: Do not use this on untrusted paths. The utility attempts to load the library and call the OpenSSL function to determine the version and OPENSSLDIR path.

```
# OpenSSL v1.1+
openssldir_check <path/to/libcrypto-<version>.dll>

# OpenSSL < v1.1
openssldir_check <path/to/libeay32.dll>
```
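
Once the OPENSSLDIR value is known, the folder and openssl.cnf permission checks listed above can be approximated in PowerShell with Get-Acl. This is an added example, not part of this project's code; the sample path, the `Get-LowPrivWriteRule` helper name and the choice of SIDs and rights bits are assumptions.

```powershell
# Added example, not part of this project. The sample path is constructed;
# replace it with the OPENSSLDIR value reported for your library.
$OpenSslDir = 'C:\usr\local\ssl'

# Well-known SIDs that cover ordinary, non-administrative accounts.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# CreateFiles/WriteData, CreateDirectories/AppendData, ChangePermissions,
# TakeOwnership, plus the raw GENERIC_ALL and GENERIC_WRITE bits.
$writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

# Hypothetical helper: Allow ACEs that grant a low-privileged SID write access
# to $Path itself. Deny ACEs and group nesting are not evaluated.
function Get-LowPrivWriteRule([string]$Path) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv.ContainsKey($_.IdentityReference.Value) -and
            -not ($_.PropagationFlags -band $inheritOnly) -and
            ([int]$_.FileSystemRights -band $writeMask)
        }
}

# openssl.cnf first, then OPENSSLDIR and every parent up to the drive root.
$targets = @(Join-Path $OpenSslDir 'openssl.cnf')
for ($p = $OpenSslDir; $p; $p = Split-Path -Path $p -Parent) { $targets += $p }

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) {
        # Missing: whoever can create items in the nearest existing parent can supply it.
        [pscustomobject]@{ Path = $t; Status = 'Missing'; Principal = ''; Rights = '' }
        continue
    }
    $rules = @(Get-LowPrivWriteRule $t)
    if ($rules.Count -eq 0) {
        [pscustomobject]@{ Path = $t; Status = 'OK'; Principal = ''; Rights = '' }
    }
    foreach ($r in $rules) {
        [pscustomobject]@{ Path = $t; Status = 'Writable'
            Principal = $lowPriv[$r.IdentityReference.Value]; Rights = $r.FileSystemRights }
    }
}
```

A `Missing` row followed by a `Writable` row for one of its parents is the combination to fix first, either by rebuilding the library with an OPENSSLDIR under an administrator-only location or by creating the path with a restrictive ACL.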


