[AD] [ alleg-Bugs-3109312 ] DLL hijacking

[ Thread Index | Date Index | More lists.liballeg.org/allegro-developers Archives ]


Bugs item #3109312, was opened at 2010-11-15 12:15
Message generated for change (Comment added) made by tjaden
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105665&aid=3109312&group_id=5665

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Windows
Group: 4.9
Status: Open
Resolution: None
Priority: 8
Private: No
Submitted By: Peter Wang (tjaden)
Assigned to: Nobody/Anonymous (nobody)
Summary: DLL hijacking

Initial Comment:
I believe Allegro is vulnerable to DLL hijacking due to calling LoadLibrary with unqualified file names. An attacker may ask the victim to open a file with an Allegro application that the victim has installed. Also in that directory is a malicious copy of a DLL that Allegro loads at runtime. This could over a network share, and the malicious DLL may be hidden.

The solution would be to ensure that we only load DLLs from "trusted" locations: the system directories, or the directory containing the application executable or Allegro main DLL (if possible).

References:
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://msdn.microsoft.com/en-us/library/ff919712(VS.85).aspx

----------------------------------------------------------------------

>Comment By: Peter Wang (tjaden)
Date: 2010-11-16 12:42

Message:
We load d3d9.dll, dinput8.dll, FLAC, DUMB and vorbisfile. It's possible to
disable loading of the latter three, but not the former. The first two are
probably likely to be found in the system directories, so I assume that
makes them less of a threat.


----------------------------------------------------------------------

Comment By: Elias Pschernig (elias)
Date: 2010-11-15 20:52

Message:
Which .dlls are affected? I assume this has to do with the audio decoders
only. And is there a way to compile the audio addon DLL (if that's the only
problematic one) in a way so it will not load additional dlls at runtime?

To properly fix this, we may want an additional API function for
specifying the location of runtime DLLs. As far as I can see currently the
only way to distribute an A5 app is to rely on such DLLs being found in the
current directory and issuing a chdir to that directory before al_init - so
removing the current dir from the search path would not be a solution.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105665&aid=3109312&group_id=5665




Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/