Re: [AD] al_set_win_dll_path
On 2011-07-30, Elias Pschernig <elias.pschernig@xxxxxxxxxx> wrote:
> On Thu, 2011-07-28 at 11:20 +1000, Peter Wang wrote:
> >
> > The main problem is loading DLLs from the _current_ directory, so it
> > should be relatively safe to load from the PATH (excluding the current
> > directory). I can't remember why I didn't implement that; possibly
> > because it requires more work.
> >
>
> How exactly does the attack work? For example right now we prevent
> libvorbis.dll from being loaded from the current path. However
> libvorbis.dll depends on libogg.dll which still is loaded from the
> current path. So couldn't the attack simply switch to libogg.dll and do
> the attack anyway?

Yes, I think you're right. "Safe DLL search mode" is enabled by default
with XP SP2 and later, which mitigates the problem a little. The
current directory is still searched, but only after the application and
system directories. An attack would still be possible on an Allegro
program which uses acodec but doesn't bundle a DLL, e.g. libFLAC.dll.

LoadLibraryEx gives us more control over the search path, though none of
the relevant flags are supported by Windows XP. I don't know if we have
to detect that and not use the flag then, or if LoadLibraryEx will
simply ignore flags it doesn't support.

Peter
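
The search order discussed in this thread, as an added example that is not part of the original message or of Allegro's code: a simplified Python model of the documented Windows desktop DLL search order that reports which of a program's DLL names would be resolved from the current directory, with Safe DLL search mode on and off. The function names, directories and file listings are constructed for illustration, and KnownDLLs, manifests and redirection are ignored.

```python
# Simplified model of the standard Windows desktop DLL search order.
# Assumption: KnownDLLs, manifests and DLL redirection are ignored.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories in the order the loader tries them."""
    if safe_mode:   # current directory comes after the system directories
        order = [app_dir] + SYSTEM_DIRS + [cwd]
    else:           # legacy order: current directory right after the app dir
        order = [app_dir, cwd] + SYSTEM_DIRS
    return order + list(path_dirs)


def resolve(dll, order, fs):
    """First directory in `order` holding `dll` (names are case-insensitive)."""
    for directory in order:
        names = {name.lower() for name in fs.get(directory, ())}
        if dll.lower() in names:
            return directory
    return None


def resolved_from_cwd(imports, app_dir, cwd, path_dirs, fs, safe_mode=True):
    """DLL names that would be satisfied by a file in the current directory."""
    order = search_order(app_dir, cwd, path_dirs, safe_mode)
    return sorted(d for d in imports
                  if cwd != app_dir and resolve(d, order, fs) == cwd)


# Constructed sample layout: the program bundles libvorbis.dll only, a
# libogg.dll is installed system-wide, and the (untrusted) current
# directory contains files named libogg.dll and libFLAC.dll.
APP = r"C:\Games\demo"
CWD = r"C:\Users\me\Downloads"
FS = {
    APP: ["demo.exe", "libvorbis.dll"],
    r"C:\Windows\System32": ["libogg.dll"],
    CWD: ["libogg.dll", "libFLAC.dll"],
}
IMPORTS = ["libvorbis.dll", "libogg.dll", "libFLAC.dll"]

if __name__ == "__main__":
    for mode in (True, False):
        hits = resolved_from_cwd(IMPORTS, APP, CWD, [], FS, safe_mode=mode)
        print("safe_mode=%s -> resolved from current directory: %s" % (mode, hits))
```

In this layout only the unbundled libFLAC.dll resolves from the current directory under Safe DLL search mode, while the legacy order also picks up libogg.dll there; bundling every dependency in the application directory empties both lists.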