Re: [AD] al_set_win_dll_path


On 2011-07-30, Elias Pschernig <elias.pschernig@xxxxxxxxxx> wrote:
> On Thu, 2011-07-28 at 11:20 +1000, Peter Wang wrote:
> > 
> > The main problem is loading DLLs from the _current_ directory, so it
> > should be relatively safe to load from the PATH (excluding the current
> > directory).  I can't remember why I didn't implement that; possibly
> > because it requires more work.
> > 
> 
> How exactly does the attack work? For example right now we prevent
> libvorbis.dll from being loaded from the current path. However
> libvorbis.dll depends on libogg.dll which still is loaded from the
> current path. So couldn't the attack simply switch to libogg.dll and do
> the attack anyway?

Yes, I think you're right.  "Safe DLL search mode" is enabled by default
with XP SP2 and later, which mitigates the problem a little.  The
current directory is still searched, but only after the application and
system directories.  An attack would still be possible on an Allegro
program which uses acodec but doesn't bundle a DLL, e.g. libFLAC.dll.

LoadLibraryEx gives us more control over the search path, though none of
the relevant flags are supported by Windows XP.  I don't know if we have
to detect that and not use the flag then, or if LoadLibraryEx will
simply ignore flags it doesn't support.

Peter
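
Added example (not part of the original message, and not Allegro code): a small C model of the DLL search order discussed above. It reports which of the DLLs named in the thread would resolve from the current directory with safe DLL search mode on or off. The directory layout, the function names, `example_sys.dll` and the `skip_cwd` switch are assumptions made for illustration; the code makes no Win32 calls.

```c
#include <stddef.h>
#include <string.h>

/* Locations in the classic Windows DLL search order (a model; no Win32 calls). */
enum loc { L_APP, L_SYS, L_SYS16, L_WIN, L_CWD, L_PATH, L_NONE };

/* Safe DLL search mode on: current directory after application and system dirs. */
static const enum loc SAFE_ORDER[6] = { L_APP, L_SYS, L_SYS16, L_WIN, L_CWD, L_PATH };
/* Safe DLL search mode off: current directory is searched second. */
static const enum loc LEGACY_ORDER[6] = { L_APP, L_CWD, L_SYS, L_SYS16, L_WIN, L_PATH };

/* One DLL name plus a bitmask (1u << loc) of the locations holding a copy. */
struct dll_entry { const char *name; unsigned present; };

/* First location in the search order that holds `name`; skip_cwd models a
   loader that leaves the current directory out of the search. */
enum loc resolve_dll(const struct dll_entry *fs, size_t n, const char *name,
                     int safe_mode, int skip_cwd)
{
    const enum loc *order = safe_mode ? SAFE_ORDER : LEGACY_ORDER;
    for (size_t i = 0; i < 6; i++) {
        if (skip_cwd && order[i] == L_CWD)
            continue;
        for (size_t j = 0; j < n; j++)
            if (strcmp(fs[j].name, name) == 0 && (fs[j].present & (1u << order[i])))
                return order[i];
    }
    return L_NONE;
}

/* Count the DLLs in `wanted` that would be loaded from the current directory. */
size_t count_cwd_loads(const struct dll_entry *fs, size_t n,
                       const char *const *wanted, size_t nwanted, int safe_mode)
{
    size_t hits = 0;
    for (size_t i = 0; i < nwanted; i++)
        if (resolve_dll(fs, n, wanted[i], safe_mode, 0) == L_CWD)
            hits++;
    return hits;
}

/* Constructed layout: libvorbis.dll is bundled with the program, libogg.dll and
   libFLAC.dll are not; the current directory holds a copy of every DLL. */
static const struct dll_entry SAMPLE[] = {
    { "libvorbis.dll",   (1u << L_APP) | (1u << L_CWD) },
    { "libogg.dll",      (1u << L_CWD) | (1u << L_PATH) },
    { "libFLAC.dll",     (1u << L_CWD) },
    { "example_sys.dll", (1u << L_SYS) | (1u << L_CWD) },  /* hypothetical name */
};
static const char *const WANTED[] = { "libvorbis.dll", "libogg.dll", "libFLAC.dll" };
```

In this model the unbundled libogg.dll and libFLAC.dll resolve from the current directory in both modes; safe mode only changes the result for a DLL that also exists in a system directory.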



