On 2011-07-30, Elias Pschernig <elias.pschernig@xxxxxxxxxx> wrote:
> On Thu, 2011-07-28 at 11:20 +1000, Peter Wang wrote:
> >
> > The main problem is loading DLLs from the _current_ directory, so it
> > should be relatively safe to load from the PATH (excluding the current
> > directory). I can't remember why I didn't implement that; possibly
> > because it requires more work.
> >
> How exactly does the attack work? For example, right now we prevent
> libvorbis.dll from being loaded from the current path. However,
> libvorbis.dll depends on libogg.dll, which still is loaded from the
> current path. So couldn't the attack simply switch to libogg.dll and do
> the attack anyway?
Yes, I think you're right. "Safe DLL search mode" is enabled by default
with XP SP2 and later, which mitigates the problem a little. The
current directory is still searched, but only after the application and
system directories. An attack would still be possible on an Allegro
program which uses acodec but doesn't bundle a DLL, e.g. libFLAC.dll.
LoadLibraryEx gives us more control over the search path, though none of
the relevant flags are supported by Windows XP. I don't know if we have
to detect that and not use the flag then, or if LoadLibraryEx will
simply ignore flags it doesn't support.
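An added example (editor's code, not Allegro's and not from anyone in this thread) of the loading strategy the two messages circle around: ask LoadLibraryEx to search only the application and system directories, and if the loader predates those flags (all of XP, and Vista/7 without the KB2533623 update), fall back to an explicit absolute path so the current directory is never consulted. On such loaders LoadLibraryEx does not silently ignore the flags; it fails with ERROR_INVALID_PARAMETER, which is what the fallback keys on. The function names (`resolve_dll_path`, `load_dll_safely`, `sample_exists`), the constructed sample file list, and the `SetDllDirectory("")` call (which drops the current directory from the default search order, XP SP1 and later) are all mine, not things the thread mentions.

```c
/* Added example, not Allegro code: load a DLL without letting the current
 * directory substitute it. The path resolver is kept portable so the
 * selection logic can be exercised on any platform. */
#include <stdio.h>
#include <string.h>

/* Constructed sample "filesystem" standing in for GetFileAttributes so the
 * resolver can be run offline. These paths are made up for the example. */
static const char *const sample_files[] = {
    "C:\\Game\\libvorbis.dll",
    "C:\\Game\\libogg.dll",
    "C:\\Windows\\system32\\version.dll",
};

int sample_exists(const char *path)
{
    for (size_t i = 0; i < sizeof sample_files / sizeof sample_files[0]; i++)
        if (strcmp(sample_files[i], path) == 0) return 1;
    return 0;
}

/* Return the first "dir\name" that exists, trying only the directories the
 * caller passes (application dir, then system dir). The current working
 * directory and PATH are never consulted, which is the whole point. */
int resolve_dll_path(const char *name, const char *const dirs[], size_t ndirs,
                     int (*exists)(const char *), char *out, size_t outlen)
{
    for (size_t i = 0; i < ndirs; i++) {
        int n = snprintf(out, outlen, "%s\\%s", dirs[i], name);
        if (n < 0 || (size_t)n >= outlen) break;   /* truncated: give up */
        if (exists(out)) return 1;
    }
    out[0] = '\0';
    return 0;
}

#ifdef _WIN32
#include <windows.h>

/* SDK values for the search-path flags; defined here so the file also
 * builds against older headers that do not declare them. */
#ifndef LOAD_LIBRARY_SEARCH_APPLICATION_DIR
#define LOAD_LIBRARY_SEARCH_APPLICATION_DIR 0x00000200
#endif
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800
#endif

static int file_exists(const char *path)
{
    return GetFileAttributesA(path) != INVALID_FILE_ATTRIBUTES;
}

HMODULE load_dll_safely(const char *name)
{
    /* Preferred path: restricted search, which the loader also applies to
     * the DLL's own dependencies (the libogg.dll case above). */
    DWORD flags = LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32;
    HMODULE h = LoadLibraryExA(name, NULL, flags);
    if (h) return h;
    /* Loaders that do not know the flags reject them rather than ignoring
     * them; any other error is a genuine load failure. */
    if (GetLastError() != ERROR_INVALID_PARAMETER) return NULL;

    /* Fallback for older loaders: remove the current directory from the
     * default search order (XP SP1+; resolved dynamically so the exe still
     * starts where the export is missing), then load by absolute path. */
    typedef BOOL (WINAPI *set_dll_dir_t)(LPCSTR);
    set_dll_dir_t set_dll_dir = (set_dll_dir_t)GetProcAddress(
        GetModuleHandleA("kernel32.dll"), "SetDllDirectoryA");
    if (set_dll_dir) set_dll_dir("");

    char app_dir[MAX_PATH], sys_dir[MAX_PATH], full[MAX_PATH];
    if (!GetModuleFileNameA(NULL, app_dir, MAX_PATH)) return NULL;
    char *slash = strrchr(app_dir, '\\');
    if (slash) *slash = '\0';
    if (!GetSystemDirectoryA(sys_dir, MAX_PATH)) return NULL;

    const char *const dirs[] = { app_dir, sys_dir };
    if (!resolve_dll_path(name, dirs, 2, file_exists, full, sizeof full)) return NULL;
    return LoadLibraryExA(full, NULL, 0);
}
#endif
```

The fallback protects only the DLL named in the call: its dependencies are still resolved by the loader's default search, so on XP the `SetDllDirectory("")` step (or bundling every dependency, libogg.dll included, next to the executable) is what closes the gap Elias describes. With the flags accepted, the restricted search covers dependencies too, which is why the flagged path is tried first.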