DLL hijacking problem

Corinna Vinschen corinna-cygwin@cygwin.com
Fri Aug 27 16:44:00 GMT 2010


On Aug 27 09:38, Christopher Faylor wrote:
> On Fri, Aug 27, 2010 at 03:16:14PM +0200, Corinna Vinschen wrote:
> >Hi,
> >
> >This DLL hijacking problem goes from simmering to boiling pretty fast
> >right now:
> >http://www.microsoft.com/technet/security/advisory/2269637.mspx
> >The exploit DB fills rapidly in the last couple of days:
> >http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=DLL+Hijacking&filter_author=&filter_platform=0&filter_type=0&filter_port=&filter_osvdb=&filter_cve=
> >
> >Given
> >http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx
> >
> >I propose to change all calls to
> >
> >  LoadLibrary ("any-Win32-system.dll")
> >
> >to (basically) 
> >
> >  GetSystemDirectory (path);
> >  strcat (path, "\\any-Win32-system.dll");
> >  LoadLibrary (path);
> >
> >Or does anybody think this is overreacting?
> 
> No, I was thinking the same thing after seeing the discussion of the
> problem in Slashdot.

Ok, I'll do that.  For the autoload stuff, do you have any problem if I
convert the DLL names to WCHAR?  The idea is to move the
windows_system_directory variable from a static var in exceptions.cc to
a global variable in globals.cc, and to move the GetSystemDirectoryW
call in exceptions.cc:events_init pretty much to the start of
dll_crt0_0, so we can be sure it's available for any autoloaded stuff,
however early it occurs.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
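The change proposed above, worked through as an added example (this is not Cygwin's code): a helper that builds the full path under the system directory and rejects names that carry their own path components, plus a Windows-only wrapper around GetSystemDirectoryW and LoadLibraryW. Unlike the strcat sketch in the quoted mail, it checks the buffer size. The function names build_system_dll_path and load_system_dll are hypothetical.

```c
/* Added example (not Cygwin code): load a Win32 system DLL by its full
   path under the system directory instead of by bare name, so the loader
   never searches the application directory or CWD for it. */
#include <stddef.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Build "<sysdir>\<dllname>" into out. Returns 1 on success, 0 if either
   part is empty, the name contains a path separator or drive colon (which
   would redirect the load elsewhere), or the result would not fit.
   Pure function, so it can be tested on any platform. */
int build_system_dll_path(const wchar_t *sysdir, const wchar_t *dllname,
                          wchar_t *out, size_t outlen)
{
    size_t dlen = wcslen(sysdir), nlen = wcslen(dllname);
    if (nlen == 0 || dlen == 0)
        return 0;
    for (size_t i = 0; i < nlen; i++)
        if (dllname[i] == L'\\' || dllname[i] == L'/' || dllname[i] == L':')
            return 0;
    /* Need sysdir + optional '\\' + dllname + terminating NUL. */
    size_t need_sep = sysdir[dlen - 1] != L'\\';
    if (dlen + need_sep + nlen + 1 > outlen)
        return 0;
    wcscpy(out, sysdir);
    if (need_sep)
        out[dlen++] = L'\\';
    wcscpy(out + dlen, dllname);
    return 1;
}

#ifdef _WIN32
/* Windows-only wrapper: resolve the system directory once with
   GetSystemDirectoryW, then load the DLL by its full path. */
HMODULE load_system_dll(const wchar_t *dllname)
{
    wchar_t sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryW(sysdir, MAX_PATH);
    if (n == 0 || n >= MAX_PATH)          /* failed or truncated */
        return NULL;
    if (!build_system_dll_path(sysdir, dllname, full, MAX_PATH))
        return NULL;
    return LoadLibraryW(full);
}
#endif
```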


