Re: [Openvpn-devel] openvpn and dll hijacking?
Hi,

On Thursday 02 September 2010 02:26:40 Jason Haar wrote:
> While we're on the topic of Windows compiles, has there been an audit
> of DLL-dependencies in openvpn?

OpenVPN-GUI is not affected. I just checked with the instruction from http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx.

It dynamically loads two libraries with the WIN32 API LoadLibrary function during startup, shell32.dll and riched20.dll. shell32.dll is listed below the HKLM/System/CurrentControlSet/Control/Session Manager/KnownDLLs registry key and therefore safe. riched20.dll is part of any sane Windows installation and located in the system32 folder. However, both are loaded without specifying the complete path. I'll fix that soon, just for the sake of best practice.

If you use Dependency Walker on the binary with an up-to-date Windows XP, you'll see that two .dlls cannot be found, ieshims.dll and wer.dll. Both are a 5th level dependency coming from shell32.dll. Procmon didn't show any unsuccessful attempts to load them, though. They are part of Windows starting from Vista.

Regards
Heiko
--
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro GmbH & Co. KG | An der RaumFabrik 33a | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRA 702710 | Headquarter Location: Karlsruhe
Represented by the General Partner Astaro Verwaltungs GmbH
An der RaumFabrik 33a | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRB 708248 | Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
Re: [Openvpn-devel] openvpn and dll hijacking?
>> > Having apps that can't be tricked into downloading random DLLs from
>> > strange websites would certainly be a good thing ;-)
>> Upgrade to a sane system, like GNU/Linux and all your apps will be fixed
>> in one fell swoop,
> "if they were built with a sane rpath".

AFAIK, that's usually the case under most GNU/Linux distributions.

> Which is the whole point of the advisory: if you build applications wrongly,
> they will become vulnerable.

Yes, but those risks with rpath and friends have been known for a very long time under unixy systems and have been taken fairly seriously, so it's rather rare to find a vulnerable package in my experience (e.g. I have never seen current-directory in the rpath).

Stefan
Re: [Openvpn-devel] openvpn and dll hijacking?
Hi,

On Thu, Sep 02, 2010 at 09:44:03AM +0200, Stefan Monnier wrote:
> > Having apps that can't be tricked into downloading random DLLs from
> > strange websites would certainly be a good thing ;-)
>
> Upgrade to a sane system, like GNU/Linux and all your apps will be fixed
> in one fell swoop,

"if they were built with a sane rpath".

Which is the whole point of the advisory: if you build applications wrongly, they will become vulnerable.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] openvpn and dll hijacking?
> Having apps that can't be tricked into downloading random DLLs from
> strange websites would certainly be a good thing ;-)

Upgrade to a sane system, like GNU/Linux and all your apps will be fixed in one fell swoop,

Stefan
[Openvpn-devel] openvpn and dll hijacking?
While we're on the topic of Windows compiles, has there been an audit of DLL-dependencies in openvpn?

I'm thinking about the nightmare that is DLL Hijacking (http://isc.sans.edu/diary.html?storyid=9445)

Having apps that can't be tricked into downloading random DLLs from strange websites would certainly be a good thing ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1