[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL
Rémi Denis-Courmont
remi at remlab.net
Fri Mar 10 18:31:54 CET 2017
On Friday, 10 March 2017, 18:22:13 EET, Jean-Baptiste Kempf wrote:
> On Fri, 10 Mar 2017, at 18:17, Rémi Denis-Courmont wrote:
> > You can't load kernel32.dll at run-time anyway, since it contains the
> > run-time loader.
>
> Take any of those. Remove gdi or advapi or user32 or any other library
> that we link statically against.
> Show me how.
>
> > > If you can change advapi32, kernel32, user32, shell32, psapi or
> > > msvcrt.dll and change them to either not be KnownDLL or be modified,
> > > then your system security is fucked.
> >
> > Sure. And if an attacker can overwrite any (other) of the MSDN-documented
> > DLLs, I am fucked too. Whether or not it's a known DLL.
> >
> > Because plenty of executables will link them in the PE header.
>
> And your point is?
>
> winmm.dll and wininet.dll are not knowndll, so putting a dll named like
> that on a portable VLC, next to VLC.exe will load them, in the normal
> configuration, without being admin.
If somebody can put a DLL in the same directory as your application, you are
fucked. With or without this patch. Two orders of magnitude more so with VLC,
and its habit of automatically loading any plugin you throw at it.
Loading DLLs from CWD is (or was) a security vulnerability. Loading DLLs from
the app directory might be suboptimal for "safety", but is not a "security"
vulnerability under any sane threat model.
--
雷米‧德尼-库尔蒙
https://www.remlab.net/
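As an added example, not code from this thread or from VLC: a PowerShell check from the defender's side that walks an executable's PE import table and reports which statically imported DLLs are not registered as KnownDLLs, i.e. the names that the default search order resolves from the application directory before System32 (the winmm/wininet case raised above). The VLC install path and the nested RvaToOff helper are my own assumptions.

```powershell
# Added example, not code from the vlc-devel thread or from VLC. Lists the DLLs an
# EXE imports in its PE header and flags those not registered as KnownDLLs; under the
# default search order those names resolve from the application directory first.
# The VLC install path below is an assumption; pass any executable instead.
param([string]$ExePath = "C:\Program Files\VideoLAN\VLC\vlc.exe")

function Get-ImportedDlls([string]$Path) {
    $b  = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                        # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "$Path is not a PE file" }
    $nSec = [BitConverter]::ToUInt16($b, $pe + 6)
    $opt  = $pe + 24                                                # optional header
    $dd   = if ([BitConverter]::ToUInt16($b, $opt) -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $impRva = [BitConverter]::ToUInt32($b, $dd + 8)                 # data directory[1]: imports
    if ($impRva -eq 0) { return @() }
    $secTab = $opt + [BitConverter]::ToUInt16($b, $pe + 20)         # SizeOfOptionalHeader
    $sections = foreach ($i in 0..($nSec - 1)) {                    # for RVA -> file offset
        $s = $secTab + 40 * $i
        [pscustomobject]@{ VA   = [BitConverter]::ToUInt32($b, $s + 12)
                           Size = [BitConverter]::ToUInt32($b, $s + 8)
                           Raw  = [BitConverter]::ToUInt32($b, $s + 20) }
    }
    function RvaToOff([uint32]$rva) {                               # assumed helper, nested
        foreach ($s in $sections) {
            if ($rva -ge $s.VA -and $rva -lt ($s.VA + $s.Size)) { return $rva - $s.VA + $s.Raw }
        }
        throw ("RVA 0x{0:X} is outside every section" -f $rva)
    }
    $desc = RvaToOff $impRva; $names = @()
    while (($nameRva = [BitConverter]::ToUInt32($b, $desc + 12)) -ne 0) {   # IMAGE_IMPORT_DESCRIPTOR.Name
        $off = RvaToOff $nameRva
        $end = $off; while ($b[$end] -ne 0) { $end++ }
        $names += [System.Text.Encoding]::ASCII.GetString($b, $off, $end - $off)
        $desc += 20                                                 # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    }
    return $names
}

function Get-KnownDlls {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $list = (Get-ItemProperty $key).PSObject.Properties |         # skip PS* and DllDirectory* values
        Where-Object { $_.Name -notmatch '^(PS|DllDirectory)' } |
        ForEach-Object { $_.Value.ToLower() }
    return @($list) + 'ntdll.dll'                                   # ntdll is always mapped by the loader
}

$known = Get-KnownDlls
Get-ImportedDlls $ExePath | ForEach-Object {
    [pscustomobject]@{ Dll = $_; KnownDll = ($known -contains $_.ToLower()) }
} | Sort-Object KnownDll, Dll | Format-Table -AutoSize
```

Rows with KnownDll = False are the imports a same-named file next to the executable would satisfy; delay-loading or loading them with an explicit System32 search path is the usual mitigation.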