1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-23 01:49:53 +03:00

Preventing the Win32 API LoadLibrary() current directory DLL injection issue.

When loading the DLL file by the LoadLibrary() function in Windows VPN programs, we changed the behavior not to search the current directory. Based on this improvement, even if there are untrusted DLL files in the calendar directory, it is now safe to avoid the problem of unexpected security problem caused by the default loading behavior of Windows. Acknowledgments: This is based on a report by Herman Groeneveld, aka Sh4d0wman.
This commit is contained in:
Daiyuu Nobori 2018-04-22 18:21:19 +09:00
parent b1f74268b1
commit 241813e827
13 changed files with 72 additions and 0 deletions

View File

@ -154,7 +154,19 @@ static UINT64 probe_start = 0;
static UINT64 probe_last = 0; static UINT64 probe_last = 0;
static bool probe_enabled = false; static bool probe_enabled = false;
// The function which should be called once as soon as possible after the process is started
static bool init_proc_once_flag = false;
void InitProcessCallOnce()
{
if (init_proc_once_flag == false)
{
init_proc_once_flag = true;
#ifdef OS_WIN32
MsInitProcessCallOnce();
#endif // OS_WIN32
}
}
// Calculate the checksum // Calculate the checksum
USHORT CalcChecksum16(void *buf, UINT size) USHORT CalcChecksum16(void *buf, UINT size)
@ -490,6 +502,8 @@ void InitMayaqua(bool memcheck, bool debug, int argc, char **argv)
return; return;
} }
InitProcessCallOnce();
g_memcheck = memcheck; g_memcheck = memcheck;
g_debug = debug; g_debug = debug;
cmdline = NULL; cmdline = NULL;

View File

@ -133,6 +133,8 @@
#endif // VPN_SPEED #endif // VPN_SPEED
void InitProcessCallOnce();
#ifdef VPN_EXE #ifdef VPN_EXE
// To build the executable file // To build the executable file
#ifdef WIN32 #ifdef WIN32
@ -142,6 +144,7 @@ int main(int argc, char *argv[]);
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow) int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
{ {
char *argv[] = { CmdLine, }; char *argv[] = { CmdLine, };
InitProcessCallOnce();
return main(1, argv); return main(1, argv);
} }
#endif // WIN32 #endif // WIN32

View File

@ -273,6 +273,43 @@ typedef struct MS_MSCHAPV2_PARAMS
UCHAR ResponseBuffer[MAX_SIZE]; UCHAR ResponseBuffer[MAX_SIZE];
} MS_MSCHAPV2_PARAMS; } MS_MSCHAPV2_PARAMS;
// The function which should be called once as soon as possible after the process is started
void MsInitProcessCallOnce()
{
// Mitigate the DLL injection attack
char system_dir[MAX_PATH];
char kernel32_path[MAX_PATH];
UINT len;
HINSTANCE hKernel32;
// Get the full path of kernel32.dll
memset(system_dir, 0, sizeof(system_dir));
GetSystemDirectory(system_dir, sizeof(system_dir));
len = lstrlenA(system_dir);
if (system_dir[len] == '\\')
{
system_dir[len] = 0;
}
wsprintfA(kernel32_path, "%s\\kernel32.dll", system_dir);
// Load kernel32.dll
hKernel32 = LoadLibraryA(kernel32_path);
if (hKernel32 != NULL)
{
BOOL (WINAPI *_SetDllDirectoryA)(LPCTSTR);
_SetDllDirectoryA = (BOOL (WINAPI *)(LPCTSTR))
GetProcAddress(hKernel32, "SetDllDirectoryA");
if (_SetDllDirectoryA != NULL)
{
_SetDllDirectoryA("");
}
FreeLibrary(hKernel32);
}
}
// Collect the information of the VPN software // Collect the information of the VPN software
bool MsCollectVpnInfo(BUF *bat, char *tmpdir, char *svc_name, wchar_t *config_name, wchar_t *logdir_name) bool MsCollectVpnInfo(BUF *bat, char *tmpdir, char *svc_name, wchar_t *config_name, wchar_t *logdir_name)
{ {

View File

@ -1160,6 +1160,7 @@ void MsTest();
bool MsSaveSystemInfo(wchar_t *dst_filename); bool MsSaveSystemInfo(wchar_t *dst_filename);
bool MsCollectVpnInfo(BUF *bat, char *tmpdir, char *svc_name, wchar_t *config_name, wchar_t *logdir_name); bool MsCollectVpnInfo(BUF *bat, char *tmpdir, char *svc_name, wchar_t *config_name, wchar_t *logdir_name);
void MsInitProcessCallOnce();
MS_SUSPEND_HANDLER *MsNewSuspendHandler(); MS_SUSPEND_HANDLER *MsNewSuspendHandler();
void MsFreeSuspendHandler(MS_SUSPEND_HANDLER *h); void MsFreeSuspendHandler(MS_SUSPEND_HANDLER *h);

View File

@ -155,6 +155,8 @@ void StopProcess()
// WinMain function // WinMain function
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
InitProcessCallOnce();
VgUseStaticLink(); VgUseStaticLink();
#ifdef OS_WIN32 #ifdef OS_WIN32

View File

@ -143,6 +143,8 @@ void StopProcess()
// WinMain function // WinMain function
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
InitProcessCallOnce();
#ifdef OS_WIN32 #ifdef OS_WIN32
return MsService(GC_SVC_NAME_VPNCLIENT, StartProcess, StopProcess, ICO_MACHINE, argv[0]); return MsService(GC_SVC_NAME_VPNCLIENT, StartProcess, StopProcess, ICO_MACHINE, argv[0]);

View File

@ -137,6 +137,8 @@ int main(int argc, char *argv[])
wchar_t *s; wchar_t *s;
UINT ret = 0; UINT ret = 0;
InitProcessCallOnce();
#ifdef OS_WIN32 #ifdef OS_WIN32
SetConsoleTitleA(CEDAR_PRODUCT_STR " VPN Command Line Utility"); SetConsoleTitleA(CEDAR_PRODUCT_STR " VPN Command Line Utility");
#endif // OS_WIN32 #endif // OS_WIN32

View File

@ -134,6 +134,8 @@
// WinMain function // WinMain function
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow) int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
{ {
InitProcessCallOnce();
InitMayaqua(false, false, 0, NULL); InitMayaqua(false, false, 0, NULL);
InitCedar(); InitCedar();

View File

@ -353,6 +353,8 @@ void MainFunction(char *cmd)
// winmain function // winmain function
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow) int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
{ {
InitProcessCallOnce();
InitMayaqua(false, false, 0, NULL); InitMayaqua(false, false, 0, NULL);
EnableProbe(false); EnableProbe(false);
InitCedar(); InitCedar();

View File

@ -1634,6 +1634,7 @@ void ViFreeStringTables()
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow) int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
{ {
INSTANCE *instance; INSTANCE *instance;
InitProcessCallOnce();
is_debug = false; is_debug = false;
MayaquaMinimalMode(); MayaquaMinimalMode();
InitMayaqua(false, is_debug, 0, NULL); InitMayaqua(false, is_debug, 0, NULL);

View File

@ -155,6 +155,8 @@ void StopProcess()
// WinMain function // WinMain function
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
InitProcessCallOnce();
VgUseStaticLink(); VgUseStaticLink();
#ifdef OS_WIN32 #ifdef OS_WIN32

View File

@ -134,6 +134,8 @@ int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
{ {
UINT ret; UINT ret;
InitProcessCallOnce();
VgUseStaticLink(); VgUseStaticLink();
ret = SWExec(); ret = SWExec();

View File

@ -132,6 +132,8 @@
// WinMain function // WinMain function
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow) int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
{ {
InitProcessCallOnce();
InitMayaqua(false, false, 0, NULL); InitMayaqua(false, false, 0, NULL);
InitCedar(); InitCedar();
SMExec(); SMExec();