mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-11-22 17:39:53 +03:00
Preventing the Win32 API LoadLibrary() current directory DLL injection issue.
When loading the DLL file by the LoadLibrary() function in Windows VPN programs, we changed the behavior not to search the current directory. Based on this improvement, even if there are untrusted DLL files in the calendar directory, it is now safe to avoid the problem of unexpected security problem caused by the default loading behavior of Windows. Acknowledgments: This is based on a report by Herman Groeneveld, aka Sh4d0wman.
This commit is contained in:
parent
b1f74268b1
commit
241813e827
@ -154,7 +154,19 @@ static UINT64 probe_start = 0;
|
||||
static UINT64 probe_last = 0;
|
||||
static bool probe_enabled = false;
|
||||
|
||||
// The function which should be called once as soon as possible after the process is started
|
||||
static bool init_proc_once_flag = false;
|
||||
void InitProcessCallOnce()
|
||||
{
|
||||
if (init_proc_once_flag == false)
|
||||
{
|
||||
init_proc_once_flag = true;
|
||||
|
||||
#ifdef OS_WIN32
|
||||
MsInitProcessCallOnce();
|
||||
#endif // OS_WIN32
|
||||
}
|
||||
}
|
||||
|
||||
// Calculate the checksum
|
||||
USHORT CalcChecksum16(void *buf, UINT size)
|
||||
@ -490,6 +502,8 @@ void InitMayaqua(bool memcheck, bool debug, int argc, char **argv)
|
||||
return;
|
||||
}
|
||||
|
||||
InitProcessCallOnce();
|
||||
|
||||
g_memcheck = memcheck;
|
||||
g_debug = debug;
|
||||
cmdline = NULL;
|
||||
|
@ -133,6 +133,8 @@
|
||||
|
||||
#endif // VPN_SPEED
|
||||
|
||||
void InitProcessCallOnce();
|
||||
|
||||
#ifdef VPN_EXE
|
||||
// To build the executable file
|
||||
#ifdef WIN32
|
||||
@ -142,6 +144,7 @@ int main(int argc, char *argv[]);
|
||||
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
|
||||
{
|
||||
char *argv[] = { CmdLine, };
|
||||
InitProcessCallOnce();
|
||||
return main(1, argv);
|
||||
}
|
||||
#endif // WIN32
|
||||
|
@ -273,6 +273,43 @@ typedef struct MS_MSCHAPV2_PARAMS
|
||||
UCHAR ResponseBuffer[MAX_SIZE];
|
||||
} MS_MSCHAPV2_PARAMS;
|
||||
|
||||
// The function which should be called once as soon as possible after the process is started
|
||||
void MsInitProcessCallOnce()
|
||||
{
|
||||
// Mitigate the DLL injection attack
|
||||
char system_dir[MAX_PATH];
|
||||
char kernel32_path[MAX_PATH];
|
||||
UINT len;
|
||||
HINSTANCE hKernel32;
|
||||
|
||||
// Get the full path of kernel32.dll
|
||||
memset(system_dir, 0, sizeof(system_dir));
|
||||
GetSystemDirectory(system_dir, sizeof(system_dir));
|
||||
len = lstrlenA(system_dir);
|
||||
if (system_dir[len] == '\\')
|
||||
{
|
||||
system_dir[len] = 0;
|
||||
}
|
||||
wsprintfA(kernel32_path, "%s\\kernel32.dll", system_dir);
|
||||
|
||||
// Load kernel32.dll
|
||||
hKernel32 = LoadLibraryA(kernel32_path);
|
||||
if (hKernel32 != NULL)
|
||||
{
|
||||
BOOL (WINAPI *_SetDllDirectoryA)(LPCTSTR);
|
||||
|
||||
_SetDllDirectoryA = (BOOL (WINAPI *)(LPCTSTR))
|
||||
GetProcAddress(hKernel32, "SetDllDirectoryA");
|
||||
|
||||
if (_SetDllDirectoryA != NULL)
|
||||
{
|
||||
_SetDllDirectoryA("");
|
||||
}
|
||||
|
||||
FreeLibrary(hKernel32);
|
||||
}
|
||||
}
|
||||
|
||||
// Collect the information of the VPN software
|
||||
bool MsCollectVpnInfo(BUF *bat, char *tmpdir, char *svc_name, wchar_t *config_name, wchar_t *logdir_name)
|
||||
{
|
||||
|
@ -1160,6 +1160,7 @@ void MsTest();
|
||||
|
||||
bool MsSaveSystemInfo(wchar_t *dst_filename);
|
||||
bool MsCollectVpnInfo(BUF *bat, char *tmpdir, char *svc_name, wchar_t *config_name, wchar_t *logdir_name);
|
||||
void MsInitProcessCallOnce();
|
||||
|
||||
MS_SUSPEND_HANDLER *MsNewSuspendHandler();
|
||||
void MsFreeSuspendHandler(MS_SUSPEND_HANDLER *h);
|
||||
|
@ -155,6 +155,8 @@ void StopProcess()
|
||||
// WinMain function
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
InitProcessCallOnce();
|
||||
|
||||
VgUseStaticLink();
|
||||
|
||||
#ifdef OS_WIN32
|
||||
|
@ -143,6 +143,8 @@ void StopProcess()
|
||||
// WinMain function
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
InitProcessCallOnce();
|
||||
|
||||
#ifdef OS_WIN32
|
||||
|
||||
return MsService(GC_SVC_NAME_VPNCLIENT, StartProcess, StopProcess, ICO_MACHINE, argv[0]);
|
||||
|
@ -137,6 +137,8 @@ int main(int argc, char *argv[])
|
||||
wchar_t *s;
|
||||
UINT ret = 0;
|
||||
|
||||
InitProcessCallOnce();
|
||||
|
||||
#ifdef OS_WIN32
|
||||
SetConsoleTitleA(CEDAR_PRODUCT_STR " VPN Command Line Utility");
|
||||
#endif // OS_WIN32
|
||||
|
@ -134,6 +134,8 @@
|
||||
// WinMain function
|
||||
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
|
||||
{
|
||||
InitProcessCallOnce();
|
||||
|
||||
InitMayaqua(false, false, 0, NULL);
|
||||
InitCedar();
|
||||
|
||||
|
@ -353,6 +353,8 @@ void MainFunction(char *cmd)
|
||||
// winmain function
|
||||
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
|
||||
{
|
||||
InitProcessCallOnce();
|
||||
|
||||
InitMayaqua(false, false, 0, NULL);
|
||||
EnableProbe(false);
|
||||
InitCedar();
|
||||
|
@ -1634,6 +1634,7 @@ void ViFreeStringTables()
|
||||
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
|
||||
{
|
||||
INSTANCE *instance;
|
||||
InitProcessCallOnce();
|
||||
is_debug = false;
|
||||
MayaquaMinimalMode();
|
||||
InitMayaqua(false, is_debug, 0, NULL);
|
||||
|
@ -155,6 +155,8 @@ void StopProcess()
|
||||
// WinMain function
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
InitProcessCallOnce();
|
||||
|
||||
VgUseStaticLink();
|
||||
|
||||
#ifdef OS_WIN32
|
||||
|
@ -134,6 +134,8 @@ int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
|
||||
{
|
||||
UINT ret;
|
||||
|
||||
InitProcessCallOnce();
|
||||
|
||||
VgUseStaticLink();
|
||||
|
||||
ret = SWExec();
|
||||
|
@ -132,6 +132,8 @@
|
||||
// WinMain function
|
||||
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
|
||||
{
|
||||
InitProcessCallOnce();
|
||||
|
||||
InitMayaqua(false, false, 0, NULL);
|
||||
InitCedar();
|
||||
SMExec();
|
||||
|
Loading…
Reference in New Issue
Block a user