DLL hijacking problem

Lee ler762@gmail.com
Sat Aug 28 13:36:00 GMT 2010


On 8/28/10, Corinna Vinschen wrote:
> On Aug 28 08:35, Lee wrote:
>> On 8/27/10, Corinna Vinschen wrote:
>> > Hi,
>> >
>> > This DLL hijacking problem goes from simmering to boiling pretty fast
>> > right now:
>> > http://www.microsoft.com/technet/security/advisory/2269637.mspx
>> > The exploit DB has filled rapidly in the last couple of days:
>> > http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=DLL+Hijacking&filter_author=&filter_platform=0&filter_type=0&filter_port=&filter_osvdb=&filter_cve=
>> >
>> > Given
>> > http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx
>> >
>> > I propose to change all calls to
>> >
>> >   LoadLibrary ("any-Win32-system.dll")
>> >
>> > to (basically)
>> >
>> >   GetSystemDirectory (path, MAX_PATH);
>> >   strcat (path, "\\any-Win32-system.dll");
>> >   LoadLibrary (path);
>> >
>> > Or does anybody think this is overreacting?
>>
>> Would cygwin1.dll still be loaded from the directory from which the
>> application loaded or would I have to put a copy of cygwin1.dll into
>> whatever GetSystemDirectory resolves to?
>
> Copying cygwin1.dll to the system directory was never correct, continues
> to be so, and has nothing to do with the actual DLL hijacking problem.

Sorry - I thought an example of the DLL hijacking problem was if I had
extension "foo" registered to be [processed? loaded?] by foo.exe and I
double-clicked on "datafile.foo" in Windows Explorer.

If foo.exe was built using cygwin, I have a c:\foo\foo.exe and
c:\foo\cygwin1.dll and I double-click on Z:\datafile.foo in Windows
Explorer ... my program still works after this patch is applied?

Thanks,
Lee
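
The proposal quoted above (load Win32 system DLLs by absolute path instead of by bare name) can be written with bounds checking as follows. This is an added example, not code from the thread or from Cygwin; the function names `build_system_dll_path` and `load_system_dll` and the sample directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Join the system directory and a bare DLL name into out.
   Returns 0 on success, -1 if dll is not a bare file name
   or the result does not fit in outlen bytes. */
int build_system_dll_path(const char *sysdir, const char *dll,
                          char *out, size_t outlen)
{
    size_t n;
    int r;
    if (!sysdir || !dll || !out || !*sysdir || !*dll)
        return -1;
    /* Reject separators and drive letters: the name must stay inside sysdir. */
    if (strpbrk(dll, "\\/:") != NULL)
        return -1;
    n = strlen(sysdir);
    /* GetSystemDirectory omits the trailing backslash unless the
       directory is a root such as "C:\". */
    r = snprintf(out, outlen, "%s%s%s", sysdir,
                 sysdir[n - 1] == '\\' ? "" : "\\", dll);
    if (r < 0 || (size_t)r >= outlen)
        return -1;                      /* truncated: do not load */
    return 0;
}

#ifdef _WIN32
/* Load a Win32 system DLL by absolute path, so that neither the current
   directory nor PATH is consulted to locate it. */
HMODULE load_system_dll(const char *dll)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT len = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (len == 0 || len >= sizeof sysdir)   /* failed or buffer too small */
        return NULL;
    if (build_system_dll_path(sysdir, dll, full, sizeof full) != 0)
        return NULL;
    return LoadLibraryA(full);
}
#endif

int main(void)
{
    char p[260];    /* constructed sample directory, not queried from the OS */
    if (build_system_dll_path("C:\\Windows\\System32", "advapi32.dll", p, sizeof p) == 0)
        puts(p);
    return 0;
}
```

The path-building step compiles on any platform; the `load_system_dll` wrapper is only built on Windows.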


