Old 14th March 2017, 11:28   #1
masat
Junior Member
 
Join Date: Mar 2017
Posts: 7
DLL hijacking vulnerability

I inspected the DLL hijacking vulnerability for my app's installer.

Procedure:
1. Placed DLL files into the directory in which the installer was placed.
2. Executed the installer.

Then I found the DLL files below loaded from the directory in which the installer was placed.

IMJP10K.DLL
apphelp.dll
GIMEJa.ime (if Google Japanese IME is used)

Environment:
NSIS version : 3.01
OS : Windows Vista Ultimate SP2 32bit
System language : Japanese

Is it an NSIS problem or a Windows problem?
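The procedure in this post (plant DLLs beside the installer, run it, see which ones get loaded from that directory) is normally checked with a Process Monitor capture, which is what the later posts in this thread exchange. The following is an added example, not code from the original post or from the NSIS project: a small Python triage script over a Process Monitor CSV export that separates libraries that were actually mapped from the installer's directory from names the loader merely probed there. The sample rows, the process name setup.exe and the directory C:\Users\masat\Downloads are constructed for illustration and are not the attachments from this thread.

```python
"""Triage a Process Monitor CSV export for DLL-hijacking candidates.

Process Monitor (Sysinternals) exports CSV with the header row
"Time of Day","Process Name","PID","Operation","Path","Result","Detail".
Two event patterns matter for hijacking:
  * "Load Image" / SUCCESS for a library under the installer's directory:
    a file planted there was actually mapped into the process.
  * "CreateFile" / NAME NOT FOUND for a library under that directory:
    the loader probed the installer's directory before System32, so a
    planted file with that name would be picked up (missing-DLL hijack).
"""
import csv
import io
import ntpath  # Windows path semantics even when run on a non-Windows host

# Extensions the Windows loader maps as images (an IME is a DLL with a .ime name).
LOADABLE_EXT = {".dll", ".ime", ".ocx", ".drv", ".cpl"}

# Constructed sample in ProcMon's CSV layout. The thread's real logs were posted
# as attachments, not as text, so these rows are illustrative only.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:28:01.0001","setup.exe","1234","Load Image","C:\\Users\\masat\\Downloads\\setup.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x7c000"
"11:28:01.0002","setup.exe","1234","Load Image","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Image Base: 0x77a00000, Image Size: 0x13c000"
"11:28:01.0010","setup.exe","1234","CreateFile","C:\\Users\\masat\\Downloads\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:28:01.0011","setup.exe","1234","Load Image","C:\\Windows\\System32\\version.dll","SUCCESS","Image Base: 0x75d00000, Image Size: 0x9000"
"11:28:01.0020","setup.exe","1234","CreateFile","C:\\Users\\masat\\Downloads\\apphelp.dll","SUCCESS","Desired Access: Read Data/List Directory"
"11:28:01.0021","setup.exe","1234","Load Image","C:\\Users\\masat\\Downloads\\apphelp.dll","SUCCESS","Image Base: 0x10000000, Image Size: 0x5a000"
"11:28:01.0030","setup.exe","1234","Load Image","C:\\Users\\masat\\Downloads\\GIMEJa.ime","SUCCESS","Image Base: 0x10100000, Image Size: 0x2e000"
"11:28:01.0040","explorer.exe","800","Load Image","C:\\Users\\masat\\Downloads\\version.dll","SUCCESS","Image Base: 0x75d00000, Image Size: 0x9000"
'''


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def _in_dir(path, app_dir):
    """True if path is a direct child of app_dir, i.e. the loader's
    'application directory' search step; subdirectories do not count."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(app_dir.rstrip("\\/"))


def find_hijack_candidates(rows, process_name, app_dir):
    """Return {'loaded': [...], 'probed_only': [...]} for one process.

    'loaded'      - libraries mapped from app_dir (confirmed hijack path).
    'probed_only' - names the loader looked for in app_dir but did not find;
                    planting a file with that name would get it loaded.
    """
    loaded, probed = {}, {}
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        name = ntpath.basename(path)
        if ntpath.splitext(name)[1].lower() not in LOADABLE_EXT or not _in_dir(path, app_dir):
            continue
        op, result = row["Operation"], row["Result"]
        if op == "Load Image" and result == "SUCCESS":
            loaded[name.lower()] = name
        elif op == "CreateFile" and result == "NAME NOT FOUND":
            probed[name.lower()] = name
    return {
        "loaded": sorted(loaded.values(), key=str.lower),
        "probed_only": sorted((n for k, n in probed.items() if k not in loaded), key=str.lower),
    }


def report(text, process_name, app_dir):
    """Human-readable summary of find_hijack_candidates() for a CSV export."""
    result = find_hijack_candidates(parse_procmon_csv(text), process_name, app_dir)
    lines = [f"Hijack triage for {process_name} in {app_dir}"]
    for name in result["loaded"]:
        lines.append(f"  LOADED from app dir : {name}")
    for name in result["probed_only"]:
        lines.append(f"  PROBED in app dir   : {name}  (a planted file would be loaded)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV, "setup.exe", r"C:\Users\masat\Downloads"))
```

Run it against a real export with File > Save > CSV in Process Monitor, filtered to the installer's process. A "Load Image" from the installer's directory is only a problem when that directory is writable by someone other than the user running the installer, which is the usual case for a Downloads folder; the "probed only" names are the ones an early SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) call removes, while modules pulled in by an IME or a security product's hook before the installer's own code runs show up as loaded regardless.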
Old 14th March 2017, 12:47   #2
Anders
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,481
The problem is in Windows. There is also a bug in Vista that makes it hard for us to properly work around the issue.

We try to preload apphelp from system32; if the IME loads it first then there is nothing we can do. We only call SetErrorMode and GetVersion before we start preloading DLLs to try to help Windows not act stupid.

IntOp $PostCount $PostCount + 1
Old 15th March 2017, 07:02   #3
masat
Junior Member
Anders,

Thank you for the reply.
I will ask MS about this problem.

I found GIMEJa.ime was loaded on Windows 7 (64-bit).
Is it also a Windows problem?
Old 15th March 2017, 12:40   #4
Anders
Moderator
Quote:
Originally Posted by masat View Post
Thank you for the reply.
I will ask MS about this problem.
Support for Vista ends this April, MS is not going to do anything about this issue.
Quote:
Originally Posted by masat View Post
I found GIMEJa.ime was loaded on Windows 7 (64-bit).
Is it also a Windows problem?
Yes. On Windows 7 and later we call SetDefaultDllDirectories if it is available to restrict loading to system32 only, but it is possible that the IME does something before we start executing our code.

Old 22nd March 2017, 09:59   #5
masat
Junior Member
I found version.dll was loaded on Windows 7 (64-bit) and Windows 10 (64-bit).

This DLL was handled by "Patch: 3_do_not_link_version_dll.patch", but is there any problem with it?
https://sourceforge.net/p/nsis/bugs/1125/
Old 22nd March 2017, 12:40   #6
Anders
Moderator
Asking if there is a problem is not helpful without more information. Attaching a Process Monitor log might help.

SetDefaultDllDirectories is always called on Windows 10 and it is called on Windows 7 if it is available.

Old 24th March 2017, 10:30   #7
masat
Junior Member
I have uploaded the Process Monitor log.
version.dll was loaded in the highlighted row.

If you want to know any other information, please let me know.
Attached Files
File Type: zip ProcessMonitorLog.zip (583.8 KB, 21 views)
Old 24th March 2017, 20:36   #8
Anders
Moderator
I don't have Office. I actually wanted a Process Monitor .pml log file, sorry for not making that clear.

Old 30th March 2017, 14:49   #9
masat
Junior Member
Anders,

Here are the PML log files.
Attached Files
File Type: zip Windows7_Logfile.zip (895.5 KB, 17 views)
File Type: 7z Windows10_Logfile.PML.7z (1.29 MB, 14 views)
Old 30th March 2017, 17:36   #10
Anders
Moderator
Thanks, these pml logs are interesting.

Trend Micro is hooking into the process; disable it (maybe just the UMH component/feature) and try again. You could also inspect those two Trend Micro .dlls with Dependency Walker (dependencywalker.com) and see if they import version.dll.

Old 3rd April 2017, 09:11   #11
masat
Junior Member
Thank you for the investigation.

I uninstalled Trend Micro VirusBuster, and then version.dll was not loaded.
I also asked MS about this problem. They said the problem is in Trend Micro and that it is resolved in the latest Win10 (ver. 1607). However, version.dll was loaded when VirusBuster was enabled in Win10 (ver. 1607).

Anyway, it has become clear that the problem is not in NSIS or my app.
Thank you.
Old 4th April 2017, 03:37   #12
Anders
Moderator
Did you ask on the Microsoft forum or a direct contact?

Old 17th April 2017, 03:21   #13
masat
Junior Member
I asked a direct contact.
Winamp & SHOUTcast Forums > Developer Center > NSIS Discussion