From ce9ef4702cddf9a2398f6fbb7702988b662b5565 Mon Sep 17 00:00:00 2001 From: Bob Arnson Date: Wed, 24 Jan 2024 17:38:55 -0500 Subject: Mitigate .local DLL redirection Windows bug. --- src/burn/stub/precomp.h | 1 + src/burn/stub/stub.cpp | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/src/burn/stub/precomp.h b/src/burn/stub/precomp.h index bb7ded9c..46239a6c 100644 --- a/src/burn/stub/precomp.h +++ b/src/burn/stub/precomp.h @@ -9,6 +9,7 @@ #include #include +#include #include #include #include diff --git a/src/burn/stub/stub.cpp b/src/burn/stub/stub.cpp index 339a54da..9c9dfeef 100644 --- a/src/burn/stub/stub.cpp +++ b/src/burn/stub/stub.cpp @@ -2,6 +2,10 @@ #include "precomp.h" +static const HRESULT E_SUSPECTED_TAMPERING = MAKE_HRESULT(SEVERITY_ERROR, 500/*FACILITY_WIX*/, 2001); + +static void AvoidLocalDllRedirection(LPCWSTR wzPath); + int WINAPI wWinMain( __in HINSTANCE hInstance, @@ -52,6 +56,8 @@ int WINAPI wWinMain( AppInitialize(rgsczSafelyLoadSystemDlls, countof(rgsczSafelyLoadSystemDlls)); } + AvoidLocalDllRedirection(sczPath); + // call run hr = EngineRun(hInstance, hEngineFile, lpCmdLine, nCmdShow, &dwExitCode); ExitOnFailure(hr, "Failed to run application."); @@ -63,3 +69,23 @@ LExit: return FAILED(hr) ? (int)hr : (int)dwExitCode; } + +static void AvoidLocalDllRedirection(LPCWSTR wzPath) +{ + LPWSTR sczLocalPath = NULL; + HMODULE hmodComCtl = NULL; + + // Bail if there's a .exe.local directory, as it's a feature of + // DLL redirection that has no real use for a bundle and is a hole for + // DLL hijacking attacks. + + if (FAILED(StrAllocFormatted(&sczLocalPath, L"%ls.local", wzPath)) + || DirExists(sczLocalPath, NULL) + || FileExistsEx(sczLocalPath, NULL) + || FAILED(LoadSystemLibrary(L"Comctl32.dll", &hmodComCtl))) + { + ::ExitProcess((UINT)E_SUSPECTED_TAMPERING); + } + + ReleaseStr(sczLocalPath); +} -- cgit v1.2.3-55-g6feb