From ce9ef4702cddf9a2398f6fbb7702988b662b5565 Mon Sep 17 00:00:00 2001
From: Bob Arnson <bob@firegiant.com>
Date: Wed, 24 Jan 2024 17:38:55 -0500
Subject: Mitigate .local DLL redirection Windows bug.

---
 src/burn/stub/precomp.h |  1 +
 src/burn/stub/stub.cpp  | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)


diff --git a/src/burn/stub/precomp.h b/src/burn/stub/precomp.h
index bb7ded9c..46239a6c 100644
--- a/src/burn/stub/precomp.h
+++ b/src/burn/stub/precomp.h
@@ -9,6 +9,7 @@
 
 #include <dutil.h>
 #include <apputil.h>
+#include <dirutil.h>
 #include <strutil.h>
 #include <fileutil.h>
 #include <pathutil.h>
diff --git a/src/burn/stub/stub.cpp b/src/burn/stub/stub.cpp
index 339a54da..9c9dfeef 100644
--- a/src/burn/stub/stub.cpp
+++ b/src/burn/stub/stub.cpp
@@ -2,6 +2,10 @@
 
 #include "precomp.h"
 
+static const HRESULT E_SUSPECTED_TAMPERING = MAKE_HRESULT(SEVERITY_ERROR, 500/*FACILITY_WIX*/, 2001);
+
+static void AvoidLocalDllRedirection(LPCWSTR wzPath);
+
 
 int WINAPI wWinMain(
     __in HINSTANCE hInstance,
@@ -52,6 +56,8 @@ int WINAPI wWinMain(
         AppInitialize(rgsczSafelyLoadSystemDlls, countof(rgsczSafelyLoadSystemDlls));
     }
 
+    AvoidLocalDllRedirection(sczPath);
+
     // call run
     hr = EngineRun(hInstance, hEngineFile, lpCmdLine, nCmdShow, &dwExitCode);
     ExitOnFailure(hr, "Failed to run application.");
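Review bot: `AvoidLocalDllRedirection(sczPath);` runs only after the `AppInitialize(rgsczSafelyLoadSystemDlls, ...)` block, so any module loaded up to that point has already been resolved, and possibly redirected, before the .local check can stop the process. If sczPath is already populated earlier in wWinMain (its assignment is outside this hunk), calling the check ahead of AppInitialize would narrow that window. At minimum, a comment such as `// Must run before any further DLL loads; exits the process if <bundle>.exe.local exists.` would record the ordering requirement for the next maintainer. wWinMain starts and ends outside the hunk.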
@@ -63,3 +69,23 @@ LExit:
 
     return FAILED(hr) ? (int)hr : (int)dwExitCode;
 }
+
+static void AvoidLocalDllRedirection(LPCWSTR wzPath)
+{
+    LPWSTR sczLocalPath = NULL;
+    HMODULE hmodComCtl = NULL;
+
+    // Bail if there's a <bundle>.exe.local directory, as it's a feature of
+    // DLL redirection that has no real use for a bundle and is a hole for
+    // DLL hijacking attacks.
+
+    if (FAILED(StrAllocFormatted(&sczLocalPath, L"%ls.local", wzPath))
+        || DirExists(sczLocalPath, NULL)
+        || FileExistsEx(sczLocalPath, NULL)
+        || FAILED(LoadSystemLibrary(L"Comctl32.dll", &hmodComCtl)))
+    {
+        ::ExitProcess((UINT)E_SUSPECTED_TAMPERING);
+    }
+
+    ReleaseStr(sczLocalPath);
+}
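Review bot: The single `if` in AvoidLocalDllRedirection maps a failed StrAllocFormatted to `E_SUSPECTED_TAMPERING`, so an out-of-memory exit is indistinguishable from a real .local finding for whoever triages the exit code. Splitting the allocation check out keeps the fail-closed behaviour while reporting the real HRESULT. The Comctl32.dll load also has no comment: hmodComCtl is never used or freed, which looks deliberate, but that should be stated next to the call, e.g. `// Intentionally never freed: keeps the system Comctl32.dll loaded for the life of the process.`. DirExists and FileExistsEx presumably return FALSE when the attribute query itself fails, which would let the check pass, so that is worth confirming against dutil.

```cpp
    // … unchanged: locals and the .local rationale comment …

    HRESULT hr = StrAllocFormatted(&sczLocalPath, L"%ls.local", wzPath);
    if (FAILED(hr))
    {
        // Still fail closed, but report the allocation failure as itself.
        ::ExitProcess((UINT)hr);
    }

    if (DirExists(sczLocalPath, NULL)
        || FileExistsEx(sczLocalPath, NULL)
        || FAILED(LoadSystemLibrary(L"Comctl32.dll", &hmodComCtl)))
    {
        ::ExitProcess((UINT)E_SUSPECTED_TAMPERING);
    }

    // … unchanged: ReleaseStr(sczLocalPath) …
```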
-- 
cgit v1.2.3-55-g6feb