[tor-bugs] #1954 [Tor Client]: LoadLibrary used without restrictions for search path
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Sep 21 00:41:23 UTC 2010
#1954: LoadLibrary used without restrictions for search path
------------------------+---------------------------------------------------
 Reporter:  Sebastian   |  Owner:
     Type:  defect      |  Status:     new
 Priority:  major       |  Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client  |  Version:
 Keywords:              |  Parent:
------------------------+---------------------------------------------------
Comment(by mikeperry):
Yes, this is bad, but the reality is this is Windows. There are tons of
ways an attacker can inject code into processes easily, especially if they
have write access to either the CWD or the directory of the exe. The
Windows exe loader is actually specifically written to make this easy. It
automatically loads any DLLs in the CWD and/or the exe's dir that match
the imports list of that exe. It also loads any DLLs listed in the
AppInitDlls registry key. Any user with the DEBUG privilege can also
inject DLLs into any other processes running as that user (I believe this
is most/all users). Any app with write privs to the exe's directory can
also edit its import table on disk to add new DLLs.

Most of this was done to make binary compatibility easier. But it is also
one of the things that makes Windows a nightmare wrt spyware and malware.
Windows *may* have also recently created a way to build executables that
want to disable some of these injection vectors, but I'm also not sure on
that. And I bet some vectors (such as the DEBUG one) will still remain
open.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1954#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
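The ticket is about LoadLibrary calls whose search path includes the CWD and the exe directory. As an added example, not code from Tor or from the ticket, here is what a restricted load looks like with the documented Win32 controls: SetDllDirectory("") removes the current directory from the legacy search order, and LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 (0x800, available once KB2533623 is installed) confines dependency resolution to System32. The name check and path builder are kept platform-independent so they compile and can be tested anywhere; the function names, the sample DLL name and the sample System32 path are assumptions made for the example.

```c
/* Added example: load a DLL from System32 only, without the CWD or the exe
 * directory taking part in the search.  Not Tor's code. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Older SDK headers lack this flag (it arrived with KB2533623); define it
 * ourselves with its documented value so the code builds there too. */
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800
#endif

/* Accept only a bare file name such as "ws2_32.dll".  A path separator,
 * drive letter or ".." component would let the caller steer the load
 * outside the directory we intend to pin. */
bool dll_name_is_bare(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (strpbrk(name, "\\/:") != NULL)
        return false;
    if (strstr(name, "..") != NULL)
        return false;
    return true;
}

/* Build "<sysdir>\<name>" into out.  Returns false if the name is rejected
 * or the buffer is too small.  Platform-independent so it is unit-testable. */
bool build_system_dll_path(const char *sysdir, const char *name,
                           char *out, size_t outlen)
{
    if (sysdir == NULL || !dll_name_is_bare(name))
        return false;
    int n = snprintf(out, outlen, "%s\\%s", sysdir, name);
    return n > 0 && (size_t)n < outlen;
}

#ifdef _WIN32
/* Load a system DLL by its bare name.  Returns NULL (GetLastError() set by
 * the failing API) if the name is rejected or the load fails. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH];
    char full[MAX_PATH];

    if (!dll_name_is_bare(name))
        return NULL;
    /* Drop the current directory from the default search order for the
     * whole process; every later LoadLibrary call is affected. */
    SetDllDirectoryA("");
    if (GetSystemDirectoryA(sysdir, sizeof sysdir) == 0)
        return NULL;
    if (!build_system_dll_path(sysdir, name, full, sizeof full))
        return NULL;
    /* The full path pins the DLL itself; the flag confines resolution of
     * its own dependencies to System32, so neither the CWD nor the
     * application directory is consulted for them. */
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void)
{
    /* Constructed sample values; on Windows the real directory comes from
     * GetSystemDirectory inside load_system_dll(). */
    char full[260];
    if (build_system_dll_path("C:\\Windows\\System32", "ws2_32.dll",
                              full, sizeof full))
        printf("would load %s\n", full);
    if (!dll_name_is_bare("..\\evil.dll"))
        printf("rejected a relative name\n");
#ifdef _WIN32
    HMODULE h = load_system_dll("ws2_32.dll");
    printf("load_system_dll: %s\n", h ? "ok" : "failed");
    if (h)
        FreeLibrary(h);
#endif
    return 0;
}
```

On pre-KB2533623 systems LoadLibraryEx rejects the flag with ERROR_INVALID_PARAMETER, so a fallback that uses the full path with flags 0 is still safer than a bare LoadLibrary("name.dll"), because a fully qualified path skips the search order for the named DLL itself.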