From 744a7426ddf2ea57262a6a5b919ade0b8e493380 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Mon, 9 May 2011 11:34:40 +0000 Subject: [PATCH] 2011-05-09 13:32 UTC+0200 Viktor Szakats (harbour.01 syenar.hu) * contrib/hbwin/hbwapi.h * contrib/hbwin/wapi_misc.c * hbwapi_FileNameAtSystemDir() made static + hbwapi_LoadLibrarySystem() public function added this is safe version of LoadLibrary() when loading Windows system dlls. it will avoid dll hijacking vulnerability. ! deleted HB_EXPORT from hbwapi_t*() functions, they are public to this lib due to UNICODE setting dependance ; TODO: make hbwapi_LoadLibrarySystem() effective also for WinCE, for now it will not add any system path under this platform. * contrib/hbwin/axcore.c * contrib/hbwin/mapi.c * contrib/hbwin/win_prn2.c * contrib/hbwin/win_prn3.c * contrib/hbwin/wapi_shellapi.c ! LoadLibrary() -> hbwapi_LoadLibrarySystem() thus fixing dll hijack vulnerability --- harbour/ChangeLog | 20 ++++++++++++++++++++ harbour/contrib/hbwin/axcore.c | 3 ++- harbour/contrib/hbwin/hbwapi.h | 10 ++++++---- harbour/contrib/hbwin/mapi.c | 4 ++-- harbour/contrib/hbwin/wapi_misc.c | 13 ++++++++++++- harbour/contrib/hbwin/wapi_shellapi.c | 2 +- harbour/contrib/hbwin/win_prn2.c | 2 +- harbour/contrib/hbwin/win_prn3.c | 2 +- 8 files changed, 45 insertions(+), 11 deletions(-) diff --git a/harbour/ChangeLog b/harbour/ChangeLog index 63d7b3f0bf..fe5578096b 100644 --- a/harbour/ChangeLog +++ b/harbour/ChangeLog 
@@ -16,6 +16,26 @@ The license applies to all entries newer than 2009-04-28. */ +2011-05-09 13:32 UTC+0200 Viktor Szakats (harbour.01 syenar.hu) + * contrib/hbwin/hbwapi.h + * contrib/hbwin/wapi_misc.c + * hbwapi_FileNameAtSystemDir() made static + + hbwapi_LoadLibrarySystem() public function added + this is safe version of LoadLibrary() when loading Windows + system dlls. it will avoid dll hijacking vulnerability. + ! deleted HB_EXPORT from hbwapi_t*() functions, they are + public to this lib due to UNICODE setting dependance + ; TODO: make hbwapi_LoadLibrarySystem() effective also for WinCE, + for now it will not add any system path under this platform. + + * contrib/hbwin/axcore.c + * contrib/hbwin/mapi.c + * contrib/hbwin/win_prn2.c + * contrib/hbwin/win_prn3.c + * contrib/hbwin/wapi_shellapi.c + ! LoadLibrary() -> hbwapi_LoadLibrarySystem() + thus fixing dll hijack vulnerability + 2011-05-09 13:13 UTC+0200 Viktor Szakats (harbour.01 syenar.hu) + contrib/hbwin/wapi_misc.c * contrib/hbwin/hbwin.hbp diff --git a/harbour/contrib/hbwin/axcore.c b/harbour/contrib/hbwin/axcore.c index 1ea8d3c3ba..0b4f23ef9e 100644 --- a/harbour/contrib/hbwin/axcore.c +++ b/harbour/contrib/hbwin/axcore.c @@ -50,6 +50,7 @@ * */ +#include "hbwapi.h" #include "hbwinole.h" #include @@ -105,7 +106,7 @@ HB_BOOL hb_oleAxInit( void ) { PHB_AX_WININIT pAtlAxWinInit; - s_hLib = LoadLibrary( TEXT( "atl.dll" ) ); + s_hLib = hbwapi_LoadLibrarySystem( TEXT( "atl.dll" ) ); if( ( unsigned long ) ( HB_PTRDIFF ) s_hLib <= 32 ) { s_hLib = NULL; diff --git a/harbour/contrib/hbwin/hbwapi.h b/harbour/contrib/hbwin/hbwapi.h index 0706f2eddd..727b659613 100644 --- a/harbour/contrib/hbwin/hbwapi.h +++ b/harbour/contrib/hbwin/hbwapi.h 
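Review bot: In hb_oleAxInit() in contrib/hbwin/axcore.c, the failure test right after the changed call, `( unsigned long ) ( HB_PTRDIFF ) s_hLib <= 32`, narrows the handle to `unsigned long`, which is 32 bits wide on 64-bit Windows, so a valid module handle whose low 32 bits are small would be treated as a load failure. Win32 LoadLibrary() reports failure with NULL (the `<= 32` convention comes from 16-bit Windows), so `if( ! s_hLib )` states the intent without the truncating cast. The `>= ( HINSTANCE ) 32` comparison in the WIN_MAPISENDMAIL hunk of mapi.c follows the same old convention and could become `!= NULL`, matching the plain `if( hLib )` tests in wapi_shellapi.c and win_prn2.c. hb_oleAxInit() continues outside the hunk.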
@@ -126,10 +126,12 @@ HB_EXTERN_BEGIN -extern HB_EXPORT TCHAR * hbwapi_tstrdup( const TCHAR * pszText ); -extern HB_EXPORT TCHAR * hbwapi_tstrncat( TCHAR * pDest, const TCHAR * pSource, HB_SIZE nLen ); -extern HB_EXPORT HB_SIZE hbwapi_tstrlen( const TCHAR * pText ); -extern HB_EXPORT TCHAR * hbwapi_FileNameAtSystemDir( const TCHAR * pFileName ); +/* Intentionally not used HB_EXPORT. These are UNICODE setting dependent functions, + meant to use only by the library itself. [vszakats] */ +extern TCHAR * hbwapi_tstrdup( const TCHAR * pszText ); +extern TCHAR * hbwapi_tstrncat( TCHAR * pDest, const TCHAR * pSource, HB_SIZE nLen ); +extern HB_SIZE hbwapi_tstrlen( const TCHAR * pText ); +extern HMODULE hbwapi_LoadLibrarySystem( LPCTSTR pFileName ); extern HB_EXPORT void hbwapi_SetLastError( DWORD dwLastError ); extern HB_EXPORT DWORD hbwapi_GetLastError( void ); diff --git a/harbour/contrib/hbwin/mapi.c b/harbour/contrib/hbwin/mapi.c index 0951cc5f36..df8eb5119b 100644 --- a/harbour/contrib/hbwin/mapi.c +++ b/harbour/contrib/hbwin/mapi.c @@ -59,7 +59,7 @@ # endif #endif -#include "hbwin.h" +#include "hbwapi.h" #if defined( HB_OS_WIN_CE ) # include "hbwince.h" #endif @@ -85,7 +85,7 @@ HB_FUNC( WIN_MAPISENDMAIL ) /* Set default return value */ hb_retnl( -1 ); - if( ( hMapiDll = LoadLibrary( TEXT( "mapi32.dll" ) ) ) >= ( HINSTANCE ) 32 ) + if( ( hMapiDll = hbwapi_LoadLibrarySystem( TEXT( "mapi32.dll" ) ) ) >= ( HINSTANCE ) 32 ) { LPMAPISENDMAIL MAPISendMail = ( LPMAPISENDMAIL ) GetProcAddress( hMapiDll, "MAPISendMail" ); diff --git a/harbour/contrib/hbwin/wapi_misc.c b/harbour/contrib/hbwin/wapi_misc.c index 4c281aa669..afafe0759a 100644 --- a/harbour/contrib/hbwin/wapi_misc.c +++ b/harbour/contrib/hbwin/wapi_misc.c 
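Review bot: The new prototype `hbwapi_LoadLibrarySystem( LPCTSTR pFileName )` in contrib/hbwin/hbwapi.h has no statement of its contract, and the comment added above the group only explains why HB_EXPORT was dropped. Because the function exists to pin system DLL loads to the system directory, the header should say that pFileName must be the bare file name of a Windows system DLL with no directory components, and that no system path is added on WinCE (the TODO in the commit message). A comment such as `/* Loads a Windows system DLL by bare file name from the system directory; pFileName must not contain a path. On WinCE no system path is added. */` above the prototype would cover it. The same hunk also removes the previously exported hbwapi_FileNameAtSystemDir() declaration, which is worth a line in the comment for anyone who linked against it.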
@@ -101,7 +101,7 @@ HB_SIZE hbwapi_tstrlen( const TCHAR * pText ) return nLen; } -TCHAR * hbwapi_FileNameAtSystemDir( const TCHAR * pFileName ) +static TCHAR * hbwapi_FileNameAtSystemDir( const TCHAR * pFileName ) { #if defined( HB_OS_WIN_CE ) return hbwapi_tstrdup( pFileName ); @@ -131,3 +131,14 @@ TCHAR * hbwapi_FileNameAtSystemDir( const TCHAR * pFileName ) return hbwapi_tstrdup( pFileName ); #endif } + +HMODULE hbwapi_LoadLibrarySystem( LPCTSTR pFileName ) +{ + TCHAR * pLibPath = hbwapi_FileNameAtSystemDir( pFileName ); + + HMODULE h = LoadLibrary( pLibPath ); + + hb_xfree( pLibPath ); + + return h; +} diff --git a/harbour/contrib/hbwin/wapi_shellapi.c b/harbour/contrib/hbwin/wapi_shellapi.c index 6147e0f63d..080696f56f 100644 --- a/harbour/contrib/hbwin/wapi_shellapi.c +++ b/harbour/contrib/hbwin/wapi_shellapi.c @@ -85,7 +85,7 @@ HB_FUNC( WAPI_ISUSERANADMIN ) { BOOL bResult = FALSE; - HMODULE hLib = LoadLibrary( TEXT( "shell32.dll" ) ); + HMODULE hLib = hbwapi_LoadLibrarySystem( TEXT( "shell32.dll" ) ); if( hLib ) { diff --git a/harbour/contrib/hbwin/win_prn2.c b/harbour/contrib/hbwin/win_prn2.c index 7455d59c61..fdd8a06fb9 100644 --- a/harbour/contrib/hbwin/win_prn2.c +++ b/harbour/contrib/hbwin/win_prn2.c @@ -132,7 +132,7 @@ static void hb_GetDefaultPrinter( PHB_ITEM pPrinterName ) { typedef BOOL( WINAPI * DEFPRINTER ) ( LPTSTR, LPDWORD ); DEFPRINTER fnGetDefaultPrinter; - HMODULE hWinSpool = LoadLibrary( TEXT( "winspool.drv" ) ); + HMODULE hWinSpool = hbwapi_LoadLibrarySystem( TEXT( "winspool.drv" ) ); if( hWinSpool ) { diff --git a/harbour/contrib/hbwin/win_prn3.c b/harbour/contrib/hbwin/win_prn3.c index f3448b9fb1..52f8b37722 100644 --- a/harbour/contrib/hbwin/win_prn3.c +++ b/harbour/contrib/hbwin/win_prn3.c 
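Review bot: hbwapi_LoadLibrarySystem() in contrib/hbwin/wapi_misc.c passes whatever hbwapi_FileNameAtSystemDir() returns straight to LoadLibrary(), and the helper's last visible statement before `#endif` is `return hbwapi_tstrdup( pFileName );`, which looks like a fallback to the bare file name. If that branch is reached when the system directory cannot be obtained (most of the helper's body is outside these hunks, so this is inferred), the load silently returns to the default DLL search order that this commit is meant to avoid; the WinCE branch does the same by design. Failing closed would be safer: have the helper return NULL when it cannot build a full path and add `if( ! pLibPath ) return NULL;` before the LoadLibrary() call. A short comment on the function should also state that a full path pins only the named DLL, and that the search for the DLLs it imports in turn is not changed by it.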
@@ -125,7 +125,7 @@ static HB_BOOL hb_SetDefaultPrinter( LPCTSTR lpPrinterName ) typedef BOOL ( WINAPI * DEFPRINTER )( LPCTSTR ); /* stops warnings */ DEFPRINTER fnSetDefaultPrinter; - hWinSpool = LoadLibrary( TEXT( "winspool.drv" ) ); + hWinSpool = hbwapi_LoadLibrarySystem( TEXT( "winspool.drv" ) ); if( ! hWinSpool ) return HB_FALSE; fnSetDefaultPrinter = ( DEFPRINTER ) GetProcAddress( hWinSpool,