Re: [tor-bugs] #1954 [Tor Client]: LoadLibrary used without restrictions for search path
#1954: LoadLibrary used without restrictions for search path
------------------------+---------------------------------------------------
 Reporter:  Sebastian   |       Owner:
     Type:  defect      |      Status:  new
 Priority:  major       |   Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client  |     Version:
 Keywords:              |      Parent:
------------------------+---------------------------------------------------
Comment(by mikeperry):
Yes, this is bad, but the reality is this is Windows. There are tons of
ways an attacker can inject code into processes easily, especially if they
have write access to either the CWD or the directory of the exe. The
Windows exe loader is actually specifically written to make this easy. It
automatically loads any DLLs in the CWD and/or the exe's dir that match
the imports list of that exe. It also loads any DLLs listed in the
AppInitDlls registry key. Any user with the DEBUG privilege can also
inject DLLs into any other processes running as that user (I believe this
is most/all users). Any app with write privs to the exe's directory can
also edit its import table on disk to add new DLLs.

Most of this was done to make binary compatibility easier. But it is also
one of the things that makes Windows a nightmare wrt spyware and malware.

Windows *may* have also recently created a way to build executables that
want to disable some of these injection vectors, but I'm also not sure on
that. And I bet some vectors (such as the DEBUG one) will still remain
open.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1954#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
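
Added example, not part of the original message and not Tor's code: one way to restrict the search path for an explicit LoadLibrary call is to load system DLLs by absolute path. The function names and the sample DLL name in the usage comment are assumptions; this covers only run-time loads, not the import-table, AppInitDlls or DEBUG vectors the comment lists.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical helper: build "<sysdir>\<name>" for a bare DLL file name.
 * Returns 0 on success, -1 if the name carries any path component (which
 * could redirect the load) or the result does not fit in out. */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t outlen)
{
    int n;
    if (!sysdir || !name || !out || !*sysdir || !*name)
        return -1;
    /* Only a bare file name is accepted: no separators, no drive colon. */
    if (strpbrk(name, "\\/:") != NULL)
        return -1;
    n = snprintf(out, outlen, "%s\\%s", sysdir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* truncated: refuse rather than load */
    return 0;
}

#ifdef _WIN32
/* Hypothetical wrapper: load a system DLL by absolute path, so neither the
 * CWD nor the exe's directory is searched for it.
 * Usage (constructed sample name): load_system_library("iphlpapi.dll"). */
HMODULE load_system_library(const char *name)
{
    char sysdir[MAX_PATH], path[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof(sysdir));
    if (n == 0 || n >= sizeof(sysdir))
        return NULL;
    if (build_system_dll_path(sysdir, name, path, sizeof(path)) != 0)
        return NULL;
    /* With an absolute path, this flag makes the DLL's own dependencies
     * resolve from the DLL's directory before the application's. */
    return LoadLibraryExA(path, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
}
#endif
```
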