[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #1954 [Tor Client]: LoadLibrary used without restrictions for search path



#1954: LoadLibrary used without restrictions for search path
------------------------+---------------------------------------------------
 Reporter:  Sebastian   |       Owner:                    
     Type:  defect      |      Status:  new               
 Priority:  major       |   Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client  |     Version:                    
 Keywords:              |      Parent:                    
------------------------+---------------------------------------------------

Comment(by mikeperry):

 Yes, this is bad, but the reality is this is Windows. There are tons of
 ways an attacker can inject code into processes easily, especially if they
 have write access to either the CWD or the directory of the exe. The
 windows exe loader is actually specifically written to make this easy. It
 automatically loads any DLLs in the CWD and/or the exe's dir that match
 the imports list of that exe. It also loads any DLLs listed in the
 AppInitDlls registry key. Any user with the DEBUG privilege can also
 inject DLLs into any other processes running as that user (I believe this
 is most/all users). Any app with write privs to the exe's directory can
 also edit its import table on disk to add new dlls.

 Most of this was done to make binary compatibility easier. But it is also
 one of the things that makes windows a nightmare wrt spyware and malware.

 Windows *may* have also recently created a way to build executables that
 want to disable some of these injection vectors, but I'm also not sure on
 that. And I bet some vectors (such as the DEBUG one) will still remain
 open.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1954#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs