On 30.08.2010 18:43, Nikhil Mittal wrote:
> Hi There,
> TortoiseSVN 1.6.10, Build 19898 ( latest available on tigris.org) is
> vulnerable to Windows DLL Hijacking vulnerability.
> I am able to gain a command shell with current user privileges using
> metasploit. This is to notify you please. Request your consent to make
> it public.
Now before people start panicking, here's a little information:
* yes, TortoiseProc and TortoiseMerge are vulnerable.
* no, it's not urgent. Because neither of those apps is assigned
to a specific file type. So double-clicking on a file to open it
with either of those apps is not possible unless you specifically
assign a file type to open with TortoiseProc or TortoiseMerge.
But since opening any file type with either of those apps
is pretty useless because it doesn't do anything, the attack vector
requires user interaction beforehand.
* no, we can't fix it. Here's why:
We already load *all* our dlls with full paths, wherever we use
the LoadLibrary() or LoadLibraryEx() APIs. But: the MFC library
does not! When MFC gets initialized (and that's initialized before
any code of ours is executed, so calling SetDllDirectory(L"") doesn't
help) it tries to load the dwmapi.dll - and on XP and Win2k that
dll doesn't exist. Which then leads to the problem.
Basically, all applications that use the MFC are affected. So I'm
sure that MS will soon provide an update.
Only Win2k and XP are affected. If you're using Vista or Win7,
you're safe (with TSVN at least).
* We also use LoadLibrary("dwmapi.dll") in the nightly builds from
trunk, but there we already call SetDllDirectory(L"") when we
start the app. But that still leaves the same problem with MFC doing
it the wrong way.
To sum up: you're safe if you haven't assigned a file type to open with
TortoiseProc or TortoiseMerge.
P.S.: if someone's interested: the problem part in MFC is in the file
afxglobals.cpp (and if I'm not mistaken, some other places too). The line
m_hinstDwmapiDLL = ::AfxCtxLoadLibrary(_T("dwmapi.dll"));
tries to load the dwmapi.dll which doesn't exist on XP.
That's true for the MFC9 (comes with VS2008) and MFC10 (VS2010).
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
Received on 2010-08-30 22:58:45 CEST
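The two load patterns the message contrasts, written out as an added example (this is not TortoiseSVN or MFC code): a bare-name LoadLibrary("dwmapi.dll") goes through the DLL search order, which on XP/Win2k includes the current directory, so when dwmapi.dll is absent from the system directory a same-named file next to the opened document gets loaded instead. The hardened form resolves the system directory and loads by absolute path, so a missing DLL simply fails to load. The helper names (build_system_dll_path, load_system_dll, load_by_bare_name) are illustrative, and the path-building check is kept portable so it can be compiled and tested off Windows; as the message notes, SetDllDirectory(L"") only affects loads made after it is called, so it cannot reach a load done inside MFC's own initialisation.

```c
/* Added example (not TortoiseSVN or MFC code): loading a system DLL by full
 * path instead of by bare name, so a DLL that is missing from the system
 * directory (dwmapi.dll on XP/Win2k) cannot be satisfied from the current
 * directory. Helper names here are illustrative, not a real API. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#ifdef _WIN32
/* Vulnerable pattern, shown for contrast: a bare file name is resolved via
 * the DLL search order, which on XP-era defaults includes the current
 * directory. If the system copy is absent, a planted copy wins. */
static HMODULE load_by_bare_name(const char *name)
{
    return LoadLibraryA(name);   /* e.g. "dwmapi.dll" */
}
#endif

/* Join "<sysdir>\<name>" into out. Returns 0 on success, -1 if name is empty,
 * is not a bare file name (contains a path separator, a drive colon, or is
 * "." / ".."), or the output buffer is too small. Portable on purpose so the
 * check can be unit-tested anywhere. */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t outlen)
{
    size_t sl, nl;
    int need_sep;

    if (!sysdir || !name || !out || !*name || !*sysdir)
        return -1;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':'))
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;

    sl = strlen(sysdir);
    nl = strlen(name);
    /* GetSystemDirectory returns no trailing backslash; accept either form. */
    need_sep = (sysdir[sl - 1] != '\\');
    if (sl + (size_t)need_sep + nl + 1 > outlen)
        return -1;

    memcpy(out, sysdir, sl);
    if (need_sep)
        out[sl++] = '\\';
    memcpy(out + sl, name, nl + 1);   /* includes terminating NUL */
    return 0;
}

#ifdef _WIN32
/* Hardened pattern: resolve the system directory and load by absolute path.
 * When the DLL is absent (dwmapi.dll on XP) this returns NULL instead of
 * falling through to the search path. */
static HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], path[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir)
        return NULL;
    if (build_system_dll_path(sysdir, name, path, sizeof path) != 0)
        return NULL;
    return LoadLibraryA(path);
}
#endif

int main(void)
{
#ifdef _WIN32
    HMODULE h;
    /* Drop the current directory from the search order for any remaining
     * bare-name loads in this process. This does not undo loads that already
     * happened before main(), e.g. inside a library's static initialisation. */
    SetDllDirectoryA("");
    h = load_system_dll("dwmapi.dll");
    printf("dwmapi.dll: %s\n",
           h ? "loaded from the system directory"
             : "not available, and no fallback to the current directory");
    if (h)
        FreeLibrary(h);
#else
    /* Off Windows, just show the path that would be passed to LoadLibrary. */
    char path[260];
    if (build_system_dll_path("C:\\WINDOWS\\system32", "dwmapi.dll",
                              path, sizeof path) == 0)
        printf("would load %s\n", path);
#endif
    return 0;
}
```

On Windows the program prints whether dwmapi.dll was found in the system directory; on XP it is reported as unavailable rather than being picked up from the working directory. Note that load_by_bare_name is deliberately never called; it is there only to show the shape of the call that MFC's afxglobals.cpp makes.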