
Re: Tortoise SVN latest vulnerable to Windows DLL hijacking

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Mon, 30 Aug 2010 22:58:01 +0200

On 30.08.2010 18:43, Nikhil Mittal wrote:
> Hi There,
> TortoiseSVN 1.6.10, Build 19898 (latest available on tigris.org) is
> vulnerable to Windows DLL Hijacking vulnerability.
> http://www.microsoft.com/technet/security/advisory/2269637.mspx
> I am able to gain a command shell with current user privileges using
> metasploit. This is to notify you please. Request your consent to make
> it public.

Now before people start panicking, here's a little information:
* yes, TortoiseProc and TortoiseMerge are vulnerable.
* no, it's not urgent. Because neither of those apps is assigned
   to a specific file type. So double-clicking on a file to open it
   with either of those apps is not possible unless you specifically
   assign a file type to open with TortoiseProc or TortoiseMerge.
   But since opening any file type with either of those apps
   is pretty useless because it doesn't do anything, the attack vector
   requires user interaction beforehand.
* no, we can't fix it. Here's why:
   We already load *all* our dlls with full paths, wherever we use
   the LoadLibrary() or LoadLibraryEx() APIs. But: the MFC library
   does not! When MFC gets initialized (and that's initialized before
   any code of ours is executed, so calling SetDllDirectory(L"") doesn't
   help) it tries to load the dwmapi.dll - and on XP and Win2k that
   dll doesn't exist. Which then leads to the problem.
   Basically, all applications that use the MFC are affected. So I'm
   sure that MS will soon provide an update.
   Only Win2k and XP are affected. If you're using Vista or Win7,
   you're safe (with TSVN at least).
* We also use LoadLibrary("dwmapi.dll") in the nightly builds from
   trunk, but there we already call SetDllDirectory(L"") when we
   start the app. But that still leaves the same problem with MFC doing
   it the wrong way.

To sum up: you're safe if you haven't assigned a file type to open with
TortoiseProc or TortoiseMerge.


P.S.: if someone's interested: the problem part in MFC is in the file
afxglobals.cpp (and if I'm not mistaken, some other places too). The line
        m_hinstDwmapiDLL = ::AfxCtxLoadLibrary(_T("dwmapi.dll"));
tries to load the dwmapi.dll which doesn't exist on XP.
That's true for the MFC9 (comes with VS2008) and MFC10 (VS2010).

   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
Received on 2010-08-30 22:58:45 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
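
The load sequence described in the mail, modelled in Python as an added example (not part of the original post, and not TortoiseSVN or MFC code): the Windows search order for a DLL requested by bare name, and why a SetDllDirectory(L"") call made after MFC initialisation comes too late on XP. Directory names and file-system contents are constructed samples, and the MFC load is assumed to behave like a plain by-name LoadLibrary.

```python
# Added illustration: a model of the Windows DLL search order, not real loader code.
# All directory names and file-system contents below are constructed samples.
SYSTEM_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS\system", r"C:\WINDOWS"]

def search_order(app_dir, cwd, path_dirs, safe_mode=True, dll_directory=None):
    """Directories searched for a DLL that is requested without a path.

    dll_directory mirrors SetDllDirectory: None = never called (default order),
    "" = current directory removed, any other string = that directory takes
    the current directory's place right after the application directory.
    """
    if dll_directory is None:
        if safe_mode:  # SafeDllSearchMode enabled: cwd comes after the system dirs
            return [app_dir] + SYSTEM_DIRS + [cwd] + path_dirs
        return [app_dir, cwd] + SYSTEM_DIRS + path_dirs
    extra = [dll_directory] if dll_directory else []
    return [app_dir] + extra + SYSTEM_DIRS + path_dirs

def resolve(dll, files, order):
    """Return the first directory in `order` that holds `dll`, or None."""
    for directory in order:
        if dll.lower() in files.get(directory, set()):
            return directory
    return None

def startup(files, app_dir, cwd, path_dirs):
    """Replay the startup sequence from the mail.

    1. MFC initialisation asks for dwmapi.dll by bare name (default order).
    2. Only then does application code run and call SetDllDirectory(L"").
    3. The application asks for dwmapi.dll again.
    Returns (directory MFC loaded from, directory the application loaded from).
    """
    mfc = resolve("dwmapi.dll", files, search_order(app_dir, cwd, path_dirs))
    app = resolve("dwmapi.dll", files,
                  search_order(app_dir, cwd, path_dirs, dll_directory=""))
    return mfc, app

APP = r"C:\Program Files\TortoiseSVN\bin"   # constructed install path
CWD = r"\\fileserver\share\docs"            # constructed: directory of the opened file
PATH = [r"C:\tools"]
# XP/Win2k: no dwmapi.dll in the system directory; Vista/Win7: it exists there.
XP = {APP: {"tortoiseproc.exe"}, SYSTEM_DIRS[0]: {"kernel32.dll"}, CWD: {"dwmapi.dll"}}
VISTA = {**XP, SYSTEM_DIRS[0]: {"kernel32.dll", "dwmapi.dll"}}

if __name__ == "__main__":
    print("XP    :", startup(XP, APP, CWD, PATH))
    print("Vista :", startup(VISTA, APP, CWD, PATH))
```

On the XP model the MFC load falls through to the current directory while the later application load finds nothing; on the Vista model both resolve to the system directory.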
