Windows DLL hijacking
Project curl Security Advisory, May 30th 2016 - Permalink
libcurl would load Windows system DLLs in a manner that may make it vulnerable to a DLL hijacking (aka binary planting) attack in certain configurations.
libcurl has a unified code base that builds and runs on a multitude of different versions of Windows. To make that possible, when libcurl is built with SSPI or telnet is used, it dynamically loads some of the necessary system DLLs at run-time by calling
LoadLibrary(). No path is specified for these DLLs.
To find a DLL when no path is specified
LoadLibrary() follows DLL search order to load it. If it is a "known DLL" no searching is done, the system copy is used. If it is not a "known DLL": The application directory is searched first. The current directory is searched next, if DLL safe search mode isn't enabled. The system directory is searched next.
The 3 system DLLs libcurl loads dynamically are
ws2_32.dll (a "known DLL" when installed). These DLLs may not be present on some versions of Windows, which is why they are loaded dynamically. Depending on a number of factors outlined in the DLL search order document it may be possible for an attacker to plant a DLL of the same name in the user's current directory, application directory or other directory in the DLL search order, thereby possibly causing it to be loaded first.
Recent versions of Windows include all 3 of those dynamically loaded system DLLs and also enable safe DLL search mode by default. Therefore in such a case
ws2_32.dll could not be planted, and
secur32.dll could only be planted in the application directory.
To address this issue we have changed libcurl so that any system DLL it dynamically loads in Windows is done in the most secure way available.
Note if an attacker has the ability to write new files to your application directory they can likely still plant DLLs to be loaded in any case, load-time or run-time. This is by design in Windows DLL loading (refer the the DLL search order doc). For example it may be possible to override DLL search paths by planting an app.exe.local file or possibly a fake manifest. There is nothing we can do to prevent against this. We advise you to guard write permissions on your application directory.
Also note it is may still be possible for planting attacks to be done against load-time DLLs used by libcurl and the curl tool. This is because Windows loads those DLLs and their dependencies without specifying a path. There is nothing we can do to fix this, it is endemic in the design of Windows. We advise you to guard write permissions on your application directory.
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-4802 to this issue.
CWE-94: Improper Control of Generation of Code ('Code Injection')
This flaw is relevant for all versions of curl and libcurl on Windows that support SSPI or Telnet.
- Affected versions: libcurl 7.11.1 to and including 7.49.0
- Not affected versions: libcurl < 7.11.1 and libcurl >= 7.49.1
libcurl is used by many applications, but not always advertised as such!
In version 7.49.1, libcurl loads DLLs from the Windows system directory, either via
LOAD_LIBRARY_SEARCH_SYSTEM32, where supported, or by explicitly finding the system directory.
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 7.49.1
B - Apply the patch to your version and rebuild
C - Build your libcurl without SSPI and Telnet support enabled
Additionally in any case you should secure write permissions to your application directory and if you are using the curl tool exercise judicious use of
--remote-header-name (also usable as
-J option when combined with
-O lets the server choose the file name. A rogue server could send you the name of a DLL or other file that could be used in a planting attack.
It was first reported to the curl project on May 7 2016. We contacted MITRE on May 13.
libcurl 7.49.1 was released on May 30 2016, coordinated with the publication of this advisory.
- Reported-by: Guohui from Huawei WeiRan Labs
- Patched-by: Steve Holme
- Help-by: Stefan Kanthak, Jay Satiro
Thanks a lot!