Squirrel / Squirrel.Windows

An installation and update framework for Windows desktop apps
MIT License

Windows Squirrel exe Installer having Vulnerability Issue with urlmon.dll is not found #1801

Open vyadav3 opened 2 years ago

vyadav3 commented 2 years ago

Hi,

We have a Windows application developed using WPF (.NET Framework 4.8) and we have reported the vulnerability issue with the installer of this application.

So the user downloads our installer (normally into the Downloads folder) and double-clicks to install it. It looks for urlmon.dll in the current directory, and if any attacker places a malicious DLL with the same name there, it will be loaded first. So we created a proxy DLL named urlmon.dll which opens Calculator.

We were using urlmon.dll like below. [image]

When we run the installer and check in Procmon, it shows that urlmon is not found.

[image]

I have tried many ways to make it look for urlmon in the system directory first, not in the installer folder, but no solution has worked so far. I have also asked the same thing on the Microsoft forums and they said it is an issue in Squirrel. Link: https://docs.microsoft.com/en-us/answers/questions/812196/windows-exe-installer-having-vulnerability-issue-w.html?childToView=812422#comment-812422

I am completely stuck now; any help will be appreciated.
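The Procmon check described in the report above can be scripted against a CSV export when verifying an installer build. The following Python is an added example, not part of the issue thread or Squirrel's code; the function name and the sample rows are constructed, and it assumes Procmon's default CSV export columns.

```python
import csv
import io
import ntpath

# Constructed sample rows in Procmon's default CSV export columns (not from the issue).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","Setup.exe","4242","Load Image","C:\Users\demo\Downloads\Setup.exe","SUCCESS",""
"10:01:02.200","Setup.exe","4242","CreateFile","C:\Users\demo\Downloads\urlmon.dll","NAME NOT FOUND",""
"10:01:02.210","Setup.exe","4242","Load Image","C:\Windows\System32\urlmon.dll","SUCCESS",""
"10:01:02.300","Setup.exe","4242","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:02.400","Setup.exe","4242","CreateFile","C:\Users\demo\Downloads\setup.log","NAME NOT FOUND",""
"10:01:03.000","explorer.exe","1200","CreateFile","C:\Users\demo\Downloads\foo.dll","NAME NOT FOUND",""
'''


def app_dir_dll_probes(csv_text, process_name):
    """Map DLL name -> "probed" or "loaded" for DLL lookups in the process's own folder."""
    # Procmon writes a UTF-8 BOM at the start of its CSV exports; drop it if present.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    rows = [r for r in reader if r["Process Name"].lower() == process_name.lower()]
    # Folder the executable was started from, taken from its own Load Image event.
    app_dirs = {ntpath.dirname(r["Path"]).lower() for r in rows
                if r["Operation"] == "Load Image"
                and ntpath.basename(r["Path"]).lower() == process_name.lower()}
    findings = {}
    for r in rows:
        folder, name = ntpath.split(r["Path"].lower())
        if folder not in app_dirs or not name.endswith(".dll"):
            continue
        if r["Operation"] == "Load Image":
            # A DLL sitting beside the executable was actually mapped into the process.
            findings[name] = "loaded"
        elif r["Result"] == "NAME NOT FOUND":
            # Looked for beside the executable before any other location; absent this run.
            findings.setdefault(name, "probed")
    return findings


if __name__ == "__main__":
    for dll, state in sorted(app_dir_dll_probes(SAMPLE_CSV, "Setup.exe").items()):
        print(f"{dll}: {state} in application directory")
```

An empty result for the installer process after a fix means no DLL name was resolved from the download folder during that run.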

ericstj commented 2 years ago

Have a look at https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.defaultdllimportsearchpathsattribute that might help your scenario.

anaisbetts commented 2 years ago

URLMon in this case is probably used by the C++ code in Setup.exe. There are similar mitigations for other DLLs; this one probably needs to be mitigated as well.

robmen commented 2 years ago

I thought all the system DLLs were mitigated a long time ago. I'll take this, check it, and (if not) fix it.

anaisbetts commented 2 years ago

If it is the case, we probably need to delay-load urlmon.lib then explicitly LoadLibrary it via a full path (right? Am I remembering how to fix this correctly?)

robmen commented 2 years ago

@anaisbetts Yes.

robmen commented 2 years ago

@vyadav3 Could you try out the latest build to see if it addresses your urlmon.dll hijack: https://github.com/Squirrel/Squirrel.Windows/actions/runs/2416919466 (download the artifacts from that build, it will contain the latest Squirrel.nupkg).

vyadav3 commented 2 years ago

Hi @robmen Thanks for the build. We will test it and get back to you.

vyadav3 commented 2 years ago

Hi @robmen, unfortunately, the issue is still reproducible with the given artifacts.

robmen commented 2 years ago

@vyadav3 Hmm, I must be doing something wrong in my repro. Can you please provide a small sample application and all the files you use to reproduce this problem? It'd be great if you could put them into a GitHub repo for me to clone and build.

vyadav3 commented 2 years ago

Hi @robmen,

I have created a repo and put everything needed there so you can test it. I have also added a video to show the issue. You only need to place urlmon.dll and the exe installer in the same folder. https://github.com/vyadav3/urlmonIssue