Syncplay / syncplay

Client/server to synchronize media playback on mpv/VLC/MPC-HC/MPC-BE on many computers
http://syncplay.pl/
Apache License 2.0

Installer vulnerable to DLL side-loading #121

Closed CrossVR closed 7 years ago

CrossVR commented 7 years ago

Just a friendly reminder to update the version of NSIS you are using to compile the installer to a more recent version. Currently it will load malicious DLLs in the user's Downloads directory as explained here: https://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/

Et0h commented 7 years ago

Thanks for the heads up. Syncplay currently uses NSIS 2.46.5-Unicode but it sounds like we may need to port things over to NSIS 3 (which now has Unicode support by default).

CrossVR commented 7 years ago

According to the article, updating to 2.5 should also fix it without needing to port stuff to NSIS 3.

Et0h commented 7 years ago

Are there any trustworthy builds of NSIS Unicode updated to 2.5?

https://code.google.com/archive/p/unsis/downloads only goes up to 2.46.5 (the version I am currently on, which is susceptible to the DLL hijack vector).

The most recent post on the official NSIS Unicode thread at http://forums.winamp.com/showpost.php?p=3050784&postcount=571 is from March 2016 and states: "The old Unicode NSIS 2 hasn't been rebuilt in a stable release in quite a while. There were still code contributions trickling in after the last stable. It is vulnerable to the DLL hijack issue that the latest NSIS2 and NSIS3b3 releases patched. I'd recommend switching to NSIS3b3."

CrossVR commented 7 years ago

I'm guessing these are the ASCII builds then? https://sourceforge.net/projects/nsis/files/NSIS%202/

Et0h commented 7 years ago

Yes, although I think that technically they are not called 'ASCII builds' of NSIS but are instead referred to as 'ANSI builds' of NSIS. Whatever the terminology, they are not Unicode builds of NSIS.

According to https://en.wikipedia.org/wiki/Nullsoft_Scriptable_Install_System "Versions of NSIS before 3.0 did not support Unicode, but only a means to convert some files to different encodings via a plugin. However, a variant of NSIS that has full Unicode support is available [i.e. the Unicode version I discussed above]".

Et0h commented 7 years ago

buildPy2exe.py should now be compatible with NSIS 3 so future builds of Syncplay will not be susceptible to the DLL side-loading vulnerability :)

CrossVR commented 7 years ago

Thanks 👍
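To audit which NSIS release built an installer, using the versions named in this thread, the following is an added example and not code from the Syncplay project. It assumes the NSIS stub embeds a "Nullsoft Install System v…" description string and that the thread's "2.5" means the NSIS 2.50 release; the function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# Assumption: NSIS stubs embed a manifest description of the form
# "Nullsoft Install System v2.46.5-Unicode"; that marker is what we search for.
MARKER = re.compile(
    rb"Nullsoft Install System v((\d+)\.(\d+)(?:\.\d+)?(?:(a|b|rc)(\d+))?[-\w]*)")

# Constructed sample: a fragment shaped like the manifest of an installer
# built with the NSIS version mentioned in the thread.
SAMPLE = (b"MZ\x90\x00...<description>Nullsoft Install System "
          b"v2.46.5-Unicode</description>...")

def nsis_version(data: bytes):
    """Return (text, major, minor, prerelease) or None if no marker is found."""
    m = MARKER.search(data)
    if m is None:
        return None
    pre = (m.group(4).decode("ascii"), int(m.group(5))) if m.group(4) else None
    return m.group(1).decode("ascii"), int(m.group(2)), int(m.group(3)), pre

def classify(data: bytes) -> str:
    """Return 'not-nsis', 'predates-fix' or 'has-fix' per the thread's versions."""
    version = nsis_version(data)
    if version is None:
        return "not-nsis"
    _, major, minor, pre = version
    if major < 2:
        return "predates-fix"
    if major == 2:
        # Assumption: the thread's "2.5" is the NSIS 2.50 release.
        return "has-fix" if minor >= 50 else "predates-fix"
    if major == 3 and minor == 0 and pre is not None:
        kind, number = pre
        # The thread names NSIS3b3 as patched; alphas and earlier betas are not.
        if kind == "a" or (kind == "b" and number < 3):
            return "predates-fix"
    return "has-fix"

if __name__ == "__main__":
    # Usage: python check_nsis.py installer1.exe installer2.exe ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

A "has-fix" result only reports the build tool's version; it does not examine DLLs already sitting next to the installer.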