"Unsafe DLL Loading", Do I need to release a security advisory?

[rcmaehl]

Hi all,

Recently one of my applications was slammed by a security researcher that it

• is EXTREMELY UNSAFE crap,... ignores all of Microsoft's security recommendations for the safe loading of DLLs and applications:
• It loads more than a dozen system DLLs from its "installation directory" (at Ordinary abusers typically use the "Downloads" directory instead of the Windows system directory C:\Windows\System32 and execute this with administrator rights;
• It executes any DLL, stupidly also with administrator rights, ie this SCHROTT allows "escalation of privilege".

Or well that's what the rough translation is. Actual text is

•  ist ÜBLER UNSICHERER Schrott... das alle Sicherheitsempfehlungen Microsofts zum sicheren Laden von DLLs und Anwendungen ignoriert:
• es lädt mehr als ein Dutzend System-DLLs aus seinem „Installations-Verzeichnis“ (bei Otto Normalmissbraucher typischerweise das „Downloads“-Verzeichnis) statt aus dem Windows-System-Verzeichnis C:\Windows\System32 und führt diese mit Administratorrechten aus;
•  es führt eine beliebige DLL aus, dümmsterweise auch mit Administratorrechten,
  d.h. dieser SCHROTT erlaubt „escalation of privilege“.

For the first point. I'm only using a 5 DllCalls, Does DLLCall check the Working Directory before System Directory, or even at all? (I don't know how to make DLLs, so I can't test) If so, shouldn't be made not the case by default to prevent dll hijacking? If not, how can I better protect the end users? Are the built Includes also checking Working Directory before System Directory?

For the second point, what is the best way to manage DLL and process privilege levels? I see AutoIt by default uses AsInvoker by default. Is there anyway to easily adjust this script wide?

Are there any other security concerns that I should be aware of? I have about 300k downloads currently as well, should I issue a security advisory or create a CVE for my application?

Thanks in advance

Edited June 29, 2021 by rcmaehl

[argumentum]

Declare your path on the loading of a DLL. As default the OS ( windows ), will load from current folder, then search in the path. So declare the path and do your own path search. Now, if someone can copy, just plain copy a DLL to where your app. is at, might as well do anything else to that PC. Or would it need your app. lo load a DLL ??
If your app. is the installer, then there is the possibility of loading the wrong thing but it'd be very strange for such DLL to be just sitting there.

Do change that "SCHROTT" to open the DLL with your own path declaration and use the handle for the calls. Change the WorkingDir to WindowsDir to avoid side loading ?
Other than that, I would not do much. Maybe announce a new version, so the researcher feel happy he saved countless PCs

Unless you post a piece of code ( the part that looks insecure ), I would not know what else to say.

[rcmaehl]

Thanks for the reply, Also

44 minutes ago, argumentum said:

Change the WorkingDir to WindowsDir to avoid side loading ?

Is pretty genius, as if put before includes, prevents any sideload issues in UDFs as well. Thanks

[TheDcoder]

I am curious, as this application seems to be a public do you mind sharing it here?

[rcmaehl]

Just now, TheDcoder said:

I am curious, as this application seems to be a public do you mind sharing it here?

Fine

https://github.com/rcmaehl/WhyNotWin11

I'm sure some of the more experienced coders will cringe at various sections.

[TheDcoder]

That's a nice application, and wow, looks like the project blew up in a short amount of time, where did you post it to get such reach?

[rcmaehl]

Just now, TheDcoder said:

That's a nice application, and wow, looks like the project blew up in a short amount of time, where did you post it to get such reach?

A couple discord servers the day of the announcement once I realized the official tool was 💩 and like 3 small reddit threads (< 50 karma)

[TheDcoder]

It is a very nice application, good job

[rcmaehl]

6 minutes ago, TheDcoder said:

It is a very nice application, good job

Code Suggestions are Appreciated (especially #162) 👉👈

Edited June 30, 2021 by rcmaehl

[TheDcoder]

13 minutes ago, rcmaehl said:

#162

WMI and PowerShell are not really my things, I never used them aside from one WMI query that I copied from somewhere

Looks like there are a lot of open issues and feature requests etc. which are keeping you very busy (saw your post that you wrote at 2 AM), best of luck keeping on top of it

[water]

15 hours ago, rcmaehl said:

•  ist ÜBLER UNSICHERER Schrott... das alle Sicherheitsempfehlungen Microsofts zum sicheren Laden von DLLs und Anwendungen ignoriert:
• es lädt mehr als ein Dutzend System-DLLs aus seinem „Installations-Verzeichnis“ (bei Otto Normalmissbraucher typischerweise das „Downloads“-Verzeichnis) statt aus dem Windows-System-Verzeichnis C:\Windows\System32 und führt diese mit Administratorrechten aus;
•  es führt eine beliebige DLL aus, dümmsterweise auch mit Administratorrechten,
  d.h. dieser SCHROTT erlaubt „escalation of privilege“.

I would immediately move to another security researcher. The wording he uses to describe the security issues is extremely unprofessional.
I would expect

• a professional and detailed description of the security problems
• A score for each issue based on a recognized rating scale
• Links to the security recommandations he refers to ("Microsoft's security recommendations for the safe loading of DLLs and applications")
• detailed measures to address these security issues

In my opinion this "security check and report" is Schrott.

BTW: I work in IT-security, so I know what I'm talking about

Edited June 30, 2021 by water

[mLipok]

@rcmaehl you was mentioned here:

https://www.dobreprogramy.pl/whynotwin11-sprawdz-czy-zainstalujesz-windows-11-i-dowiedz-sie-dlaczego-nie,6655486176307776a

btw.

I notice problem with selecting my language.
Will dig into this but waitng for all PR will be accepted/rejected, as I have few other changes to do.

Edited June 30, 2021 by mLipok

[Skysnake]

@rcmaehl please consider publishing this on the Wiki?