Details
Bug
Resolution: Fixed
Major - P3
1.4.1
None
Description
An internal audit has discovered the following security vulnerability, so would you kindly consider addressing this:
SLSL-179-UC-3-14 Insecure LoadLibrary() Call

Description:
The application loads a system DLL without specifying its path. As a result, if an attacker is able to plant a DLL with the same name in a directory parsed first in the search path, it will be loaded instead.

The following code demonstrates this issue:

    int sspi_init(
    )
    {
        sspi_secur32_dll = LoadLibrary("secur32.dll");
        if (!sspi_secur32_dll) {
            return GetLastError();
        }
    ...[SNIP]...

Recommendation:
Modify the LoadLibrary() call to specify the full path of the DLL in order to ensure only the intended version is used, rather than a planted malicious binary.
Reference file:
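
One way to apply the recommendation above, as an added example that is not the project's code: resolve the system directory at run time and pass LoadLibrary() an absolute path. The helper names `build_system_dll_path` and `load_system_dll` are hypothetical; the loader half compiles only under `_WIN32`, while the path-building half is portable.

```c
/* Added example, not the project's code; helper names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Join the system directory and a bare DLL file name into out.
 * Returns 0 on success, -1 if name carries a path component or the
 * result does not fit (a truncated path could name a different file). */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t outlen)
{
    size_t dlen, nlen, need_sep;

    if (!sysdir || !name || !out || !*sysdir || !*name)
        return -1;
    if (strpbrk(name, "\\/:") != NULL)   /* bare file name only */
        return -1;
    dlen = strlen(sysdir);
    nlen = strlen(name);
    need_sep = (sysdir[dlen - 1] != '\\');
    if (dlen + need_sep + nlen + 1 > outlen)
        return -1;
    snprintf(out, outlen, "%s%s%s", sysdir, need_sep ? "\\" : "", name);
    return 0;
}

#ifdef _WIN32
#include <windows.h>

/* Load a DLL by absolute path from the system directory only. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof(sysdir));

    if (n == 0)                      /* API failed; last error already set */
        return NULL;
    if (n >= sizeof(sysdir) ||       /* buffer too small for the directory */
        build_system_dll_path(sysdir, name, full, sizeof(full)) != 0) {
        SetLastError(ERROR_BAD_PATHNAME);
        return NULL;
    }
    return LoadLibraryA(full);
}
#endif
```

On Windows versions that support it, LoadLibraryEx() with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag gives the same restriction without building the path by hand.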