[GODRIVER-1757] Security Vulnerability: system DLL loaded without path specified
Created: 28/Sep/20
Updated: 28/Oct/23
Resolved: 26/Oct/20

Status: Closed
Project: Go Driver
Component/s: Authentication
Affects Version/s: 1.4.1
Fix Version/s: 1.4.3

Type: Bug
Priority: Major - P3
Reporter: J M
Assignee: Divjot Arora (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

 Description   

An internal audit has discovered the following security vulnerability, so would you kindly consider addressing this:

SLSL-179-UC-3-14 Insecure LoadLibrary() Call	  
 
Description:
The application loads a system DLL without specifying its path. As a result, if an attacker is able to plant a DLL with the same name in a directory parsed first in the search path, it will be loaded instead.
The following code demonstrates this issue:
int sspi_init(
)
{
	sspi_secur32_dll = LoadLibrary("secur32.dll");
	if (!sspi_secur32_dll) {
		return GetLastError();
	}
...[SNIP]...
 
 
Recommendation:
Modify the LoadLibrary() call to specify the full path of the DLL in order to ensure only the intended version is used, rather than a planted malicious binary.

Reference file:

https://github.com/mongodb/mongo-go-driver/blob/c2a43c080082db26ed2d6fb44026ce1d00a983a7/x/mongo/driver/auth/internal/gssapi/sspi_wrapper.c

 



 Comments   
Comment by Githook User [ 26/Oct/20 ]

Author: Divjot Arora <divjot.arora@10gen.com> (divjotarora)

Message: GODRIVER-1757 Specify exact path for LoadLibrary call (#522)
Branch: release/1.4
https://github.com/mongodb/mongo-go-driver/commit/68d5da15ee7e5203ef9ca4107c98b3df985f6868

Comment by Githook User [ 26/Oct/20 ]

Author: Divjot Arora <divjot.arora@10gen.com> (divjotarora)

Message: GODRIVER-1757 Specify exact path for LoadLibrary call (#522)
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/b28dec6a04caea7af0ca0e5ec65e228cd32304af

Comment by Divjot Arora (Inactive) [ 20/Oct/20 ]

https://github.com/mongodb/mongo-go-driver/pull/522

Comment by Divjot Arora (Inactive) [ 12/Oct/20 ]

Hi jmedlock@microsoft.com,

Apologies for the delay in responding. I'm currently looking into two potential solutions:

  1. Specify the full path. This may be a backwards-breaking behavioral change, but secur32.dll is a system library, not a custom one that we provide, so it might be OK for us to only look for it in the standard system paths. I'm currently looking into where this DLL is located and whether that location differs in various Windows versions.
  2. Use either LoadLibraryExA or LoadLibraryExW with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag, which would only allow the linker to look for those libraries in system directories. That flag is not supported on Windows XP, however, so I'm also figuring out if that would be a reasonable restriction.

Once we've decided on a path forward, I'll update this ticket.

– Divjot
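
The two options weighed in the comment above, combined in one loader. This is an added example, not the driver's code and not the change merged in #522. `build_system_path` and `load_system_dll` are hypothetical helper names, and the Windows-only part is guarded by `_WIN32`.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800
#endif
#endif

/* Hypothetical helper: join sysdir and a bare DLL file name into out. Returns 0,
 * or -1 if name has a directory or drive component or the result does not fit. */
int build_system_path(const char *sysdir, const char *name,
                      char *out, size_t outlen)
{
    int n;
    if (!sysdir || !name || !*sysdir || !*name || strpbrk(name, "\\/:"))
        return -1;
    n = snprintf(out, outlen, "%s\\%s", sysdir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef _WIN32
/* Hypothetical helper: load a system DLL by absolute path only, so the
 * application directory, current directory and PATH are never searched. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT len = GetSystemDirectoryA(sysdir, (UINT)sizeof(sysdir));
    HMODULE h;
    if (len == 0 || len >= sizeof(sysdir) ||
        build_system_path(sysdir, name, full, sizeof(full)) != 0)
        return NULL;
    /* Option 2 on top of option 1: the flag also keeps the lookup of the
     * DLL's own dependencies inside the system directory. */
    h = LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    /* If that fails (e.g. flag not supported), retry as a plain full-path load. */
    return h ? h : LoadLibraryA(full);
}
#endif

int main(void)
{
    char path[260];
    /* Constructed system directory, used only to show the helper's output. */
    if (build_system_path("C:\\Windows\\System32", "secur32.dll",
                          path, sizeof(path)) == 0)
        printf("%s\n", path);
    return 0;
}
```

Because the name is always resolved to an absolute path before either load call, the standard search order is never applied to the named DLL, whichever call ends up loading it.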
