Re: Tortoise SVN latest vulnerable to Windows DLL hijacking

Author steveking
Full name Stefan Küng
Date 2010-08-30 13:58:37 PDT
Message On 30.08.2010 18:43, Nikhil Mittal wrote:
> Hi There,
>
> TortoiseSVN 1.6.10, Build 19898 ( latest available on tigris.org) is
> vulnerable to Windows DLL Hijacking vulnerability.
> http://www.microsoft.com/technet/security/advisory/2269637.mspx
>
> I am able to gain a command shell with current user privileges using
> metasploit. This is to notify you please. Request your consent to make
> it public.

Now before people start panicking, here's a little information:
* yes, TortoiseProc and TortoiseMerge are vulnerable.
* no, it's not urgent. Because neither of those apps is assigned
   to a specific file type. So double-clicking on a file to open it
   with either of those apps is not possible unless you specifically
   assign a file type to open with TortoiseProc or TortoiseMerge.
   But since opening any file type with either of those apps
   is pretty useless because it doesn't do anything, the attack vector
   requires user interaction beforehand.
* no, we can't fix it. Here's why:
   We already load *all* our dlls with full paths, wherever we use
   the LoadLibrary() or LoadLibraryEx() APIs. But: the MFC library
   does not! When MFC gets initialized (and that's initialized before
   any code of ours is executed, so calling SetDllDirectory(L"") doesn't
   help) it tries to load the dwmapi.dll - and on XP and Win2k that
   dll doesn't exist. Which then leads to the problem.
   Basically, all applications that use the MFC are affected. So I'm
   sure that MS will soon provide an update.
   Only Win2k and XP are affected. If you're using Vista or Win7,
   you're safe (with TSVN at least).
* We also use LoadLibrary("dwmapi.dll") in the nightly builds from
   trunk, but there we already call SetDllDirectory(L"") when we
   start the app. But that still leaves the same problem with MFC doing
   it the wrong way.

To sum up: you're safe if you haven't assigned a file type to open with
TortoiseProc or TortoiseMerge.


Stefan


P.S.: if someone's interested: the problem part in MFC is in the file
afxglobals.cpp (and if I'm not mistaken, some other places too). The line
    m_hinstDwmapiDLL = ::AfxCtxLoadLibrary(_T("dwmapi.dll"));
tries to load the dwmapi.dll which doesn't exist on XP.
That's true for the MFC9 (comes with VS2008) and MFC10 (VS2010).

--
        ___
   oo // \\ "De Chelonian Mobile"
  (_,\/ \_/ \ TortoiseSVN
    \ \_/_\_/> The coolest Interface to (Sub)Version Control
    /_/ \_\ http://tortoisesvn.net
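Stefan's bottom line is that the hijack is only reachable by double-click when some file type has been assigned to TortoiseProc or TortoiseMerge. The following check is an added example (not code from the post or from TortoiseSVN) that lists such associations; it assumes the standard layout of extension keys under HKEY_CLASSES_ROOT and HKCU\Software\Classes, each pointing to a ProgId with a shell\open\command verb.

```powershell
# Added example: report file extensions whose "open" verb launches TortoiseProc.exe
# or TortoiseMerge.exe, the precondition described in the post above.
$targets = 'TortoiseProc.exe', 'TortoiseMerge.exe'
# Machine-wide and per-user class registrations (assumed standard layout).
$hives = 'Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CURRENT_USER\Software\Classes'

foreach ($hive in $hives) {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |       # extension keys only, e.g. ".patch"
        ForEach-Object {
            $ext    = $_.PSChildName
            # The (default) value of an extension key names its ProgId.
            $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if (-not $progId) { return }

            $cmdKey = "$hive\$progId\shell\open\command"
            $cmd    = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $cmd) { return }

            foreach ($t in $targets) {
                if ($cmd -match [regex]::Escape($t)) {
                    # Each hit is one extension that would start a vulnerable MFC app on double-click.
                    [pscustomobject]@{ Hive = $hive; Extension = $ext; ProgId = $progId; Command = $cmd }
                }
            }
        }
}
```

No output means no extension is wired to either application, which is the "safe" state the post describes; any row shown is an association worth removing or pointing at a different handler until the MFC fix is available.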
