Insecure DLL Call in Windows

Eion Robb eion at robbmob.com
Wed May 21 16:25:42 EDT 2014


Whether or not we perceive this to be a security flaw, this is not
something that we have control over as this is part of Gtk and not part of
Pidgin/libpurple.  It would be more appropriate to report it to Gtk+ instead.


On 21 May 2014 23:36, NaxoneZ . <naxonez at gmail.com> wrote:

> Finally, do you accept this as a security flaw? :S
>
> Regards
>
> ---------- Forwarded message ----------
> From: NaxoneZ . <naxonez at gmail.com>
> Date: 2014-05-14 21:40 GMT+02:00
> Subject: Re: Insecure DLL Call in Windows
> To: Richard Laager <rlaager at pidgin.im>
>
>
> Sorry, I forgot to tell you that this path doesn't exist on my system (is it
> really necessary?).
>
> Regards and sorry for spam.
>
>
> 2014-05-14 21:39 GMT+02:00 NaxoneZ . <naxonez at gmail.com>:
>
>> The problem is that malware can approach this insecure call and plant a
>> DLL using the limited rights of the user.
>>
>> Normally the calls to this DLL are in a "secure" folder like Windows or
>> Program Files because a limited user can't write in these directories.
>>
>> You can obtain other examples here:
>> http://secunia.com/advisories/windows_insecure_library_loading/
>>
>> Regards and thanks :)
>>
>>
>>
>> 2014-05-14 21:13 GMT+02:00 Richard Laager <rlaager at pidgin.im>:
>>
>>> On Wed, 2014-05-14 at 14:12 +0200, NaxoneZ . wrote:
>>>
>>> > How you can see if an attacker plants a DLL in these paths (I tested
>>> > with %USERPROFILE%\.gtk-2.0\engine\libwimp.dll with this
>>> > DLL:
>>> > http://www.binaryplanting.com/demo/windows_address_book/wab32res.dll
>>>
>>> I'm not sure how this is any different than the fact that Pidgin, like
>>> many programs, loads plugin DLLs from the user's home directory
>>> ("profile" in Windows speak). Any program which supports plugins allows
>>> the user to execute code.
>>>
>>> --
>>> Richard
>>>
>>
>>
>
>
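An added example, not code from this thread, Pidgin or GTK+: a Python audit that inventories DLLs present in the per-user directory named in the thread (`%USERPROFILE%\.gtk-2.0\engine`) and marks any whose SHA-256 is not on an administrator-supplied allowlist. The function names, the `allowlist` parameter and the `USER_MODULE_DIRS` tuple are assumptions of this example.

```python
import hashlib
import os
from pathlib import Path

# Per-user directories to audit, relative to the profile root. The single entry
# is the path named in the thread; adding others is an assumption of this example.
USER_MODULE_DIRS = (Path(".gtk-2.0") / "engine",)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large modules are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_user_module_dirs(profile: Path, allowlist=frozenset()):
    """Return one finding per DLL found under the audited per-user directories.

    allowlist holds SHA-256 digests of DLLs the administrator has approved
    (hypothetical parameter, not a Pidgin or GTK+ concept).
    """
    findings = []
    for rel in USER_MODULE_DIRS:
        base = profile / rel
        if not base.is_dir():
            continue  # directory absent: no DLLs to report for it
        for path in sorted(base.rglob("*")):
            if not path.is_file() or path.suffix.lower() != ".dll":
                continue
            digest = sha256_of(path)
            findings.append({
                "path": str(path.relative_to(profile)),
                "sha256": digest,
                "approved": digest in allowlist,
            })
    return findings


if __name__ == "__main__":
    # USERPROFILE is set on Windows; fall back to the home directory elsewhere.
    profile = Path(os.environ.get("USERPROFILE", str(Path.home())))
    for f in audit_user_module_dirs(profile):
        status = "approved" if f["approved"] else "REVIEW"
        print(f'{status}  {f["sha256"]}  {f["path"]}')
```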