Open-shell-menu: Installer: Prevent DLL hijacking attack

Created on 16 Aug 2018  路  10Comments  路  Source: Open-Shell/Open-Shell-Menu

DLL hijacking (planting) attack exploits the fact that by default DLLs are loaded from the same folder as main _executable_ file (when relative path is used to load DLL).

This is further mitigated by KnownDLLs. Those DLLs are always loaded from system folder no matter if they are present in _executable_'s folder or not.

Open-Shell installer depends on version.dll that is not part of _KnownDlls_ and thus it is vulnerable to DLL hijacking attack.

Malicious site can _trick_ the user to download malicious DLL into his _download_ folder. And if that user will download also Open-Shell installer and run it, malicious DLL may get loaded and executed.

The solution would be to get rid of version.dll dependency.
If not possible to eliminate it completely then we should at least not link to in statically and load the DLL during run-time using full path.

security

Most helpful comment

I don't have that kind of money and i have failed hardware to replace so it'll happen when the money does.

All 10 comments

Is there a way for you to apply a digital signature to the executables?

I didn't realize that they didn't have one till I just checked a few of them.

This is one option to help with confirming the software's authenticity.

Just providing a suggestion... :-)

~Ibuprophen

Is there a way for you to apply a digital signature to the executables?

Unfortunately, digital signing certificate costs some money. So we will need some kind of donations to be able to cover certificate costs.

I guess we should seriously consider this, because digital signatures help to prove authenticity of distributed binaries. It will also help to avoid various anti-malware product false-positives.

DigiCert is an option that I've used in the past that didn't cost me anything.

I believe that they're still a Reputable Company as well.

I would have to think back when I used to Digitally Sign various Software.

Today, I only really use Digital Signatures for Adobe, E-Mail's and such.

~Ibuprophen

DigiCert is an option that I've used in the past that didn't cost me anything.

Thanks for the tip, but according to DigiCert website the cost of code signing certificate is $178 per year (way too much for hobbyist free-time project 馃檨).

Unfortunately, digital signing certificate costs some money.

A precision is needed I think. Anyone CAN sign, even in a way that is user-verifiable. However MOST software entities and security suites only recognizes certificates issued by known, validated and trusted authorities, and that's where the money part comes from. These authorities will _sell_ you a certificate, that will be validated as "Authentic" and when the software finds that signature/certificate, it says "Okay, Big Company A certifies that this software is safe, let's stop snooping".

@ge0rdi, I should have looked this up first. My apologies!

I guess it's not free anymore with them but, when I chat with a (MS Connection) friend of mine before you resolve this situation, I'll ask his opinion/suggestion about the less priced options.

~Ibuprophen

@ge0rdi @XenHat I posted this at the other issue with the false positives but you must have missed it. The cheapest code signing certificate by a CA that is trusted everywhere is the open source code signing option by Certum: https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-on-simplysign.html

It is just 49 Euro/year, specifically for open source projects. That is not that hard to manage with donations.

I don't have that kind of money and i have failed hardware to replace so it'll happen when the money does.

@XenHat Perfectly understandable. This is why I suggested a donation button for the needs of the certificate. eg a call for donations for this purpose in Readme.md. :)

Yes there are plenty of us out here hoping you people get this program mainstream again put up a donation link somewhere we not so Technical people can find it we'll support this project

Was this page helpful?
0 / 5 - 0 ratings

Related issues

asianmusicguy picture asianmusicguy  路  3Comments

Ibuprophen picture Ibuprophen  路  3Comments

thunderpants picture thunderpants  路  4Comments

Gittyperson picture Gittyperson  路  3Comments

dertuxmalwieder picture dertuxmalwieder  路  4Comments