rcmaehl Posted June 29, 2021 Share Posted June 29, 2021 (edited) Hi all, Recently one of my applications was slammed by a security researcher that it is EXTREMELY UNSAFE crap,... ignores all of Microsoft's security recommendations for the safe loading of DLLs and applications: It loads more than a dozen system DLLs from its "installation directory" (at Ordinary abusers typically use the "Downloads" directory instead of the Windows system directory C:\Windows\System32 and execute this with administrator rights; It executes any DLL, stupidly also with administrator rights, ie this SCHROTT allows "escalation of privilege". Or well that's what the rough translation is. Actual text is ist ÜBLER UNSICHERER Schrott... das alle Sicherheitsempfehlungen Microsofts zum sicheren Laden von DLLs und Anwendungen ignoriert: es lädt mehr als ein Dutzend System-DLLs aus seinem „Installations-Verzeichnis“ (bei Otto Normalmissbraucher typischerweise das „Downloads“-Verzeichnis) statt aus dem Windows-System-Verzeichnis C:\Windows\System32 und führt diese mit Administratorrechten aus; es führt eine beliebige DLL aus, dümmsterweise auch mit Administratorrechten, d.h. dieser SCHROTT erlaubt „escalation of privilege“. For the first point. I'm only using a 5 DllCalls, Does DLLCall check the Working Directory before System Directory, or even at all? (I don't know how to make DLLs, so I can't test) If so, shouldn't be made not the case by default to prevent dll hijacking? If not, how can I better protect the end users? Are the built Includes also checking Working Directory before System Directory? For the second point, what is the best way to manage DLL and process privilege levels? I see AutoIt by default uses AsInvoker by default. Is there anyway to easily adjust this script wide? Are there any other security concerns that I should be aware of? I have about 300k downloads currently as well, should I issue a security advisory or create a CVE for my application? Thanks in advance Edited June 29, 2021 by rcmaehl TheDcoder 1 My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.My Projects WhyNotWin11Cisco Finesse, Github, IRC UDF, WindowEx UDF Link to comment Share on other sites More sharing options...
argumentum Posted June 29, 2021 Share Posted June 29, 2021 Declare your path on the loading of a DLL. As default the OS ( windows ), will load from current folder, then search in the path. So declare the path and do your own path search. Now, if someone can copy, just plain copy a DLL to where your app. is at, might as well do anything else to that PC. Or would it need your app. lo load a DLL ?? If your app. is the installer, then there is the possibility of loading the wrong thing but it'd be very strange for such DLL to be just sitting there. Do change that "SCHROTT" to open the DLL with your own path declaration and use the handle for the calls. Change the WorkingDir to WindowsDir to avoid side loading ? Other than that, I would not do much. Maybe announce a new version, so the researcher feel happy he saved countless PCs Unless you post a piece of code ( the part that looks insecure ), I would not know what else to say. TheDcoder and rcmaehl 2 Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting. Link to comment Share on other sites More sharing options...
rcmaehl Posted June 29, 2021 Author Share Posted June 29, 2021 Thanks for the reply, Also 44 minutes ago, argumentum said: Change the WorkingDir to WindowsDir to avoid side loading ? Is pretty genius, as if put before includes, prevents any sideload issues in UDFs as well. Thanks argumentum 1 My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.My Projects WhyNotWin11Cisco Finesse, Github, IRC UDF, WindowEx UDF Link to comment Share on other sites More sharing options...
TheDcoder Posted June 30, 2021 Share Posted June 30, 2021 I am curious, as this application seems to be a public do you mind sharing it here? EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time) DcodingTheWeb Forum - Follow for updates and Join for discussion Link to comment Share on other sites More sharing options...
rcmaehl Posted June 30, 2021 Author Share Posted June 30, 2021 Just now, TheDcoder said: I am curious, as this application seems to be a public do you mind sharing it here? Fine https://github.com/rcmaehl/WhyNotWin11 I'm sure some of the more experienced coders will cringe at various sections. My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.My Projects WhyNotWin11Cisco Finesse, Github, IRC UDF, WindowEx UDF Link to comment Share on other sites More sharing options...
TheDcoder Posted June 30, 2021 Share Posted June 30, 2021 That's a nice application, and wow, looks like the project blew up in a short amount of time, where did you post it to get such reach? EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time) DcodingTheWeb Forum - Follow for updates and Join for discussion Link to comment Share on other sites More sharing options...
rcmaehl Posted June 30, 2021 Author Share Posted June 30, 2021 Just now, TheDcoder said: That's a nice application, and wow, looks like the project blew up in a short amount of time, where did you post it to get such reach? A couple discord servers the day of the announcement once I realized the official tool was 💩 and like 3 small reddit threads (< 50 karma) TheDcoder 1 My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.My Projects WhyNotWin11Cisco Finesse, Github, IRC UDF, WindowEx UDF Link to comment Share on other sites More sharing options...
TheDcoder Posted June 30, 2021 Share Posted June 30, 2021 It is a very nice application, good job EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time) DcodingTheWeb Forum - Follow for updates and Join for discussion Link to comment Share on other sites More sharing options...
rcmaehl Posted June 30, 2021 Author Share Posted June 30, 2021 (edited) 6 minutes ago, TheDcoder said: It is a very nice application, good job Code Suggestions are Appreciated (especially #162) 👉👈 Edited June 30, 2021 by rcmaehl TheDcoder 1 My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.My Projects WhyNotWin11Cisco Finesse, Github, IRC UDF, WindowEx UDF Link to comment Share on other sites More sharing options...
TheDcoder Posted June 30, 2021 Share Posted June 30, 2021 13 minutes ago, rcmaehl said: #162 WMI and PowerShell are not really my things, I never used them aside from one WMI query that I copied from somewhere Looks like there are a lot of open issues and feature requests etc. which are keeping you very busy (saw your post that you wrote at 2 AM), best of luck keeping on top of it EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time) DcodingTheWeb Forum - Follow for updates and Join for discussion Link to comment Share on other sites More sharing options...
water Posted June 30, 2021 Share Posted June 30, 2021 (edited) 15 hours ago, rcmaehl said: ist ÜBLER UNSICHERER Schrott... das alle Sicherheitsempfehlungen Microsofts zum sicheren Laden von DLLs und Anwendungen ignoriert: es lädt mehr als ein Dutzend System-DLLs aus seinem „Installations-Verzeichnis“ (bei Otto Normalmissbraucher typischerweise das „Downloads“-Verzeichnis) statt aus dem Windows-System-Verzeichnis C:\Windows\System32 und führt diese mit Administratorrechten aus; es führt eine beliebige DLL aus, dümmsterweise auch mit Administratorrechten, d.h. dieser SCHROTT erlaubt „escalation of privilege“. I would immediately move to another security researcher. The wording he uses to describe the security issues is extremely unprofessional. I would expect a professional and detailed description of the security problems A score for each issue based on a recognized rating scale Links to the security recommandations he refers to ("Microsoft's security recommendations for the safe loading of DLLs and applications") detailed measures to address these security issues In my opinion this "security check and report" is Schrott. BTW: I work in IT-security, so I know what I'm talking about Edited June 30, 2021 by water seadoggie01, TheDcoder and Skysnake 2 1 My UDFs and Tutorials: Spoiler UDFs: Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki Standard UDFs: Excel - Example Scripts - Wiki Word - Wiki Tutorials: ADO - Wiki WebDriver - Wiki Link to comment Share on other sites More sharing options...
mLipok Posted June 30, 2021 Share Posted June 30, 2021 (edited) @rcmaehl you was mentioned here: https://www.dobreprogramy.pl/whynotwin11-sprawdz-czy-zainstalujesz-windows-11-i-dowiedz-sie-dlaczego-nie,6655486176307776a btw. I notice problem with selecting my language. Will dig into this but waitng for all PR will be accepted/rejected, as I have few other changes to do. Edited June 30, 2021 by mLipok TheDcoder 1 Signature beginning:* Please remember: "AutoIt"..... * Wondering who uses AutoIt and what it can be used for ? * Forum Rules ** ADO.au3 UDF * POP3.au3 UDF * XML.au3 UDF * IE on Windows 11 * How to ask ChatGPT for AutoIt Code * for other useful stuff click the following button: Spoiler Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind. My contribution (my own projects): * Debenu Quick PDF Library - UDF * Debenu PDF Viewer SDK - UDF * Acrobat Reader - ActiveX Viewer * UDF for PDFCreator v1.x.x * XZip - UDF * AppCompatFlags UDF * CrowdinAPI UDF * _WinMergeCompare2Files() * _JavaExceptionAdd() * _IsBeta() * Writing DPI Awareness App - workaround * _AutoIt_RequiredVersion() * Chilkatsoft.au3 UDF * TeamViewer.au3 UDF * JavaManagement UDF * VIES over SOAP * WinSCP UDF * GHAPI UDF - modest begining - comunication with GitHub REST API * ErrorLog.au3 UDF - A logging Library * Include Dependency Tree (Tool for analyzing script relations) * Show_Macro_Values.au3 * My contribution to others projects or UDF based on others projects: * _sql.au3 UDF * POP3.au3 UDF * RTF Printer - UDF * XML.au3 UDF * ADO.au3 UDF * SMTP Mailer UDF * Dual Monitor resolution detection * * 2GUI on Dual Monitor System * _SciLexer.au3 UDF * SciTE - Lexer for console pane * Useful links: * Forum Rules * Forum etiquette * Forum Information and FAQs * How to post code on the forum * AutoIt Online Documentation * AutoIt Online Beta Documentation * SciTE4AutoIt3 getting started * Convert text blocks to AutoIt code * Games made in Autoit * Programming related sites * Polish AutoIt Tutorial * DllCall Code Generator * Wiki: * Expand your knowledge - AutoIt Wiki * Collection of User Defined Functions * How to use HelpFile * Good coding practices in AutoIt * OpenOffice/LibreOffice/XLS Related: WriterDemo.au3 * XLS/MDB from scratch with ADOX IE Related: * How to use IE.au3 UDF with AutoIt v3.3.14.x * Why isn't Autoit able to click a Javascript Dialog? * Clicking javascript button with no ID * IE document >> save as MHT file * IETab Switcher (by LarsJ ) * HTML Entities * _IEquerySelectorAll() (by uncommon) * IE in TaskScheduler * IE Embedded Control Versioning (use IE9+ and HTML5 in a GUI) * PDF Related: * How to get reference to PDF object embeded in IE * IE on Windows 11 * I encourage you to read: * Global Vars * Best Coding Practices * Please explain code used in Help file for several File functions * OOP-like approach in AutoIt * UDF-Spec Questions * EXAMPLE: How To Catch ConsoleWrite() output to a file or to CMD *I also encourage you to check awesome @trancexx code: * Create COM objects from modules without any demand on user to register anything. * Another COM object registering stuff * OnHungApp handler * Avoid "AutoIt Error" message box in unknown errors * HTML editor * winhttp.au3 related : * https://www.autoitscript.com/forum/topic/206771-winhttpau3-download-problem-youre-speaking-plain-http-to-an-ssl-enabled-server-port/ "Homo sum; humani nil a me alienum puto" - Publius Terentius Afer"Program are meant to be read by humans and only incidentally for computers and execute" - Donald Knuth, "The Art of Computer Programming" , be and \\//_. Anticipating Errors : "Any program that accepts data from a user must include code to validate that data before sending it to the data store. You cannot rely on the data store, ...., or even your programming language to notify you of problems. You must check every byte entered by your users, making sure that data is the correct type for its field and that required fields are not empty." Signature last update: 2023-04-24 Link to comment Share on other sites More sharing options...
Skysnake Posted August 25, 2021 Share Posted August 25, 2021 @rcmaehl please consider publishing this on the Wiki? Skysnake Why is the snake in the sky? Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now