Wireshark-bugs: [Wireshark-bugs] [Bug 5133] Wireshark vulnerable to DLL hijacking
Date: Tue, 24 Aug 2010 13:03:55 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5133

--- Comment #2 from Gerald Combs <gerald@xxxxxxxxxxxxx> 2010-08-24 13:03:54 PDT ---
According to Process Monitor, double-clicking a capture file results in the
following .dll/.sys load attempts in the CWD:

wireshark.exe    C:\path\to\Captures\SortServer2003Compat.dll
wireshark.exe    C:\path\to\Captures\riched20.dll
wireshark.exe    C:\path\to\Captures\wpcap.dll
wireshark.exe    C:\path\to\Captures\wpcap.dll
wireshark.exe    C:\path\to\Captures\packet.dll
wireshark.exe    C:\path\to\Captures\iphlpapi.dll
wireshark.exe    C:\path\to\Captures\WINNSI.DLL
wireshark.exe    C:\path\to\Captures\drivers\NPF.sys
wireshark.exe    C:\path\to\Captures\packet.dll
wireshark.exe    C:\path\to\Captures\libintl-8.dll
wireshark.exe    C:\path\to\Captures\CRYPTSP.dll
wireshark.exe    C:\path\to\Captures\NETAPI32.DLL
wireshark.exe    C:\path\to\Captures\netutils.dll
wireshark.exe    C:\path\to\Captures\srvcli.dll
wireshark.exe    C:\path\to\Captures\wkscli.dll
wireshark.exe    C:\path\to\Captures\dhcpcsvc6.DLL
wireshark.exe    C:\path\to\Captures\dhcpcsvc.DLL
dumpcap.exe    C:\path\to\Captures\USERENV.dll
dumpcap.exe    C:\path\to\Captures\profapi.dll
dumpcap.exe    C:\path\to\Captures\MPR.dll
dumpcap.exe    C:\path\to\Captures\UxTheme.dll
dumpcap.exe    C:\path\to\Captures\WINMM.dll
dumpcap.exe    C:\path\to\Captures\samcli.dll
dumpcap.exe    C:\path\to\Captures\MSACM32.dll
dumpcap.exe    C:\path\to\Captures\VERSION.dll
dumpcap.exe    C:\path\to\Captures\sfc.dll
dumpcap.exe    C:\path\to\Captures\sfc_os.DLL
dumpcap.exe    C:\path\to\Captures\dwmapi.dll
dumpcap.exe    C:\path\to\Captures\SHUNIMPL.DLL
dumpcap.exe    C:\path\to\Captures\SortServer2003Compat.dll
dumpcap.exe    C:\path\to\Captures\wpcap.dll
dumpcap.exe    C:\path\to\Captures\wpcap.dll
dumpcap.exe    C:\path\to\Captures\packet.dll
dumpcap.exe    C:\path\to\Captures\iphlpapi.dll
dumpcap.exe    C:\path\to\Captures\WINNSI.DLL
dumpcap.exe    C:\path\to\Captures\drivers\NPF.sys
dumpcap.exe    C:\path\to\Captures\dhcpcsvc6.DLL
dumpcap.exe    C:\path\to\Captures\dhcpcsvc.DLL
wireshark.exe    C:\path\to\Captures\ntmarta.dll

AirPcap.dll is missing because the PoC DLL was in the Captures directory at the
time, which means it loaded.

I don't think it's sufficient to prepend all of our LoadLibrary() /
g_module_open() calls with an explicit path. It looks like several of the
components we use call LoadLibrary() insecurely as well. I'm working on adding
a SetDllDirectory() call to each of our executables, but that doesn't protect
anything older than XP SP1.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
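The triage in the comment above (look for module loads attempted from the directory of the double-clicked file, and note which ones actually succeeded) can be automated over a Process Monitor CSV export. The script below is an added example, not part of the bug report or of Wireshark's code. It assumes the column headings Procmon writes with File > Save > CSV ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the sample rows embedded in it are constructed to mirror the pattern in the comment and are not the original trace. The function name `find_hijackable` and the capture directory `C:\path\to\Captures` are illustrative choices.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed Process Monitor CSV export (same column layout Procmon writes).
# These rows are made up for this example; they are not the trace from the bug.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.0000001 PM","wireshark.exe","4120","CreateFile","C:\\path\\to\\Captures\\riched20.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.0000002 PM","wireshark.exe","4120","CreateFile","C:\\Windows\\System32\\riched20.dll","SUCCESS","Desired Access: Read Attributes"
"1:02:03.0000003 PM","wireshark.exe","4120","CreateFile","C:\\path\\to\\Captures\\wpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.0000004 PM","wireshark.exe","4120","CreateFile","C:\\path\\to\\Captures\\test.pcap","SUCCESS","Desired Access: Generic Read"
"1:02:03.0000005 PM","wireshark.exe","4120","CreateFile","C:\\path\\to\\Captures\\airpcap.dll","SUCCESS","Desired Access: Read Attributes"
"1:02:03.0000006 PM","wireshark.exe","4120","Load Image","C:\\path\\to\\Captures\\airpcap.dll","SUCCESS","Image Base: 0x10000000"
"1:02:03.0000007 PM","dumpcap.exe","4188","CreateFile","C:\\path\\to\\Captures\\drivers\\NPF.sys","PATH NOT FOUND","Desired Access: Read Attributes"
"1:02:03.0000008 PM","dumpcap.exe","4188","CreateFile","C:\\Other\\dir\\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""

# Only loadable modules matter for hijacking; data files opened from the CWD
# (the capture itself) are expected and are ignored.
MODULE_SUFFIXES = {".dll", ".sys"}

# A probe that failed with either of these results means the loader looked in
# the directory and found nothing: planting a file of that name would satisfy it.
NOT_FOUND_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND"}


def _under(path: str, root: str) -> bool:
    """True if `path` lies inside `root` (Windows paths, case-insensitive)."""
    root_prefix = root.rstrip("\\").lower() + "\\"
    return path.lower().startswith(root_prefix)


def find_hijackable(procmon_csv: str, cwd: str) -> dict:
    """Scan a Procmon CSV export for module probes inside `cwd`.

    Returns {process_name: {"missing": [...], "loaded": [...]}} where
    "missing" lists module names the process probed for in `cwd` but did not
    find (hijack candidates) and "loaded" lists modules it actually mapped
    from `cwd` (a hijack already in effect, or a planted PoC DLL).
    Paths are reported relative to `cwd`, e.g. "drivers\\NPF.sys".
    """
    missing = defaultdict(set)
    loaded = defaultdict(set)
    prefix_len = len(cwd.rstrip("\\")) + 1

    for row in csv.DictReader(io.StringIO(procmon_csv)):
        path = row["Path"]
        if not _under(path, cwd):
            continue
        if PureWindowsPath(path).suffix.lower() not in MODULE_SUFFIXES:
            continue
        proc = row["Process Name"]
        rel = path[prefix_len:]
        if row["Operation"] == "CreateFile" and row["Result"] in NOT_FOUND_RESULTS:
            missing[proc].add(rel)
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            loaded[proc].add(rel)

    return {
        proc: {"missing": sorted(missing[proc]), "loaded": sorted(loaded[proc])}
        for proc in set(missing) | set(loaded)
    }


def report(findings: dict) -> str:
    """Render the findings as plain text, one line per process and module."""
    lines = []
    for proc in sorted(findings):
        for name in findings[proc]["loaded"]:
            lines.append(f"{proc}\tLOADED FROM CWD\t{name}")
        for name in findings[proc]["missing"]:
            lines.append(f"{proc}\tHIJACKABLE\t{name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_hijackable(SAMPLE_PROCMON_CSV, "C:\\path\\to\\Captures")))
```

To use it on a real trace, filter Procmon to the process(es) of interest, save as CSV, and pass the file contents together with the directory the capture was opened from. A module that appears in the "missing" list is one the loader was willing to take from that directory; one that appears in "loaded" has already been taken from there, which is why AirPcap.dll disappeared from the NAME NOT FOUND list in the comment once a PoC DLL was present.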