Versions Compared

The LoadLibrary() and LoadLibraryEx() function calls [MSDN] allow you to dynamically load a library at runtime and use a specific algorithm to locate the library within the file system [MSDN]. It is possible for an attacker to place a file on the DLL search path such that your application inadvertently loads and executes arbitrary code.

...

If an attacker were to place a malicious DLL named MyLibrary.dll higher on the search path than where the library resides, they could trigger arbitrary code to execute either via the DllMain() entry point (which is called automatically by the system loader) or by providing an implementation for MyFunction(), either of which would run within the security context of your application. If your application runs with elevated privileges (such as a service application), an escalation of privileges could result.

Compliant Solution

By refusing to load a library unless it is located precisely where expected, you reduce the chance of executing arbitrary code when dynamically loading libraries. This compliant solution uses LoadLibraryEx() to ensure that only the application and System32 directories are searched (eliminating other search paths such as the current directory or the PATH environment variable):

#include <Windows.h>
 
void func(void) {
  /* Restrict the search to the application directory and System32; the
     current directory and the PATH directories are not consulted. */
  HMODULE hMod = LoadLibraryEx(TEXT("MyLibrary.dll"), NULL,
                               LOAD_LIBRARY_SEARCH_APPLICATION_DIR |
                               LOAD_LIBRARY_SEARCH_SYSTEM32);
  if (hMod != NULL) {
    typedef void (__cdecl func_type)(void);
    /* Resolve the export by name and call it only if it is present. */
    func_type *fn = (func_type *)GetProcAddress(hMod, "MyFunction");
    if (fn != NULL)
      fn();
  }
}
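The checkers listed under Automated Detection below flag LoadLibrary*() calls that do not pin down where the library comes from. As an added example (not part of the CERT page and not the code of any listed tool), the following Python script performs that kind of source audit: it finds each LoadLibrary*() call in C source and reports it as safe only when the library is named by an absolute path or the LoadLibraryEx() flags restrict the search path. Which LOAD_LIBRARY_SEARCH_* flags count as restricting, and the sample source, are this example's own assumptions.

```python
import re
# LoadLibraryEx flags that exclude the current directory and PATH from the search
# (documented LOAD_LIBRARY_SEARCH_* names; treating these as safe is this example's choice).
SAFE_FLAGS = {"LOAD_LIBRARY_SEARCH_APPLICATION_DIR", "LOAD_LIBRARY_SEARCH_SYSTEM32",
              "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR", "LOAD_LIBRARY_SEARCH_USER_DIRS",
              "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS"}
CALL_RE = re.compile(r"\b(LoadLibrary(?:Ex)?[AW]?)\s*\(")
ABSOLUTE_RE = re.compile(r'"[A-Za-z]:[\\/]')  # literal that starts with a drive letter
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|.', re.S)  # one C string literal or one character

def split_args(src, start):
    """Split the call whose '(' is at src[start] into its top-level arguments."""
    depth, args, arg = 0, [], []
    for t in (m.group() for m in TOKEN_RE.finditer(src, start)):
        if t == "(" and depth == 0:
            depth = 1                  # the call's own opening parenthesis
        elif t == ")" and depth == 1:
            args.append("".join(arg).strip())
            return args
        elif t == "," and depth == 1:
            args.append("".join(arg).strip())
            arg = []
        else:                          # nested calls such as TEXT(...) stay inside the argument
            depth += (t == "(") - (t == ")")
            arg.append(t)
    return args

def audit(src):
    """Return (line, function, verdict, reason) for each LoadLibrary* call in C source."""
    findings = []
    for m in CALL_RE.finditer(src):
        fn, args = m.group(1), split_args(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        flags = set(re.findall(r"\w+", args[2])) if len(args) >= 3 else set()
        if not args or '"' not in args[0]:
            findings.append((line, fn, "review", "path is not a literal; verify it is absolute"))
        elif ABSOLUTE_RE.search(args[0]):
            findings.append((line, fn, "ok", "absolute path"))
        elif fn.startswith("LoadLibraryEx") and flags & SAFE_FLAGS:
            findings.append((line, fn, "ok", "search restricted by LOAD_LIBRARY_SEARCH_* flags"))
        else:
            findings.append((line, fn, "warn", "relative name resolved on default DLL search path"))
    return findings

# Constructed sample: the page's compliant call, two noncompliant calls and one absolute path.
SAMPLE = r'''HMODULE a = LoadLibraryEx(TEXT("MyLibrary.dll"), NULL,
                          LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32);
HMODULE b = LoadLibrary(TEXT("MyLibrary.dll"));
HMODULE c = LoadLibraryW(L"C:\\App\\MyLibrary.dll");
HMODULE d = LoadLibraryEx(path, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);'''
```

Running audit(SAMPLE) reports the first and third calls as ok, the plain LoadLibrary() call as warn, and the call with a non-literal path as review, since a static check cannot tell whether that path is absolute.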

...

Depending on the version of Windows the application is run on, failure to properly specify the library can lead to arbitrary code execution.

Recommendation  Severity  Likelihood  Remediation Cost  Priority  Level
WIN00-C         High      Unlikely    Low               P9        L2

Automated Detection

Tool                  Checker                          Description
CodeSonar             BADFUNC.PATH.AFXLOADLIBRARY      Use of AfxLoadLibrary
                      BADFUNC.PATH.COLOADLIBRARY       Use of CoLoadLibrary
                      BADFUNC.PATH.LOADLIBRARY         Use of LoadLibrary
Klocwork              SV.DLLPRELOAD.NONABSOLUTE.DLL
                      SV.DLLPRELOAD.NONABSOLUTE.EXE
                      SV.DLLPRELOAD.SEARCHPATH
Parasoft C/C++test    CERT_C-WIN00-a                   Use care to ensure that LoadLibrary() will load the correct library
PC-lint Plus          586                              Fully supported
Polyspace Bug Finder  CERT C: Rec. WIN00-C             Checks for:
                                                         • Load of library from a relative path can be controlled by external actor
                                                         • Library loaded from externally controlled path.
                                                       Rec. partially covered.

Related Guidelines



Bibliography
