LoadLibraryEx() function calls [MSDN] allow you to dynamically load a library at runtime and use a specific algorithm to locate the library within the file system [MSDN]. It is possible for an attacker to place a file on the DLL search path such that your application inadvertently loads and executes arbitrary source code.
Noncompliant Code Example
If an attacker were to place a malicious DLL named MyLibrary.dll higher on the search path than where the library resides, she could trigger arbitrary code to execute either via the
DllMain() entrypoint (which is called automatically by the system loader) or by providing an implementation for
MyFunction(), either of which would run within the security context of your application. If your application runs with elevated privileges (such as a service application), an escalation of privileges could result.
By refusing to load a library unless it is located precisely where expected, you reduce the chance of executing arbitrary code when dynamically loading libraries. This compliant solution uses
LoadLibraryEx() to ensure that only the application and System32 directories are searched (eliminating other search paths such as the current directory or
PATH environment variable):
Depending on the version of Windows the application is run on, failure to properly specify the library can lead to arbitrary code execution.
|Use care to ensure that LoadLibrary() will load the correct library|
|Polyspace Bug Finder|
Using a library argument from an externally controlled path
Library loaded with relative path is vulnerable to malicious attacks