SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

The LoadLibrary() or LoadLibraryEx() function calls [MSDN] allow you to dynamically load a library at runtime and uses a specific algorithm to locate the library within the file system [MSDN].  It is possible for an attacker to place a file on the DLL search path such that your application inadvertently loads and executes arbitrary source code.

Noncompliant Code Example

#include <Windows.h>
 
void func(void) {
  HMODULE hMod = LoadLibrary(TEXT("MyLibrary.dll"));
  if (hMod != NULL) {
    typedef void (__cdecl func_type)(void);
    func_type *fn = (func_type *)GetProcAddress(hMod, "MyFunction");
    if (fn != NULL)
      fn();
  }
}

If an attacker were to place a malicious DLL named MyLibrary.dll higher on the search path than where the library resides, they could trigger arbitrary code to execute either via the DllMain() entrypoint (which is called automatically by the system loader), or by providing an implementation for MyFunction(), either of which would run within the security context of your application.  If your application runs with elevated privileges (such as a service application), this can cause an escalation of privileges.

 Compliant Solution

By refusing to load a library unless it is located precisely where expected, you reduce the chance to execute arbitrary code when dynamically loading libraries.  The following code example uses LoadLibraryEx() to ensure that only the application and System32 directories are searched (eliminating other search paths such as the current directory or PATH environment variable).

#include <Windows.h>
 
void func(void) {
  HMODULE hMod = LoadLibraryEx(TEXT("MyLibrary.dll"), NULL,
                               LOAD_LIBRARY_SEARCH_APPLICATION_DIR |
                               LOAD_LIBRARY_SEARCH_SYSTEM32);
  if (hMod != NULL) {
    typedef void (__cdecl func_type)(void);
    func_type *fn = (func_type *)GetProcAddress(hMod, "MyFunction");
    if (fn != NULL)
      fn();
  }
}

Risk Assessment

Depending on the version of Windows the application is run on, failure to properly specify the library can lead to arbitrary code execution.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

WIN00-C

high

unlikely

low

P9

L2

Automated Detection

Tool

Version

Checker

Description

CodeSonar8.1p0

BADFUNC.PATH.AFXLOADLIBRARY

BADFUNC.PATH.COLOADLIBRARY

BADFUNC.PATH.LOADLIBRARY

Use of AfxLoadLibrary

Use of CoLoadLibrary

Use of LoadLibrary

Related Guidelines

  

Bibliography

  

 

  • No labels