From cf7f70c25d399ea3d194bcc7d8c797b609b53959 Mon Sep 17 00:00:00 2001
From: jonilaitinen
Date: Sun, 13 Feb 2022 13:26:55 +0800
Subject: [PATCH] win: restrict system DLL load paths (#3395)

Currently `LoadLibraryA` call first attempts to load the given DLL from the application working directory before loading it from the system DLL path. This may pose a security risk if an attacker is able to place a malicious DLL into the application working directory as that DLL will be loaded instead of the system DLL. This is especially dangerous if the application is running with elevated privileges. This changes the DLL loading to use `LoadLibraryExA` method with `LOAD_LIBRARY_SEARCH_SYSTEM32` flag which restricts the DLL load path to system DLL path, ignoring any DLLs in the application working directory.
---
 src/win/winapi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/win/winapi.c b/src/win/winapi.c
index bf306cd8..c04af61b 100644
--- a/src/win/winapi.c
+++ b/src/win/winapi.c
@@ -126,19 +126,19 @@ void uv_winapi_init(void) {
 kernel32_module, "GetQueuedCompletionStatusEx");
- powrprof_module = LoadLibraryA("powrprof.dll");
+ powrprof_module = LoadLibraryExA("powrprof.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
 if (powrprof_module != NULL) {
 pPowerRegisterSuspendResumeNotification = (sPowerRegisterSuspendResumeNotification) GetProcAddress(powrprof_module, "PowerRegisterSuspendResumeNotification");
 }
- user32_module = LoadLibraryA("user32.dll");
+ user32_module = GetModuleHandleA("user32.dll");
 if (user32_module != NULL) {
 pSetWinEventHook = (sSetWinEventHook) GetProcAddress(user32_module, "SetWinEventHook");
 }
- ws2_32_module = LoadLibraryA("ws2_32.dll");
+ ws2_32_module = GetModuleHandleA("ws2_32.dll");
 if (ws2_32_module != NULL) {
 pGetHostNameW = (uv_sGetHostNameW) GetProcAddress( ws2_32_module,
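Review bot: `GetModuleHandleA("user32.dll")` and `GetModuleHandleA("ws2_32.dll")` only return a handle when the DLL is already mapped into the process, so unlike the `LoadLibraryA` calls they replace they never load anything; if either module is absent when `uv_winapi_init` runs, the `!= NULL` guards leave `pSetWinEventHook` / `pGetHostNameW` unset with no signal. The hunk does not show that both DLLs are implicitly linked, and the description mentions only `LoadLibraryExA`, so I would state the assumption in a comment above each call, e.g. `/* user32.dll is expected to be loaded already (implicit link); GetModuleHandleA performs no path search. */`, or add a fallback such as `if (user32_module == NULL) user32_module = LoadLibraryExA("user32.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);`. Separately, `LOAD_LIBRARY_SEARCH_SYSTEM32` is rejected on Windows 7-era systems that lack the KB2533623 update, in which case the powrprof load would fail and be skipped silently; this is worth confirming against the project's supported Windows versions. The body of `uv_winapi_init` starts and ends outside this hunk.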