Windows Squirrel exe Installer having Vulnerability Issue with urlmon.dll is not found #1801
Comments
Have a look at https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.defaultdllimportsearchpathsattribute that might help your scenario.
URLMon in this case is probably used by the C++ code in Setup.exe. There are similar mitigations for other DLLs; this one probably needs to be mitigated as well.
I thought all the system DLLs were mitigated a long time ago. I'll take this, check it, and (if not) fix it.
If it is the case, we probably need to delay-load urlmon.lib then explicitly LoadLibrary it via a full path (right? Am I remembering how to fix this correctly?)
@anaisbetts Yes.
@vyadav3 Could you try out the latest build to see if it addresses your urlmon.dll hijack: https://github.com/Squirrel/Squirrel.Windows/actions/runs/2416919466 (download the
Hi @robmen Thanks for the build. We will test it and get back to you.
Hi @robmen,
@vyadav3 Hmm, I must be doing something wrong in my repro. Can you please provide a small sample application and all the files you use to reproduce this problem? It'd be great if you could put them into a GitHub repo for me to clone and build.
Hi @robmen, I have created one repo and put all the needed things there so you can test it. I have also added one video to show the issue.
Hi,
We have a Windows application developed using WPF (.NET Framework 4.8) and we have reported a vulnerability issue with the installer of this application.
The user downloads our installer (normally into the download folder) and double-clicks to install it. It looks for urlmon.dll in the current directory, and if an attacker places a malicious DLL with the same name there, it will be loaded first. So we created a proxy DLL named urlmon.dll which opens Calculator.
We were using urlmon.dll like below.
When we run the installer and check in Procmon, it shows that urlmon is not found.
I have tried many ways to make it look for urlmon in the system directory first, not in the installer folder, but no solution has worked so far.
I have also asked the same thing on the Microsoft forums and they said it is an issue in Squirrel. Link:
https://docs.microsoft.com/en-us/answers/questions/812196/windows-exe-installer-having-vulnerability-issue-w.html?childToView=812422#comment-812422
I am completely stuck now; any help will be appreciated.
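
The Procmon check described in this issue can be automated when verifying an installer build. The following is an added example, not code from the issue or from Squirrel. It assumes a trace exported with Procmon's default CSV columns and Windows installed at `C:\Windows`; the sample rows and the name `find_planting_candidates` are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: Windows is installed in the default location.
SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")

# Constructed sample rows in Procmon's default CSV export column layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Setup.exe","4312","CreateFile","C:\Users\demo\Downloads\urlmon.dll","NAME NOT FOUND",""
"10:01:02.2","Setup.exe","4312","CreateFile","C:\Windows\SysWOW64\urlmon.dll","SUCCESS",""
"10:01:02.3","Setup.exe","4312","Load Image","C:\Windows\SysWOW64\urlmon.dll","SUCCESS",""
"10:01:02.4","Setup.exe","4312","CreateFile","C:\Users\demo\Downloads\plugin.dll","NAME NOT FOUND",""
"10:01:02.5","Setup.exe","4312","CreateFile","C:\Users\demo\Downloads\app.config","NAME NOT FOUND",""
"10:01:02.6","Setup.exe","4312","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
'''


def find_planting_candidates(csv_text):
    """Return sorted (process, probed path) pairs: DLL probes that missed in a
    non-system directory although the same process found that DLL name under
    the Windows directory. A file placed at the probed path would load first."""
    missed = defaultdict(set)  # (process, dll name) -> non-system paths probed
    in_system = set()          # (process, dll name) found under SYSTEM_ROOT
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["Path"])
        if path.suffix.lower() != ".dll":
            continue
        key = (row["Process Name"], path.name.lower())
        if SYSTEM_ROOT in path.parents:  # Windows paths compare case-insensitively
            if row["Result"] == "SUCCESS":
                in_system.add(key)
        elif row["Result"] in ("NAME NOT FOUND", "PATH NOT FOUND"):
            missed[key].add(str(path))
    return sorted(
        (proc, probed)
        for (proc, name), paths in missed.items()
        if (proc, name) in in_system
        for probed in paths
    )


if __name__ == "__main__":
    for proc, probed in find_planting_candidates(SAMPLE_CSV):
        print(f"{proc}: system DLL probed outside the Windows directory: {probed}")
```

An empty result on a trace of the fixed Setup.exe indicates that system DLLs are no longer probed in the download folder.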