Windows Squirrel exe Installer having Vulnerability Issue with urlmon.dll is not found

[vyadav3]

Hi,

We have windows application developed using WPF (.Net Framework 4.8) and we have reported the Vulnerability Issue with the installer of this application.

So user downloads our installer (normally it's download folder) and double click to install it. It looks for urlmon.dll in the current directory and if any attacker place any Malicious dll with same name then it will be loaded first. So we created a proxy dll with name urlmon.dll which opens Calculator.

We were using urlmon.dll like below.

and when we run installer and check in procmon, it displays that urlmon is not found.

I have tried many ways so that it can look for urlmon into System Directory first, not in installer folder but any solution did not worked till now.
Also I have asked same thing on Microsoft Forums and they said it is the issue on Squirrel. Link:
https://docs.microsoft.com/en-us/answers/questions/812196/windows-exe-installer-having-vulnerability-issue-w.html?childToView=812422#comment-812422

I am stuck now completely, any help will be appreciated.

[ericstj]

Have a look at https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.defaultdllimportsearchpathsattribute that might help your scenario.

[anaisbetts]

URLMon in this case is probably used by the C++ code in Setup.exe. There are similar mitigations for other DLLs, this one probably needs to be mitigated as well

[robmen]

I thought all the system DLLs were mitigated a long time ago. I'll take this, check it, and (if not) fix it.

[anaisbetts]

If it is the case, we probably need to delay-load urlmon.lib then explicitly LoadLibrary it via a full path (right? Am I remembering how to fix this correctly?)

[robmen]

@anaisbetts Yes.

[robmen]

@vyadav3 Could you try out the latest build to see if it addresses your urlmon.dll hijack: https://github.com/Squirrel/Squirrel.Windows/actions/runs/2416919466 (download the artifacts from that build, it will contain the latest Squirrel.nupkg).

[vyadav3]

Hi @robmen Thanks for the build. We will test it and get back to you.

[vyadav3]

Hi @robmen ,
Unfortunately, the issue is still reproducible on given artifacts.

[robmen]

@vyadav3 Hmm, I must be doing something wrong in my repro. Can you please provide a small sample application and all the files you use to reproduce this problem? It'd be great if you could put them into a GitHub repo for me to clone and build.

[vyadav3]

Hi @robmen ,

I have created one repo and put all the needed things there so you can test it. I have also added one video to show the issue.
you only need to place urlmon.dll and exe installer into same folder.
https://github.com/vyadav3/urlmonIssue