[llvm] [Windows] Avoid loading shared libraries from load directory (PR #90520)

Daniel Paoliello via llvm-commits llvm-commits at lists.llvm.org
Mon Apr 29 16:39:05 PDT 2024


================
@@ -43,6 +43,10 @@ InitLLVM::InitLLVM(int &Argc, const char **&Argv,
   assert(!Initialized && "InitLLVM was already initialized!");
   Initialized = true;
 #endif
+#ifdef _WIN32
+  // Avoid searching the directory from which the application is loaded.
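Review bot: the `+  // Avoid searching the directory from which the application is loaded.` comment should also name the loader setting the `#ifdef _WIN32` block applies and note that it changes DLL search behaviour for the whole process, not only for LLVM's own loads, since `InitLLVM::InitLLVM` runs early in every tool that uses it; citing the MSRC triage post linked in this thread would also document why the change is a defense-in-depth measure rather than a complete fix for application-directory DLL planting.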
----------------
dpaoliello wrote:

And official MSRC guidance <https://msrc.microsoft.com/blog/2018/04/triaging-a-dll-planting-vulnerability/>:
"A DLL planting issue that falls into this category, Application Directory DLL planting, is treated as Defense-in-Depth issue that will be considered for updates in future versions only. We resolve any MSRC case that fall in this category as vNext consideration, mainly due to the amount of social engineering involved in the attack and the by design nature of the bug. A victim would have to be tricked into placing the malicious DLL (malware) where it can be triggered AND perform a non-recommended action (like running an installer in the same directory as the malware). A non-installed application has no reference point for “known good directory/binaries”, unless it creates the directory itself. Ideally, the installer should create a temporary directory with a randomized name (to prevent further DLL planting), extract its binaries to it and use them to install the application. While an attacker can make use of a drive-by download to place the malware on the victim’s system, such as into the “Downloads” folder, the essence of the attack is social engineering."

https://github.com/llvm/llvm-project/pull/90520