nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 01:48:00 +00:00
Code Issues Projects Releases Wiki Activity

Load winmm.dll (for PlaySound()) at run time.

Browse Source 
It's not on the default list of important system 'known DLLs' stored
at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs (see
https://isc.sans.edu/forums/diary/DLL+hijacking+vulnerabilities/9445/ )
which apparently makes it exempt from Windows's standard DLL hijacking
defence, i.e. if an executable links against it in the normal way then
that executable will be vulnerable to DLL hijacking from a file called
winmm.dll in the same directory as it.

The solution is to load it dynamically _after_ we've locked down our
DLL search path, which fortunately PuTTY's code base is well used to
doing already for other DLLs.
This commit is contained in:
Simon Tatham 2017-03-13 21:24:06 +00:00
parent b189df947d
commit 73039b7831
2 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Recipe
View File

@ -274,7 +274,7 @@ CHARSET = sbcsdat slookup sbcs utf8 toucs fromucs xenc mimeenc macenc localenc
# Standard libraries.
LIBS = advapi32.lib user32.lib gdi32.lib comctl32.lib comdlg32.lib
+ shell32.lib winmm.lib imm32.lib winspool.lib ole32.lib
+ shell32.lib imm32.lib winspool.lib ole32.lib
# Network backend sets. This also brings in the relevant attachment
# to proxy.c depending on whether we're crypto-avoidant or not.

8
windows/window.c
View File

@ -3949,12 +3949,14 @@ int char_width(Context ctx, int uc) {
DECL_WINDOWS_FUNCTION(static, BOOL, FlashWindowEx, (PFLASHWINFO));
DECL_WINDOWS_FUNCTION(static, BOOL, ToUnicodeEx,
(UINT, UINT, const BYTE *, LPWSTR, int, UINT, HKL));
DECL_WINDOWS_FUNCTION(static, BOOL, PlaySound, (LPCTSTR, HMODULE, DWORD));
static void init_winfuncs(void)
{
HMODULE user32_module = load_system32_dll("user32.dll");
HMODULE winmm_module = load_system32_dll("winmm.dll");
GET_WINDOWS_FUNCTION(user32_module, FlashWindowEx);
GET_WINDOWS_FUNCTION(user32_module, ToUnicodeEx);
GET_WINDOWS_FUNCTION_PP(winmm_module, PlaySound);
}
/*
@ -5540,8 +5542,8 @@ void do_beep(void *frontend, int mode)
lastbeep = GetTickCount();
} else if (mode == BELL_WAVEFILE) {
Filename *bell_wavefile = conf_get_filename(conf, CONF_bell_wavefile);
if (!PlaySound(bell_wavefile->path, NULL,
SND_ASYNC | SND_FILENAME)) {
if (!p_PlaySound || !p_PlaySound(bell_wavefile->path, NULL,
SND_ASYNC | SND_FILENAME)) {
char buf[sizeof(bell_wavefile->path) + 80];
char otherbuf[100];
sprintf(buf, "Unable to play sound file\n%s\n"