Vigil@nce - cURL: code execution via DLL searching
August 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can hijack the Winbdows DLL loading mechanism as used
by cURL, in order to run code.
Impacted products: cURL.
Severity: 2/4.
Creation date: 30/05/2016.
DESCRIPTION OF THE VULNERABILITY
The product cURL is a multiprotocol client library.
On MS-Windows platforms, cURL may load some system libraries
dynamically, on demand. However, the Windows function used for
that, namely LoadLibrary, defaults to an insecure search path,
including unprotected locations. This allows a user to plant a DLL
with the same name, as "ws2_32.dll", that the searched one. This
library will be found before the real one.
An attacker can therefore hijack the Winbdows DLL loading
mechanism as used by cURL, in order to run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/cURL-code-execution-via-DLL-searching-19724