Notepad++ acknowledged this DLL hijack vulnerability:
https://wikileaks.org/ciav7p1/cms/page_26968090.html
I don't get from the description how it works. As a Notepad++ user I am concerned and as a developer myself I am curious too.
There is a general DLL hijack explanation here - What is dll hijacking?. A bit too general.
Does it mean that to effectively exploit this vulnerability the attacker has to first have control over my PC, using a different vector of attack, to plant a malicious version SciLexer.dll (?) into DLL search path?
If the attacker have already such power over my PC why he would bother with Notepad++. Why not to go after more core libraries or even system ones?
I also don't get implications of this remark in the WikiLeak text: For the life of me, I couldn't get this function [Scintilla_DirectFunction(..)] to be called. If this is the only exported function in that DLL, the only one called by Notepad core, how come that is is not called? That would mean also that malicious code would not be called either.
Was hacked SciLexer.dll ever actually detected, hacked by CIA or anyone else, or it is only a discovered possibility?
Also Notepad++ team in the latest release 7.3.3, in release notes claims that they "Fix CIA Hacking Notepad++ issue". Any ideas how they could do it?
A DLL hijacking attack is simple: Consider your download directory that contains many files.
If someone manages to make you download the manipulated SciLexer.dll dll it will be most likely be downloaded into your download directory. You don't do anything with the file after download, the file just remains where it has been downloaded.
Later you download a txt file from somewhere on the net and this file is also placed in the download directory.
If you now open the explorer and double click the downloaded txt file the current directory is the download directory. The dll hijack vulnerable Notepad++ version would then search for the SciLexer.dll file to be loaded in the current directory (which is now the download directory). Therefore Notepad++ would load the manipulated SciLexer.dll that you downloaded previously.
Regarding the fix you can look at the source code changes that fixes the bug.
It seems like the Nodepad++ team changed the way this dll is loaded and additionally they added a certificate check of the SciLexer.dll.
Related
I had a perfectly normal file. I downloaded pyinstaller, created a .exe with it, and wanted to share it. I uploaded it to dropbox, filehopper and one more (cant remember which) each time i tried to share it. Every single time, when i download the file to check if it works, my computer says trojan virus detected and quarantines the file. How do I fix/whats wrong??? TIA
This is not trouble with python or .exe - this is antivirus policy. If you want to distribute your app/program you need certificate. Or you can tell your clients to disable AV (very bad solution - your reputation and trust may be trashed). Best way is to redistribute python programs is as-is with .py or (if there is need for compiling) in source format - let the clients do rest of work - open source. If you need closed source app - you buy certificate.
We hold our landing page on Azure and it is for users to download an Android apk file. This landing page is a html file. Here is the markup for users to download:
download here
It all works fine until now. Users start to complain that the app they downloaded cannot work properly. But when we tested, it works fine.
Finally we find out that, although the link is
http://www.[mysite].com/android/[MyAndroidApp].apk
but sometimes when user click it, it goes to
http://101.44.1.131/cloud/223.210.55.28/files/9216...636//www.[mysite].com/android/[MyAndroidApp].apk
This is a buffer and holds an old version of our app!
Can anyone tell me why this happen and how can I prevent it buffer our old version?
How often do you update this apk file?
May be a caching issue, but not sure exactly.
Have you tried using Azure storage? Upload the file on there, and then link directly to it.
Should cost you less in the long run and not cause any buffering/cache issues
I would suggest you try to put version numbers after your filename. This is also a good practice for .js files. A problem is very often that it's cached and the cache not updated correctly. It's a general problem in the web.
So. Try to put version numbers after the file name, and let us know if this works.
Thank you all for your suggestions.
We have found the reason. Looking at the redirect url, it is actually some ISPs cached our apk files. They are doing this so that they can save themselves money and bandwidth. This is a common practice in some countries and is well documented.
How evil it is.
Our solution is thus change the file name very time we deploy a new version.
We have a Libraries folder where we keep third-party DLLs and our own utility DLLs for all applications to reference. I want to do development against one of our utility DLLs and an application that consumes it at the same time. But if I check out the library DLL to change it for temporary local use, TFS insists on checking it out exclusively, which trips other people up. I understand the reasoning behind it doing that (hard/impossible to merge a DLL, so two people shouldn't be working on one at the same time), but I just want to mess with my local copy while I'm working on the library it represents.
I suppose I could delete my application's reference to the DLL and recreate the reference pointing to some other place, but of course this just begs for me to forget and check it in like that, which would obviously be bad. Not to mention that this is a pain in the neck.
How should I proceed in such a situation?
You are using a server workspace that does not allow editing outwith TFS. In TFS 2012 local workspaces were introduced which do not have a read only flag for files and you are free to edit at will.
You can change your existing workspace in a few clicks: http://msdn.microsoft.com/en-us/library/bb892960.aspx
You could just go into the file system and mark the file as writeable. Once you are happy the binary is good you could check it out, copy the new version of the file over and check it back in again. TFS marks binary files like this as locked for good reason, as you can't merge them in the way you can with textual content.
The best approach would be to use a NuGet repository to manage your binary dependencies, instead of relying on binaries checked into source control.
On my webpage, I have placed a link to a local file (e.g. "text.docx" on my local HD). I would like to double click on this link, and have a third party software which is installed locally on my PC (e.g. Microsoft Word) open it.
I would like to be able to do this with Firefox and Google Chrome. Obviously, I am a newbie to web programming.. can somebody show me the way? I have looked around and had the impression that I need to write and add an extension, maybe?
Thanks for your time. Jakob
This is only possible if you know either the absolute path to the file or the relative path from whatever working directory your browser runs from. You the create a link with
href="file://relative/path/to/file/text.docx"
or
href="file:///absolute/path/to/file/text.docx"
and any modern browser will query the system database for the mimetype of the file depending on its extension, thus prompting to open the correct application.
EDIT
I inawarently introduced a unixism in the previous code: Distinction bewteen absolute and realtive paths as above works well on current *nix desktops, but in Windows an absolute path will most likely look like
href="file://C:/drive/absolute/path/to/test.docx"
Mind the 2 (not 3) slashes a the beginning, and the forward (not backward) slashes.
As far as I know, you can't link to local files from a website. If you upload it to where your files are, you could then be able to download it.
I was able to execute code locally, using Firefox, by adding an extension which used the XPCOM interface. One such extension was "commandrun", and may be found here: https://github.com/aabeling/commandrun .
I would like to start checking that the open source projects that I am using in my apps are what the developers released. I noticed that many projects have a SHA1 and MD5 digests presumably these can be easily tampered with for example if a hacker replaces the orginial zip file on a mirror they can also replace the .md5 and .sha1.
How can I check the integrity of third party open source libraries that I depend on?
I think , there is No trusted way for this, since the hacker may change the source files and its (md5 or sh1) files. He simply may replace the whole project with another one.
so , download the source from trusted sites such as sourceforg and code.google.com and codeproject and mirrors recommended by these sites.
typically an open source project, although open to all to download and modify themselves, the ability to actually change the uploaded files is restricted to certain individuals governed by the project owner.
A good example is https://github.com/thecodemine/formwizard, where you can see a read-only link, but cannot modify directly unless authorised.
However you can fork the project to your own account and modify as you wish, for example https://github.com/AlexKey/formwizard
I'm also guessig on large open source projects like linux distributions for example, even code / files uploaded by authorised individuals will also go through stringent reviews before official release.
A hacker of course on comprosising a system could change files at will, but this isn't a weakness of an opensource model but instead could be a problem for any project.
Also things like Code signing help detect unauthorised modification.
http://en.wikipedia.org/wiki/Code_signing
Code signing is the process of digitally signing executables and
scripts to confirm the software author and guarantee that the code has
not been altered or corrupted since it was signed by use of a
cryptographic hash.
You have not Googled your question. If you do so you'll get a lot of content about it. The link below will teach you how to check the integrity of a downloaded file.
https://help.ubuntu.com/community/HowToMD5SUM
You may also check the following link, which shows that it is very difficult to modify or replace the .md5 and .sh1 files.
Here's the link.