oss-sec mailing list archives
DLL injection in Go < 1.12.2 [CVE-2019-9634]
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Tue, 9 Apr 2019 02:26:07 +0200
Hey folks, Golang before 1.12.2 linked against various DLLs that were same-directory injectable and generally its library loading mechanism did not use LoadLibraryEx, allowing the classic DLL injection attacks, especially with regards to executables saved to the Downloads/ folder [1]. It was assigned CVE-2019-9634 and fixed in [2] and [3]. It wasn't mentioned in the 1.12.2 release notes, so I'm mentioning it here instead. Jason [1] https://user-images.githubusercontent.com/10643/53921755-eb9e1a00-4071-11e9-83a7-058ceb008e55.gif [2] https://github.com/golang/go/commit/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c [3] https://github.com/golang/sys/commit/10058d7d4faa7dd5ef860cbd31af00903076e7b8
Current thread:
- DLL injection in Go < 1.12.2 [CVE-2019-9634] Jason A. Donenfeld (Apr 08)