cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows loads a different library or launches a different executable than was intended by the author of an InstallAnywhere setup launcher executable

Windows loads a different library or launches a different executable than was intended by the author of an InstallAnywhere setup launcher executable

Summary

Several issues can, under very specific conditions, cause Windows to load a different library or launch a different executable than was intended by the author of a setup launcher executable.

Synopsis

Several issues can, under very specific conditions, cause Windows to load a different library or launch a different executable than was intended by the author of a setup launcher executable.

Referencing a library by less than its full path. Example: requesting to load the library,
schannel.dll
instead of,
C:\Windows\System32\schannel.dll
This can cause a DLL Preloading issue. If there is a library with the name earlier in the search path than the intended library, the unintended library will be loaded.


Referencing an executable by less than its full path. Example: requesting to launch the executable,
wmplayer.exe
instead of,
?C:\Program Files\Windows Media Player\wmplayer.exe?
This can cause a Binary Planting issue. If there is an executable with the name wmplayer.exe earlier in the search path than the intended executable, the unintended executable will be launched.


Referencing an executable by its full path, but not quoting that full path when it contains space characters. Example: requesting to launch the executable,
C:\Program Files\Windows Media Player\wmplayer.exe
instead of,
?C:\Program Files\Windows Media Player\wmplayer.exe?
This can cause an Unquoted Path issue. If there is an executable with one of the following names (in quotes), that unintended executable will be launched instead of the intended executable. The other parts of the path will be mistaken as parameters:
?C:\Program.exe? Files\Windows Media Player\wmplayer.exe
?C:\Program Files\Windows.exe? Media Player\wmplayer.exe
?C:\Program Files\Windows Media.exe? Player\wmplayer.exe

This is usually called an Unquoted Service Path issue because even though a programmer can forget to put quotes around the path when launching any executable in any context, this happens most often when a setup author configures a service to be started by Windows and forgets to quote the service?s path.


Naming an executable setup.exe


Discussion

For a computer to be affected by these issues, an unauthorized person must (a) be able to place a library or executable on the computer, (b) choose the correct name of the library or executable, and (c) in some cases precisely time the placement.

If the unauthorized person?s access allows them to launch an executable with the privileges necessary for that executable to have its intended effect, they would simply launch that executable directly instead of using these methods to launch their library or executable indirectly.


InstallAnywhere Hotfix IOJ-1756928

This issue has been published as CVE-2016-4560.
Setup authors can avoid the DLL Preloading issue by (a) not creating setup launcher executables, or (b) by creating setup launcher executables built with InstallAnywhere Hotfix IOJ-1756928 and not using the name setup.exe for those executables. Setup launcher executables built using this hotfix call new Windows APIs which restrict the search path used to find libraries, even dependent libraries.

Setup authors can avoid the Binary Planting issue (a) by not creating setup launcher executables, or (b) by referencing the full path of each executable launched by a setup launcher executable.

Setup authors can avoid the Unquoted Service Path issue by quoting the full path of each executable which is registered as a service by a setup launcher executable.

InstallAnywhere Hotfix IOJ-1756928 may be downloaded from the following links:
Hotfix Installer for Windows
Hotfix Installer for Linux (32-bit)
Hotfix Installer for Linux (64-bit)
Hotfix Installer for Mac OS X
Hotfix Installer for Solaris Sparc

Additional Information

Labels (1)
Was this article helpful? Yes No
No ratings
Version history
Last update:
‎Nov 09, 2018 07:21 PM
Updated by: