DLLL HIJACKING Audacity 2.1.2

[steve]

you can make a user open a Audacity-Project on a Network Share with 3 simple clicks

That's not the same as loading a dll.
If I try to open a file that is actually a dll and not a project, all that happens is that Audacity gives an error message saying that it can't be opened because it's not a valid project.

[colebantam]

you can make a user open a Audacity-Project on a Network Share with 3 simple clicks

That's not the same as loading a dll.
If I try to open a file that is actually a dll and not a project, all that happens is that Audacity gives an error message saying that it can't be opened because it's not a valid project.

Yes, but as I have pointed out several times, when a user opens a project, Audacity loads several DLLs that are in the same folder as the project too. So, an attacker puts an Audacity project on a network share and makes Users open it. Next to the project is a malicious DLL. Audacity loads that DLL because it doesn't check its location and bang, the user (victim) runs code of the attacker on his machine.

[steve]

Audacity loads several DLLs that are in the same folder as the project too

I can't reproduce that.

[colebantam]

Audacity loads several DLLs that are in the same folder as the project too

I can't reproduce that.

What is your test-setup like?

[steve]

I'm on Linux, but I'd be interested to see a proof of concept on any platform.

[colebantam]

I'm on Linux, but I'd be interested to see a proof of concept on any platform.

Well, it's kind of obvious, that a DLL-Issue does not affect Linux
On Windows I have proven that its easy to embed a Link to a project which resides on a network share and make it possible for users to open the project with three clicks. I also provided evidence, that Audacity (on Windows) loads the DLLs from the remote Path. What I can't deliver is a hacked DLL that opens Calc.exe for example, as said, I'm not a developer. But do we really want to wait until someone comes up with a working Zero Day exploit?

[Gale Andrews]

Please, just post to audacity-devel or do nothing. Certainly, stop posting here. The developers won't see it here so you're wasting your time and everyone else's.


Gale

Network shares are assumed trusted, if it's a local network at home

Well, thats the point -> that is wrong. The Share on my Test was on a different network outside the Nat-Network of the Test-Client. You can simply test that on your own: Even if you have network sharing disabled, you should still be able to access this site:

\\live.sysinternals.com\Tools

Disabling the Network Sharing on Windows has only effect on your own shares, not on shares on other machines or shares on public hosts.

I think the developers really should be pointed to this, but only when Steve and Gale confirm/agree, that this is more then just a minor issue. Because the Dev's surely will listen much more to Steve/Gale, then to me

Greets, Claus

[steve]

I also provided evidence, that Audacity (on Windows) loads the DLLs from the remote Path.

You've only shown evidence that Audacity can open a remote project, which is a world of difference from dynamically linking to a remote library.
If you can demonstrate that Audacity is vulnerable to DLL hijacking on a machine that is not already compromised, then the developers would probably be interested in that, but to my knowledge, no such evidence exists. If a user is tricked into downloading a malicious library and placing it in the library path, then for all practical purposes that is no different from tricking a user into downloading a trojan executable, and the only remedy for that is to educate people to adopt safety aware on-line practice, as outlined on our website: http://www.audacityteam.org/download/on ... wnloading/

As Gale wrote, the developers do not read this forum, so the most that can be achieved by continuing to post here is to spread fear, uncertainty and doubt among users, when what is actually required is information and education about safe practice.

If you have new information regarding the security of Audacity, please contact our developers directly.

[Gale Andrews]

If you are in a coffee shop, the local network should be assumed untrusted and sharing should be disabled.

And just to add, setting the network to "public" will do that and turn off network discovery.


Gale

[colebantam]

Please, just post to audacity-devel or do nothing. Certainly, stop posting here. The developers won't see it here so you're wasting your time and everyone else's.

Well, it sadly seems that I really wasted my time
Two Persons and one Security Research Business couldn't manage to make you see the danger for Audacity Users on Windows, so seems like they will stay at risk for a long time