DLLL HIJACKING Audacity 2.1.2

[Gale Andrews]

With no installation of LAME or FFmpeg, and clean audacity.cfg for each test, I have now tested three setups.

1. Loading a project from a Linux machine on my local network.
2. Loading a project stored on my FTP server on the internet, where the server is a folder that appears on the computer as an unmapped "network location". This was created using "Map Network Drive" then not mapping, but following the instructions "Connect to a Web site that you can use to store your documents and pictures".
3. Loading a project stored on my FTP server on the internet, where the server is a mapped network drive with a drive letter. This allows accessing the project by internet UNC path "\\WINDOWS-10-PRO\<ftp server name>\httpdocs\dll\tone.aup"

In all cases, the folder containing the project also contains lame_enc.dll and avformat-55.dll.

In short, none of the scenarios loaded lame_enc.dll or avformat-55.dll into audacity.exe. I tried opening the project from File > Open... in Audacity, executing the AUP file from its folder, and executing Audacity at the command-line by calling the UNC path to the AUP file (for cases 1 and 3).


Gale

[colebantam]

As it seems like Gale and Steve are not able to reproduce the scenario so far, I decided to brake this up into two parts. First demonstrating that Audacity loads DLLs from the Project-Path, and keeping the Remote-Stuff for later when you both can reproduce this one. Honestly I'm super surprised that it didn't work on Steve's, because this works for me on a clean install of Windows 10 x64 (1703) with Audacity (and VBox Guest Addons) installed only, 100% every time I try. To demonstrate that I'm not dreaming, I captured a video showing all the steps.

And please don't bother me gain with "but in this scenario, an attacker would have to place the DLLs on the victims machine first". Yes, I know that. As said, its a simplified demonstration, and I'll dig into the remote stuff once Gale and Steve can reproduce this (local) one.

[steve]

I captured a video showing all the steps

I can't reproduce that on Linux because Audacity has been built with dynamic loading disabled.

I'd expect (but not tested) those steps to 'work' on Windows because you have launched Audacity from the Desktop, making that the "working directory", and you have placed the DLLs into that directory. Adding a file path parameter when launching Audacity does not set the working directory to that file path.

[colebantam]

Adding a file path parameter when launching Audacity does not set the working directory to that file path.

Sorry (for my poor english?), I don't understand what you want to tell me with that sentence. Its seems like that one of your sentences denies the other one. Because one line says "because you have launched Audacity from the Desktop, making that the 'working directory'" and then you write something that seems to tell the opposite "Adding a file path parameter when launching Audacity does not set the working directory to that file path". I'm confused...

[Gale Andrews]

I captured a video showing all the steps.

Using the steps (the shortcut to Audacity on the Desktop is not a required step), Audacity loads the three av* files, but not lame_enc.dll. The log shows Audacity does not see lame_enc.dll on the Desktop, only C:\WINDOWS\SYSTEM32\lame_enc.dll, which does not load because it does not have sufficient symbols. Please post the Audacity log (Help > Show Log...) so we can see where your lame_enc.dll is being loaded from.

Arbitrary DLL's such as twain_32.dll on the Desktop are not loaded.

The av* files are only loaded if I launch Audacity by double-clicking the AUP file.

The av* files are not loaded if I execute Audacity from wherever Audacity is, and then open the project, unless of course I put the av* files in the directory where Audacity is, in which case there is no need for the AUP file to be present to load the DLL's. This is the difference that Steve explained to you.

I see that if I put lame_enc.dll in the directory where Audacity is, LAME does load, as expected.


Gale

[colebantam]

Using the steps (the shortcut to Audacity on the Desktop is not a required step), Audacity loads the three av* files, but not lame_enc.dll. The log shows Audacity does not see lame_enc.dll on the Desktop, only C:\WINDOWS\SYSTEM32\lame_enc.dll, which does not load because it does not have sufficient symbols. Please post the Audacity log (Help > Show Log...) so we can see where your lame_enc.dll is being loaded from.

- The desktop shortcut to audacity is just used for convenience, of course I could have started it from the start menu too.
- On typical systems, there is no file "C:\WINDOWS\SYSTEM32\lame_enc.dll". If you delete (or temporarily rename) it, the "lame_enc.dll" from desktop should be loaded.

Here's the Logfile content:

18:44:58: Audacity 2.1.3
18:44:58: Trying to load FFmpeg libraries...
18:44:58: Trying to load FFmpeg libraries from system paths. File name is 'avformat-55.dll'.
18:44:58: Looking up PATH environment variable...
18:44:58: PATH = 'C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\xxxxxxx\AppData\Local\Microsoft\WindowsApps;'
18:44:58: Checking that '' is in PATH...
18:44:58: FFmpeg directory is in PATH.
18:44:58: Checking for monolithic avformat from 'avformat-55.dll'.
18:44:58: Fehler: Kann Symbol 'avutil_version' in der dynamischen Bibliothek nicht finden (Fehler 127: die angegebene Prozedur wurde nicht gefunden.)
18:44:58: Fehler: Kann Symbol 'avcodec_version' in der dynamischen Bibliothek nicht finden (Fehler 127: die angegebene Prozedur wurde nicht gefunden.)
18:44:58: avformat not monolithic
18:44:58: Loading avutil from 'avutil-52.dll'.
18:44:58: Loading avcodec from 'avcodec-55.dll'.
18:44:58: Loading avformat from 'avformat-55.dll'.
18:44:59: Actual avutil path C:\Users\xxxxxxx\Desktop\avutil-52.dll
18:44:59: Actual avcodec path C:\Users\xxxxxxx\Desktop\avcodec-55.dll
18:44:59: Actual avformat path C:\Users\xxxxxxx\Desktop\avformat-55.dll
18:44:59: Importing symbols...
18:44:59: All symbols loaded successfully. Initializing the library.
18:44:59: Retrieving FFmpeg library version numbers:
18:44:59: AVCodec version 0x373466 - 55.52.102 (built against 0x373466 - 55.52.102)
18:44:59: AVFormat version 0x372164 - 55.33.100 (built against 0x372164 - 55.33.100)
18:44:59: AVUtil version 0x344264 - 52.66.100 (built against 0x344264 - 52.66.100)
18:44:59: FFmpeg libraries loaded successfully.
18:46:45: Attempting to load LAME from system search paths
18:46:45: Loading LAME from lame_enc.dll
18:46:45: Actual LAME path C:\Users\xxxxxxx\Desktop\lame_enc.dll
18:46:45: LAME library successfully loaded

[colebantam]

I was wondering why it took so much longer for Lame to load than FFMpeg in the Logfile. I just realized, that Lame only loads when opening the Settings-Window. But FFMpeg DLLs are loaded immediately after opening the project without the need for any other user-input.

[Gale Andrews]

I was wondering why it took so much longer for Lame to load than FFMpeg in the Logfile. I just realized, that Lame only loads when opening the Settings-Window. But FFMpeg DLLs are loaded immediately after opening the project without the need for any other user-input.

It's FFmpeg, not FFMpeg.

LAME will attempt to load when you try to export an MP3 file, so the user does not need to open Preferences before exporting MP3.

If you look in one of your monitoring tools, you will also see that lame_enc.dll is only loaded while MP3 export is in progress, after which it is unloaded.


Gale

[colebantam]

So, Gale, can you confirm now, that both DLLs (Lame and FFmpeg) are loaded from the project-path when opening a project-file from Explorer/Desktop on your test-setup?
(with no lame_enc.dll existing in system32-folder)

[Gale Andrews]

- On typical systems, there is no file "C:\WINDOWS\SYSTEM32\lame_enc.dll". If you delete (or temporarily rename) it, the "lame_enc.dll" from desktop should be loaded.

Here's the Logfile content:

18:44:58: Audacity 2.1.3
18:44:58: Trying to load FFmpeg libraries...
18:44:58: Trying to load FFmpeg libraries from system paths. File name is 'avformat-55.dll'.
18:44:58: Looking up PATH environment variable...
18:44:58: PATH = 'C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\xxxxxxx\AppData\Local\Microsoft\WindowsApps;'
18:44:58: Checking that '' is in PATH...
18:44:58: FFmpeg directory is in PATH.
18:44:58: Checking for monolithic avformat from 'avformat-55.dll'.
18:44:58: Fehler: Kann Symbol 'avutil_version' in der dynamischen Bibliothek nicht finden (Fehler 127: die angegebene Prozedur wurde nicht gefunden.)
18:44:58: Fehler: Kann Symbol 'avcodec_version' in der dynamischen Bibliothek nicht finden (Fehler 127: die angegebene Prozedur wurde nicht gefunden.)
18:44:58: avformat not monolithic
18:44:58: Loading avutil from 'avutil-52.dll'.
18:44:58: Loading avcodec from 'avcodec-55.dll'.
18:44:58: Loading avformat from 'avformat-55.dll'.
18:44:59: Actual avutil path C:\Users\xxxxxxx\Desktop\avutil-52.dll
18:44:59: Actual avcodec path C:\Users\xxxxxxx\Desktop\avcodec-55.dll
18:44:59: Actual avformat path C:\Users\xxxxxxx\Desktop\avformat-55.dll
18:44:59: Importing symbols...
18:44:59: All symbols loaded successfully. Initializing the library.
18:44:59: Retrieving FFmpeg library version numbers:
18:44:59: AVCodec version 0x373466 - 55.52.102 (built against 0x373466 - 55.52.102)
18:44:59: AVFormat version 0x372164 - 55.33.100 (built against 0x372164 - 55.33.100)
18:44:59: AVUtil version 0x344264 - 52.66.100 (built against 0x344264 - 52.66.100)
18:44:59: FFmpeg libraries loaded successfully.
18:46:45: Attempting to load LAME from system search paths
18:46:45: Loading LAME from lame_enc.dll
18:46:45: Actual LAME path C:\Users\xxxxxxx\Desktop\lame_enc.dll
18:46:45: LAME library successfully loaded

I don't have "C:\WINDOWS\SYSTEM32\lame_enc.dll", but the referenced file is in C:\Windows\SysWOW64.

As you can see by the log below when that lame_enc.dll exists, Audacity makes no attempt to load LAME from the Desktop:

Code: Select all

20:26:00: Attempting to load LAME from system search paths
20:26:00: Loading LAME from lame_enc.dll
20:26:00: Actual LAME path C:\WINDOWS\SYSTEM32\lame_enc.dll
20:26:00: Error: Couldn't find symbol 'get_lame_version' in a dynamic library (error 127: the specified procedure could not be found.)
20:26:00: Error: Couldn't find symbol 'lame_encode_buffer' in a dynamic library (error 127: the specified procedure could not be found.)
20:26:00: Error: Couldn't find symbol 'lame_set_in_samplerate' in a dynamic library (error 127: the specified procedure could not be found.)
[...]
20:26:00: Failed to find a required symbol in the LAME library.
20:26:00: Attempting to load LAME from builtin path
20:26:00: LAME registry key exists.
20:26:00: Library path is: C:\Program Files (x86)\Lame For Audacity
20:26:00: Loading LAME from C:\Program Files (x86)\Lame For Audacity\lame_enc.dll
20:26:00: Error: Failed to load shared library 'C:\Program Files (x86)\Lame For Audacity\lame_enc.dll' (error 126: the specified module could not be found.)
20:26:00: load failed
20:26:00: (Maybe) ask user for library
20:26:00: Failed to locate LAME library

So that looks like a bug there. I would expect Audacity to find lame_enc.dll on the Desktop rather than give up.

Yes, Audacity loads lame_enc.dll from the Desktop if C:\Windows\SysWOW64\lame_enc.dll is removed.

None of this gets us anywhere we have not visited before, does it?


Gale