  1. Puppet Agent
  2. PA-2067

Facter tries to load dlls from the current working directory

Details

    • Platform OS
    • CVE-2018-6514
    • Platform OS Kanban
    • Needs Assessment
    • Security Fix
    • Facter no longer loads dependent dlls from its current working directory.
    • Needs Assessment

    Description

      When running facter as an administrator, it will try to load dlls from its current working directory, e.g. C:\leatherman_nowide.dll, before searching its PATH.

      When running as a service, the current working directory is set to a trusted directory, C:\Windows\System32. But when running facter or puppet interactively as an admin, e.g. puppet agent -t, it will use the current working directory:

      7:21:31.6283415 PM	facter.exe	4380	Load Image	C:\Program Files\Puppet Labs\Puppet\facter\bin\libfacter.so	SUCCESS	Image Base: 0x604a0000, Image Size: 0x3c4000
      7:21:31.6291490 PM	facter.exe	4380	CloseFile	C:\Program Files\Puppet Labs\Puppet\facter\bin\libfacter.so	SUCCESS	
      7:21:31.6292254 PM	facter.exe	4380	QueryOpen	C:\Program Files\Puppet Labs\Puppet\facter\bin\leatherman_nowide.dll	NAME NOT FOUND	
      7:21:31.6294931 PM	facter.exe	4380	QueryOpen	C:\leatherman_nowide.dll	NAME NOT FOUND	
      7:21:31.6295419 PM	facter.exe	4380	QueryOpen	C:\Program Files\Puppet Labs\Puppet\puppet\bin\leatherman_nowide.dll	SUCCESS	CreationTime: 4/18/2018 4:46:06 PM, LastAccessTime: 5/31/2018 5:21:26 PM, LastWriteTime: 4/18/2018 4:46:06 PM, ChangeTime: 5/31/2018 5:21:26 PM, AllocationSize: 77,824, EndOfFile: 77,373, FileAttributes: A
      7:21:31.6295896 PM	facter.exe	4380	CreateFile	C:\Program Files\Puppet Labs\Puppet\puppet\bin\leatherman_nowide.dll	SUCCESS	Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
      7:21:31.6296088 PM	facter.exe	4380	CreateFileMapping	C:\Program Files\Puppet Labs\Puppet\puppet\bin\leatherman_nowide.dll	FILE LOCKED WITH ONLY READERS	SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
      7:21:31.6296429 PM	facter.exe	4380	CreateFileMapping	C:\Program Files\Puppet Labs\Puppet\puppet\bin\leatherman_nowide.dll	SUCCESS	SyncType: SyncTypeOther
      

      This is documented Microsoft behavior in https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx. Note we search for leatherman_nowide.dll in the same directory that libfacter.so was loaded from, and then fall back to the current working directory, before trying other directories in our PATH.

      But we should restrict the search path using SetDllDirectory and friends, or move all of the exe/dlls into a common directory.
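
The check read by eye from the trace above can be automated. This is an added example, not code from the ticket or from Puppet: it parses tab-separated Process Monitor rows and reports DLL lookups outside admin-only directories. The trusted roots and all function names are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: only administrators can write under these trees.
TRUSTED_ROOTS = (PureWindowsPath(r"C:\Program Files"), PureWindowsPath(r"C:\Windows"))
LOAD_OPERATIONS = {"QueryOpen", "CreateFile", "Load Image"}

# Constructed sample: three rows taken from the trace above, details trimmed.
SAMPLE_TRACE = "\n".join([
    "7:21:31.6292254 PM\tfacter.exe\t4380\tQueryOpen\t"
    "C:\\Program Files\\Puppet Labs\\Puppet\\facter\\bin\\leatherman_nowide.dll\tNAME NOT FOUND\t",
    "7:21:31.6294931 PM\tfacter.exe\t4380\tQueryOpen\tC:\\leatherman_nowide.dll\tNAME NOT FOUND\t",
    "7:21:31.6295419 PM\tfacter.exe\t4380\tQueryOpen\t"
    "C:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\leatherman_nowide.dll\tSUCCESS\t",
])


def parse_event(line):
    """Split one tab-separated Process Monitor row; return None if malformed."""
    fields = line.strip().split("\t")
    if len(fields) < 6:
        return None
    keys = ("time", "process", "pid", "operation", "path", "result")
    return dict(zip(keys, fields))  # any trailing detail column is dropped


def is_trusted(path):
    """True when the file sits below a trusted root (case-insensitive)."""
    return any(root in PureWindowsPath(path).parents for root in TRUSTED_ROOTS)


def find_untrusted_dll_probes(trace):
    """Return DLL lookups that touched a directory outside TRUSTED_ROOTS."""
    hits = []
    for line in trace.splitlines():
        event = parse_event(line)
        if event is None or event["operation"] not in LOAD_OPERATIONS:
            continue
        if event["path"].lower().endswith(".dll") and not is_trusted(event["path"]):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_dll_probes(SAMPLE_TRACE):
        print(f'{hit["process"]} probed {hit["path"]} ({hit["result"]})')
```

A hit with result NAME NOT FOUND means the loader looked in that directory and found nothing; a hit with SUCCESS means a DLL was actually loaded from there and should be examined.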

            People

              josh Josh Cooper