  1. Puppet Agent
  2. PA-2067

Facter tries to load dlls from the current working directory

    Details

    • Team:
      Platform OS
    • CVE-ID:
      CVE-2018-6514
    • Sprint:
      Platform OS Kanban
    • Method Found:
      Needs Assessment
    • Release Notes:
      Security Fix
    • Release Notes Summary:
      Facter no longer loads dependent dlls from its current working directory.
    • QA Risk Assessment:
      Needs Assessment

      Description

      When facter is run as an administrator, it tries to load DLLs from its current working directory, e.g. C:\leatherman_nowide.dll, before searching its PATH.

      When running as a service, the current working directory is set to a trusted directory, C:\Windows\System32. But when facter or puppet is run interactively as an admin, e.g. puppet agent -t, it uses the current working directory of the shell it was started from:

      7:21:31.6283415 PM	facter.exe	4380	Load Image	C:\Program Files\Puppet Labs\Puppet\facter\bin\libfacter.so	SUCCESS	Image Base: 0x604a0000, Image Size: 0x3c4000
      7:21:31.6291490 PM	facter.exe	4380	CloseFile	C:\Program Files\Puppet Labs\Puppet\facter\bin\libfacter.so	SUCCESS	
      7:21:31.6292254 PM	facter.exe	4380	QueryOpen	C:\Program Files\Puppet Labs\Puppet\facter\bin\leatherman_nowide.dll	NAME NOT FOUND	
      7:21:31.6294931 PM	facter.exe	4380	QueryOpen	C:\leatherman_nowide.dll	NAME NOT FOUND	
      7:21:31.6295419 PM	facter.exe	4380	QueryOpen	C:\Program Files\Puppet Labs\Puppet\puppet\bin\leatherman_nowide.dll	SUCCESS	CreationTime: 4/18/2018 4:46:06 PM, LastAccessTime: 5/31/2018 5:21:26 PM, LastWriteTime: 4/18/2018 4:46:06 PM, ChangeTime: 5/31/2018 5:21:26 PM, AllocationSize: 77,824, EndOfFile: 77,373, FileAttributes: A
      7:21:31.6295896 PM	facter.exe	4380	CreateFile	C:\Program Files\Puppet Labs\Puppet\puppet\bin\leatherman_nowide.dll	SUCCESS	Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
      7:21:31.6296088 PM	facter.exe	4380	CreateFileMapping	C:\Program Files\Puppet Labs\Puppet\puppet\bin\leatherman_nowide.dll	FILE LOCKED WITH ONLY READERS	SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
      7:21:31.6296429 PM	facter.exe	4380	CreateFileMapping	C:\Program Files\Puppet Labs\Puppet\puppet\bin\leatherman_nowide.dll	SUCCESS	SyncType: SyncTypeOther
      

      This is documented Microsoft behavior in https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx. Note that we search for leatherman_nowide.dll in the directory from which libfacter.so was loaded, and then fall back to the current working directory, before trying other directories in our PATH.

      But we should restrict the search path using SetDllDirectory and friends, or move all of the exe/dlls into a common directory.
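
One way to spot this search-order behavior in a Process Monitor trace like the one above, as an added example (not code from Puppet or from this ticket): the script flags every DLL lookup that lands outside a set of trusted directories. The TRUSTED_ROOTS list, the function names and the tab-separated export layout are assumptions.

```python
import ntpath

# Assumption: directories only administrators can write to on this host.
TRUSTED_ROOTS = (
    r"C:\Program Files\Puppet Labs\Puppet",
    r"C:\Windows\System32",
)

# Rows from the trace above, Detail column dropped (tab-separated export).
PUPPET = "C:\\Program Files\\Puppet Labs\\Puppet"
SAMPLE_TRACE = "\n".join([
    f"7:21:31.6291490 PM\tfacter.exe\t4380\tCloseFile\t{PUPPET}\\facter\\bin\\libfacter.so\tSUCCESS\t",
    f"7:21:31.6292254 PM\tfacter.exe\t4380\tQueryOpen\t{PUPPET}\\facter\\bin\\leatherman_nowide.dll\tNAME NOT FOUND\t",
    "7:21:31.6294931 PM\tfacter.exe\t4380\tQueryOpen\tC:\\leatherman_nowide.dll\tNAME NOT FOUND\t",
    f"7:21:31.6295419 PM\tfacter.exe\t4380\tQueryOpen\t{PUPPET}\\puppet\\bin\\leatherman_nowide.dll\tSUCCESS\t",
])


def is_trusted(path, roots=TRUSTED_ROOTS):
    """True if the file's directory is a trusted root or lies below one."""
    folder = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    for root in roots:
        root = ntpath.normcase(ntpath.normpath(root))
        # Compare whole path components so "Puppet" does not match "PuppetX".
        if folder == root or folder.startswith(root + "\\"):
            return True
    return False


def untrusted_dll_probes(trace, roots=TRUSTED_ROOTS):
    """Return (process, pid, path, result) for each DLL lookup outside roots."""
    findings = []
    for line in trace.splitlines():
        cols = line.strip().split("\t")
        if len(cols) < 6:
            continue  # header, blank line or truncated row
        _time, process, pid, operation, path, result = cols[:6]
        if operation not in ("QueryOpen", "CreateFile", "Load Image"):
            continue
        if not path.lower().endswith(".dll"):
            continue
        # A failed lookup is reported too: the probe itself shows that the
        # directory is on the search path for this process.
        if not is_trusted(path, roots):
            findings.append((process, int(pid), path, result))
    return findings


if __name__ == "__main__":
    for finding in untrusted_dll_probes(SAMPLE_TRACE):
        print(finding)
```

Run against a trace captured after the search path has been restricted, the same check should return no findings for facter.exe.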


                People

                • Assignee:
                  josh Josh Cooper
                  Reporter:
                  josh Josh Cooper