Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-09 Thread Tobias Rapp
Arno Garrels wrote: The DLL names are globally writable typed constants, set their values before the OpenSSL libraries are loaded. Is there any advantage to use writable typed constants like const GSSLEAY_DLL_Name : String = 'SSLEAY32.DLL'; instead of var GSSLEAY_DLL_Name : String =

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-09 Thread Arno Garrels
Tobias Rapp wrote: Arno Garrels wrote: The DLL names are globally writable typed constants, set their values before the OpenSSL libraries are loaded. Is there any advantage to use writable typed constants like const GSSLEAY_DLL_Name : String = 'SSLEAY32.DLL'; instead of var

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-07 Thread Angus Robertson - Magenta Systems Ltd
I prefer this anyway since the load errors don't raise somewhere but where I can handle them easily: I also log the SSL version and directory at the point, since multiple SSL DLLs may be available on the PC and like to know the expected versions are being used: MySslContext.InitContext;

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-06 Thread Zvone
const GSSLEAY_DLL_Name : String = 'SSLEAY32.DLL'; This is not required since writable typed constants is enabled. That's all fine but I don't see it published as property anywhere. How do I modify its value during runtime to set full path for SSLEAY32.DLL and LIBEAY32.DLL? -- To unsubscribe

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-06 Thread Francois PIETTE
const GSSLEAY_DLL_Name : String = 'SSLEAY32.DLL'; This is not required since writable typed constants is enabled. That's all fine but I don't see it published as property anywhere. How do I modify its value during runtime to set full path for SSLEAY32.DLL and LIBEAY32.DLL? So simple: Just

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-06 Thread Arno Garrels
Zvone wrote: const GSSLEAY_DLL_Name : String = 'SSLEAY32.DLL'; This is not required since writable typed constants is enabled. That's all fine but I don't see it published as property anywhere. How do I modify its value during runtime to set full path for SSLEAY32.DLL and LIBEAY32.DLL?

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-04 Thread Fastream Technologies
I think here is what we should do: - the OpsnSSL DLLs must be loaded only from process folder of the ICS-based-our-code-exe - before loading the DLLs, we must check for their presence in RAM and fire an exception in that case. Regards, SZ On Sat, Sep 4, 2010 at 10:29 AM, Francois PIETTE

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-04 Thread Zvone
Well, like I wrote, it effects all programs that use ICS. And it is a bit harder to find a solution that fits all in this case due to nature of the problem. This is how ICS loads for example SSLLEAY32.DLL: const GSSLEAY_DLL_Name : String = 'SSLEAY32.DLL'; ... GSSLEAY_DLL_Handle :=

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-04 Thread Zvone
Forget about my remark about \ or /. The DllPath could be used as is just DllPath + LibraryName. This avoids the need to process needlessly slashes or backslashes. If this is used I would suggest a bold remark in the docs on Wiki to encourage use of this property if this is to be used. Anyway,

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-04 Thread Francois PIETTE
middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be - Original Message - From: Zvone pha...@gmail.com To: ICS support mailing twsocket@elists.org Sent: Saturday, September 04, 2010 3:44 PM Subject: Re: [twsocket] New DLL hijacking vulnerability

Re: [twsocket] New DLL hijacking vulnerability KB 2269637

2010-09-04 Thread Arno Garrels
Francois PIETTE wrote: const GSSLEAY_DLL_Name : String = 'SSLEAY32.DLL'; I think the solution is much simpler than what you think: Change const by var so that the DLL name is provided thru a global This is not required since writable typed constants is enabled. -- Arno Garrels -- To