1. Ranjiv Sharma
  2. PowerBuilder
  3. Wednesday, 22 December 2021 09:03 AM UTC

Hi Everyone,

What can be done to avoid DLL hijacking for a Powerbuilder application in a Windows environment.

Files may be signed using Microsoft sign tool but this will not protect from hijacking unless you somehow use verify to check the 

files but I am not sure how feasible this would be.

Any ideas there are functions like LoadlibraryEx (specify path and file) but how would this work in a PB environment and would it be feasible ?

Thanks,

Ranj.

Also on the security tab of a project, I can use the following which means the application must Authenticode signed

 

Allow access to protected system UI

Select if the application needs to drive input to higher privilege windows on the desktop, such as an on-screen keyboard. Microsoft provides this setting for user interface Assistive Technology (Section 508) applications.

Note
If you check this box, the application must be Authenticode signed and must reside in a protected location, such as \Program Files\ or \windows\system32\.

 

 

 

 

 

 

Armeen Mazda @Appeon Accepted Answer Pending Moderation
  1. Wednesday, 22 December 2021 16:54 PM UTC
  2. PowerBuilder
  3. # 1

Hi Ranjiv,

Just use the the new PowerClient deployment option of PowerBuilder 2021.  It verifies the hash values to reduce chance your app can be hijacked.  https://www.appeon.com/products/power-client

Best regards,
Armeen

Comment
  1. Ranjiv Sharma
  2. Tuesday, 11 January 2022 09:39 AM UTC
Hi Armeen,



I have tried Powerclient is works fine. However I cant use Powerclient yet thats why Im using manifest and Authenticode. My question is about the prorected location , it does not seem to be enforced, can you confirm if it is supposed to do that or it does not do it anymore ?



Thanks,

Ranjiv.
  1. Helpful
  1. Armeen Mazda @Appeon
  2. Tuesday, 11 January 2022 15:46 PM UTC
I'm not aware that PowerBuilder itself enforces any such thing you say. The Windows OS version and configuration would dictate this. So as I mentioned, I suggest you test it out.
  1. Helpful
  1. Ranjiv Sharma
  2. Thursday, 10 February 2022 10:36 AM UTC
Hi Armeen,



Yes I have tested it. I dont think the Powerbuilder documentation is correct:

"If you check this box, the application must be Authenticode signed and must reside in a protected location, such as \Program Files\ or \windows\system32\."

The above is not enforced I can run the application in a non protected area such as C:\TEMP\testpbmanifest



on the security tab of a project, I can use the following which means the application must Authenticode signed



Allow access to protected system UI

Select if the application needs to drive input to higher privilege windows on the desktop, such as an on-screen keyboard. Microsoft provides this setting for user interface Assistive Technology (Section 508) applications.

Note

If you check this box, the application must be Authenticode signed and must reside in a protected location, such as \Program Files\ or \windows\system32\.
  1. Helpful
There are no comments made yet.
Stuart Macandrew Accepted Answer Pending Moderation
  1. Thursday, 23 December 2021 02:36 AM UTC
  2. PowerBuilder
  3. # 2

Is this a real or a hypothetical threat?

If you are deploying your application with an installer, then your application is placed in an administrator controlled location (some location under program files). An attacker cannot just "replace mystuff.dll" without first elevating to admin privilege.

If the attacker has no admin credentials and your application is securely installed, then there is no threat.

If your application is not securely installed, then review and fix your install strategy.

If the attacker has admin credentials and can elevate then - well the scenario you outline is the least of your security issues.

Comment
  1. Armeen Mazda @Appeon
  2. Thursday, 10 February 2022 15:51 PM UTC
SolarWinds attack was hijack example.
  1. Helpful
There are no comments made yet.
David Peace (Powersoft) Accepted Answer Pending Moderation
  1. Wednesday, 22 December 2021 14:27 PM UTC
  2. PowerBuilder
  3. # 3

Hi Ranj

What DLLs are you specifically talking about?

If you are refering to the PBDs then there is not a lot you can do. We do not compile with PBDs and compile everything into the EXE file in order to eliminate this issue.

If you are refering to 3rd party DLLs then perhaps someone with more knowledge that me can advise.

Cheers

David

 

Comment
There are no comments made yet.
Ranjiv Sharma Accepted Answer Pending Moderation
  1. Wednesday, 22 December 2021 14:36 PM UTC
  2. PowerBuilder
  3. # 4

Hi David,

I'm talking about the application dlls that are built and deployed from powerbuilder.

if i have a library called mystuff.pbl and I build my app and will have a resulting mystuff.dll then in the application directory I could replace the mystuff.dll

with a rogue version and hijack some functionality.

Thanks,

Ranj.

 

 

 

Comment
  1. Ranjiv Sharma
  2. Thursday, 6 January 2022 13:25 PM UTC
How do we raise a request for this ? "Perhaps they could be persuaded to add that functionality to the EXE/DLL build process?"
  1. Helpful
  1. Roland Smith
  2. Thursday, 6 January 2022 13:56 PM UTC
Having the encryption of application files feature from cloud apps added to standard desktop would be a good idea. Send an email to product@appeon.com which is the product manager.
  1. Helpful
  1. Ranjiv Sharma
  2. Thursday, 6 January 2022 13:58 PM UTC
Thankyou
  1. Helpful
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.