Uncontrolled search path element

ID

c.miscellaneous.dangerous_loadlibrary

Severity

low

Resource

Miscellaneous

Language

C / C++

Description

LoadLibrary is used to load DLLs dynamically and may be vulnerable to DLL hijacking. Attackers can exploit this by placing malicious DLLs in directories searched before the legitimate one. Use LoadLibraryEx with LOAD_LIBRARY_SEARCH flags, specify fully qualified paths, or use SetDefaultDllDirectories to control the search path.

Rationale

LoadLibrary is used to load DLLs dynamically and may be vulnerable to DLL hijacking. Attackers can exploit this by placing malicious DLLs in directories searched before the legitimate one. Use LoadLibraryEx with LOAD_LIBRARY_SEARCH flags, specify fully qualified paths, or use SetDefaultDllDirectories to control the search path.

The following code illustrates a vulnerable pattern detected by this rule:

void main() {
    // VULNERABLE: Uncontrolled search path element
    HMODULE hDLL = LoadLibrary("example.dll");
    if (hDLL != NULL) {
        ExampleFunc func = (ExampleFunc)GetProcAddress(hDLL, "ExampleFunction");
        if (func != NULL) {
            func();  // Call the loaded function
            printf("Function executed successfully.\n");
        } else {
            printf("Failed to get function address.\n");
        }
        FreeLibrary(hDLL);
    } else {
        printf("Failed to load DLL: %lu\n", GetLastError());
    }
    return 0;
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References