Entries tagged with “Windows”.


Shock! Horror! Bug found where Windows applications will open DLLs that are in the current working directory of a process!

Except it’s not a bug. It’s by design, and it’s existed since NT.

Microsoft is being smacked in the head by a required feature of Windows due to the initial weakness of the LoadLibrary call. If you don’t specify a path to the file to load, it uses the standard library search path.

Dear god, you would think that this was news. It is not news, nor has it been since the goddamned operating system shipped. Granted, the issue is severe, but the fact of the matter is if an application is executed using a working directory that isn’t under your control, then what can you do? If there are libraries in the same directory that launched the program that happen to share the name of system libraries then you’re hosed.

Hey, guess what asshole, if you link a linux binary with a search path containing ‘.’, then you get the same problem. It’s just as well that nobody links their binaries with -R. …. eh?

The documentation is blatant in this regard. I’ve known it was a security issue since I first learned of the LoadLibrary call, as any even half decent developer should have known when they started using the damned function.

The rule is simple. Resolve the full path to a library before you load it. Validate that it ‘looks right’ at that point. Then load it.
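One way to apply that rule, as an added example that is not code from the original post: build the full path under the system directory, check that it names a .dll sitting directly in that directory, and only then load it. The helper names `dll_path_is_trusted` and `load_system_dll` are hypothetical, and treating "a .dll directly inside the system directory" as "looks right" is an assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the page): return 1 only if `path` is a
   drive-qualified path to a .dll directly inside `trusted_dir`, else 0. */
int dll_path_is_trusted(const char *path, const char *trusted_dir)
{
    size_t dlen = strlen(trusted_dir), plen = strlen(path), i;
    const char *ext;

    /* Bare names and relative paths are what trigger the search order. */
    if (plen < dlen + 6 || !isalpha((unsigned char)path[0]) ||
        path[1] != ':' || path[2] != '\\')
        return 0;
    /* Directory part must equal the trusted directory (case-insensitive). */
    for (i = 0; i < dlen; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)trusted_dir[i]))
            return 0;
    /* The rest must be a plain file name: no "..\" hops, no stream syntax. */
    if (path[dlen] != '\\' || strpbrk(path + dlen + 1, "\\/:") != NULL)
        return 0;
    ext = path + plen - 4;
    return ext[0] == '.' && tolower((unsigned char)ext[1]) == 'd' &&
           tolower((unsigned char)ext[2]) == 'l' && tolower((unsigned char)ext[3]) == 'l';
}

#ifdef _WIN32
#include <windows.h>
/* Resolve the full path under the system directory, validate, then load. */
HMODULE load_system_dll(const char *name)
{
    char dir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(dir, MAX_PATH);
    if (n == 0 || n >= MAX_PATH ||
        snprintf(full, sizeof full, "%s\\%s", dir, name) >= (int)sizeof full ||
        !dll_path_is_trusted(full, dir))
        return NULL;
    return LoadLibraryExA(full, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
}
#endif

int main(void)
{
    const char *sys = "C:\\Windows\\System32";   /* constructed sample */
    printf("%d %d\n", dll_path_is_trusted("C:\\Windows\\System32\\version.dll", sys),
           dll_path_is_trusted("version.dll", sys));
    return 0;
}
```

The validation function is plain C and builds anywhere; the loading wrapper is compiled only on Windows.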

BTW .init section in .so files – so totally a security hole. You can’t dlopen a file to determine if it’s good without executing the .init code. Game over man, game f**king over!

My .init code does a setenv(“LD_LIBRARY_PATH”, “.” + getenv(“LD_LIBRARY_PATH”)) … now piss off and write secure code for once…

This advice is for Microsoft Virtual PC. When you use software like VMware, it automatically allows the host to connect directly to the client using the virtual interfaces that have been created.

Most of the recommendations with regard to connection to/from the Virtual PC client recommend configuring the connection to share/bridge one of the network connections.

All very good and well when you’re on a network. I regularly use the system when I have no network available – i.e. I’m completely disconnected. Most of the connection sensing code for network adaptors prevents you from using it while it’s not active, plus I don’t like having to configure the connection manually and then reconfigure it when I’ve got a real network.

The simple solution is to add a Microsoft Loopback Adaptor to the host machine, then create a second network interface on the Virtual PC that uses this interface. Manually configure the IP addresses to be on the same private network, making sure that you don’t accidentally configure it to use an IP address range that you may end up using for a VPN connection.

  1. Add the Network Adaptor: XP, Vista, Windows 7
  2. Configure the IP address manually. Use a Private Address Range. I chose an IP address of 10.125.1.1 with a netmask of 255.255.255.0 for the host, then chose 10.125.1.2 for the Virtual machine. XP, Vista, Windows 7 – Use the instructions for Vista.
  3. Shut down the virtual machine. Don’t hibernate it, as you then can’t add the second network interface.
  4. Edit the properties of the virtual machine (in the Virtual Machines folder). Either Right Click on the Virtual Machine Icon, or use the Settings Option in the menu bar.
  5. Configure the network to have 2 interfaces, one of which is linked to the ‘Microsoft Loopback Adaptor’
  6. Boot up the virtual machine, and follow the instructions for manually configuring the IP address of this new network interface.

Direct connections to the IP address of the client virtual machine now work, and you can use it for anything you want.

Following the instructions here, even if they’re confusing: once you add a DWORD value called ‘*NdisDeviceType’ with a value of 1, the connection is no longer seen as an unknown connection, which enables sharing and other features in Vista and Windows 7.

It’s not difficult to set environment variables in Windows. System level variables are stored in HKLM\System\CurrentControlSet\Control\Session Manager\Environment. User level variables are stored in HKCU\Environment. They are either REG_SZ or REG_EXPAND_SZ values. REG_EXPAND_SZ values use other environment variables to get their ultimate value, while REG_SZ values are considered ‘final destination’ variables.

The issue arises when you programmatically change the value and want it reflected in new programs that are launched. You make your changes in the registry, but none of the newly launched applications notice the change. You need to inform all the running applications that the settings have been changed. To do this you send a WM_SETTINGCHANGE message to all the running applications.

The logic is to issue a SendMessage(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM)"Environment"). As the meerkat in the advertisement says ‘Seemples’. Unfortunately, I have a couple of applications with badly written message processing loops which don’t defer to DefWindowProc if they don’t handle the message, which causes this function to hang.

The more sensible logic is to use a SendMessageTimeout call, which has 2 extra parameters, one of which is a flag and the other is a timeout in milliseconds. The timeout is a maximum per window, which means that if there are 10 windows causing timeouts and you’re issuing it with a 1000 millisecond (1 second) timeout, then you will be stalled for 10 seconds. You have been warned. Most applications should respond in < 100 milliseconds, and typically there are only a few badly behaved applications.

This brings us to the code. It’s short, and it’s C and it doesn’t do anything fancy at all. Compiled using MinGW as gcc -mwindows settings.c -o settings.exe

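#include <windows.h>

int APIENTRY WinMain(HINSTANCE hInstance,
  HINSTANCE hPrevInstance,
  LPSTR lpCmdLine,
  int nCmdShow)
{
    /* Receives the message result; must be pointer-sized (PDWORD_PTR). */
    DWORD_PTR output;

    /* Tell every top-level window that the environment settings changed,
       waiting at most 100 ms per window. */
    SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0,
      (LPARAM)"Environment", SMTO_BLOCK, 100, &output);
    return (0);
}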

Set a variable in the registry. Pop up a cmd window and issue a set command and the change is not reflected in the window. Close the window, run the settings program compiled above, then launch another cmd window and it will now reflect the change to the environment you made in the registry.

The message causes Explorer to re-read the environment, which is why newly launched programs see the changes. You are launching your applications from Explorer (the start menu, icons on the desktop, the run menu) for the most part.

[Image: CreativeWhine]

Oh get over yourself! I do not need to install the music management software on my computer and not having it installed is not the end of the world. It’s almost as bad as the Apple updater suggesting you install Safari. Mind you, it’s nowhere near as annoying about it, and it doesn’t suggest that the world will end if you don’t download it (but, you know, it just might…)

[Image: Flash Update Message]

Apparently, it needed to install a security update. I don’t believe I’m using any flash applications that would keep the player in use, so why the pathetic dialog on the left after I installed it? This is one of those cases where pushing through the update makes more sense. As it is this only tells me that I need to reboot my computer to be safe from ‘flash viruses’.

Is it that the flash component is so embedded in the operating system that updating it requires a reboot? If that’s the case then why? It’s only a little thing for displaying animations; not the end of the fricking world.

It’s great. Simply prettier and a lot more usable than Firefox 2. The awesome bar (the address bar) kicks ass. Much easier to use than the previous one. Bookmark management has been improved. The look and feel is nicer. I even ‘kind of’ prefer the subtle dialog box improvement which turns up at the top of the form, which is like a wide series of websites that perform the same thing themselves.

This definitely has replaced my web browsers in Windows and Linux. There’s a very high chance that it will replace Safari on the Mac. The only niggle I have is that it doesn’t store your passwords in the Mac keychain, which I still feel is the better place to have them.

Damn the electric fence…

Every time you reinstall VMware it seems to recreate your network interfaces, and at the same time reassigns the IP addresses that you had set up. If you want to move them then you need to edit a file and a couple of registry entries.

The first file is %APPDATA%\VMware\vmnetdhcp.conf. On XP it’s normally C:\Documents and Settings\All Users\Application Data. Under Vista that’s C:\ProgramData. Note, however, that when UAC is enabled, this folder experiences redirection on write by unprivileged users, so editing this file as an ordinary user will have no effect. Make sure that you use a privileged editor when altering this file.

The entries you want to change are the Subnet and Range entries, to match the original subnet entries you had. You can also put in entries for the domain-name and router. When you add this information it gives you the ability to mark the subnet as identified under Vista, so you can be in an identified network, and thus be discoverable. Please note that doing this and then putting an insecure OS on the client VM is your own fault.

The other entries that need to be altered are in the registry. The first one is the HKLM\Software\VMware, Inc.\VMnetLib\VMnetConfig\vmnet? entries – the IPSubnetAddress entry needs to be changed to match the entries that you set in the .conf file. The next one is a little bit tricky – it’s HKLM\SYSTEM\CurrentControlSet\Services\VMnetDHCP\Parameters\VirtualEthernetSegments\?, the value is HostIpAddress – and it needs to be mapped. The value is an endian-reversed representation of your address, so if your IP address is 192.168.22.1 the value would be 0x0116A8C0: C0==192, A8==168, 16==22, 01==1. Use Calc to get the values that you should put in there.

Restart the service “vmware dhcp service”, and then you should be OK.
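As an alternative to working out the HostIpAddress value by hand in Calc, the following added example (not part of the original post) converts a dotted-quad address to the endian-reversed DWORD described above and back again. The function names are hypothetical, and the byte order is taken from the post's own 192.168.22.1 example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: parse "a.b.c.d" into the HostIpAddress DWORD, first
   octet in the low byte (192.168.22.1 -> 0x0116A8C0). 0 on success, -1 on error. */
int host_ip_to_dword(const char *ip, uint32_t *out)
{
    uint32_t value = 0;
    int i;

    for (i = 0; i < 4; i++) {
        char *end;
        unsigned long octet;

        if (*ip < '0' || *ip > '9')            /* no signs, spaces or empty parts */
            return -1;
        octet = strtoul(ip, &end, 10);
        if (octet > 255 || end - ip > 3)       /* out of range or over-long */
            return -1;
        if (*end != (i < 3 ? '.' : '\0'))      /* exactly four octets */
            return -1;
        value |= (uint32_t)octet << (8 * i);
        ip = (i < 3) ? end + 1 : end;
    }
    *out = value;
    return 0;
}

/* Inverse, for checking a value already in the registry; buf holds 16 bytes. */
void dword_to_host_ip(uint32_t value, char *buf)
{
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(value & 0xFF),
             (unsigned)((value >> 8) & 0xFF), (unsigned)((value >> 16) & 0xFF),
             (unsigned)(value >> 24));
}

int main(int argc, char **argv)
{
    uint32_t v;
    const char *ip = argc > 1 ? argv[1] : "192.168.22.1";  /* the post's example */

    if (host_ip_to_dword(ip, &v) != 0) {
        fprintf(stderr, "not a dotted-quad IPv4 address: %s\n", ip);
        return 1;
    }
    printf("HostIpAddress = 0x%08lX\n", (unsigned long)v);
    return 0;
}
```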

For some reason even though I explicitly un-check the ‘apple software update’ option when installing either itunes or the bonjour service I am unsurprised to find that it has been installed.

Along with the quicktime icon in the notification area. Please respect my wishes to keep my notification area clear. It’s already cluttered with the detritus of outlook, pidgin, vmware, creative X-fi, hotsync, sync manager, bluetooth, quickset, virtual daemon manager, the power status, network status, volume and the sidebar. At least I can switch off clock, volume, network and power if I so choose, and they respect my authoritay.

The network interfaces that get configured by vmware always fall into the ‘unidentified realm’. The reason seems to be tied to the lack of a router or default gateway entry for the address.

So we cheat, and add in a router entry for the networks that is the same as the IP address of the connection and bingo, you get the option to put it into another network and give it a label! So I put both the VMware network interfaces and the Microsoft loopback interface into a group called ‘local only’, and providing I don’t use any grotty Windows virtual machines, it should service me well. Of course, this is all purely academic for those who don’t use Vista.

I’m replaying network traffic at 1000 packets per second into a VMware client that’s hosted on a Vista machine. It’s losing quite a few packets. The Vista OS does not appear to be losing the packets; they are simply missing on the guest operating system. This is a lot like crap, really.