As in the release of Parched Go 1.26.5, the calling of RtlGenRandom (SystemFunction036) will cause unexpected DLL loading behaviour, even though loading advapi32.dll through LoadLibraryEx with search flag LOAD_LIBRARY_SEARCH_SYSTEM32, which had caused several security issues in other projects.
While calling RtlGenRandom (SystemFunction036) from advapi32.dll, the actual definition of the function is in cryptbase.dll, which requires a call forwarding from advapi32.dll. The expected behaviour should be advapi32.dll retaining the search path restriction in the same way that the search for the initial DLL did when calling cryptbase.dll. But it did not run like that in reality, the search path was not restricted when forwarding the call to cryptbase.dll, causing a DLL in the same directory of the executive binary with the name cryptbase.dll being loaded, instead of the DLL we expected from the operating system.
This should be considered as a security issue, as this unexpected behaviour will load a incorrect, corrupted, or even malicious DLL when the binary tries to get a cryptographic secure random number. For BCryptGenRandom, we can hardly find any similar reports like RtlGenRandom does.
Patches using BCryptgenRandom have been re-issued for patched Go, from Go 1.21 to Go 1.26.
- For users on Go 1.26, download releases from Go 1.26.5.
- For users on older major version of Go, download the latest source code from Go, download the re-issued patches, and patch the source code. Then you can copy the source code to a usable SDK making it a substitution package, or bootstrap it into a full usable SDK.
- Normally, download the patch named
go-1-xx.diff is enough for most of the situation.
- If you have systems that do not meet the required patch level (KB3125574 + KB4474419, or most updates before April 2016 + KB4474419), it is strongly recommended to download the corresponding patch
legacy-1-xx.diff alongside the go-1-xx.diff, and apply the legacy-1-xx.diff after applying go-1-xx.diff, which covers the problem from missing flags for LoadLibraryEx that may occur on some not well updated systems.
As in the release of Parched Go 1.26.5, the calling of
RtlGenRandom(SystemFunction036) will cause unexpected DLL loading behaviour, even though loadingadvapi32.dllthroughLoadLibraryExwith search flagLOAD_LIBRARY_SEARCH_SYSTEM32, which had caused several security issues in other projects.While calling
RtlGenRandom(SystemFunction036) fromadvapi32.dll, the actual definition of the function is incryptbase.dll, which requires a call forwarding fromadvapi32.dll. The expected behaviour should beadvapi32.dllretaining the search path restriction in the same way that the search for the initial DLL did when callingcryptbase.dll. But it did not run like that in reality, the search path was not restricted when forwarding the call tocryptbase.dll, causing a DLL in the same directory of the executive binary with the namecryptbase.dllbeing loaded, instead of the DLL we expected from the operating system.This should be considered as a security issue, as this unexpected behaviour will load a incorrect, corrupted, or even malicious DLL when the binary tries to get a cryptographic secure random number. For
BCryptGenRandom, we can hardly find any similar reports likeRtlGenRandomdoes.Patches using
BCryptgenRandomhave been re-issued for patched Go, from Go 1.21 to Go 1.26.go-1-xx.diffis enough for most of the situation.legacy-1-xx.diffalongside thego-1-xx.diff, and apply thelegacy-1-xx.diffafter applyinggo-1-xx.diff, which covers the problem from missing flags forLoadLibraryExthat may occur on some not well updated systems.