Skip to content

[IMPORTANT] Using BCryptGenRandom instead of RtlGenRandom to reduce the risk from indirect DLL hijacking #18

Description

@KobeArthurScofield

As in the release of Parched Go 1.26.5, the calling of RtlGenRandom (SystemFunction036) will cause unexpected DLL loading behaviour, even though loading advapi32.dll through LoadLibraryEx with search flag LOAD_LIBRARY_SEARCH_SYSTEM32, which had caused several security issues in other projects.

While calling RtlGenRandom (SystemFunction036) from advapi32.dll, the actual definition of the function is in cryptbase.dll, which requires a call forwarding from advapi32.dll. The expected behaviour should be advapi32.dll retaining the search path restriction in the same way that the search for the initial DLL did when calling cryptbase.dll. But it did not run like that in reality, the search path was not restricted when forwarding the call to cryptbase.dll, causing a DLL in the same directory of the executive binary with the name cryptbase.dll being loaded, instead of the DLL we expected from the operating system.

This should be considered as a security issue, as this unexpected behaviour will load a incorrect, corrupted, or even malicious DLL when the binary tries to get a cryptographic secure random number. For BCryptGenRandom, we can hardly find any similar reports like RtlGenRandom does.

Patches using BCryptgenRandom have been re-issued for patched Go, from Go 1.21 to Go 1.26.

  • For users on Go 1.26, download releases from Go 1.26.5.
  • For users on older major version of Go, download the latest source code from Go, download the re-issued patches, and patch the source code. Then you can copy the source code to a usable SDK making it a substitution package, or bootstrap it into a full usable SDK.
    • Normally, download the patch named go-1-xx.diff is enough for most of the situation.
    • If you have systems that do not meet the required patch level (KB3125574 + KB4474419, or most updates before April 2016 + KB4474419), it is strongly recommended to download the corresponding patch legacy-1-xx.diff alongside the go-1-xx.diff, and apply the legacy-1-xx.diff after applying go-1-xx.diff, which covers the problem from missing flags for LoadLibraryEx that may occur on some not well updated systems.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions