Mitigate .local DLL redirection Windows bug.

Author: barnson

src/burn/stub/precomp.h

@@ -9,6 +9,7 @@
 
 #include <dutil.h>
 #include <apputil.h>
+#include <dirutil.h>
 #include <strutil.h>
 #include <fileutil.h>
 #include <pathutil.h>

src/burn/stub/stub.cpp

@@ -2,6 +2,10 @@
 
 #include "precomp.h"
 
+static const HRESULT E_SUSPECTED_TAMPERING = MAKE_HRESULT(SEVERITY_ERROR, 500/*FACILITY_WIX*/, 2001);
+
+static void AvoidLocalDllRedirection(LPCWSTR wzPath);
+
 
 int WINAPI wWinMain(
     __in HINSTANCE hInstance,
@@ -52,6 +56,8 @@ int WINAPI wWinMain(
         AppInitialize(rgsczSafelyLoadSystemDlls, countof(rgsczSafelyLoadSystemDlls));
     }
 
+    AvoidLocalDllRedirection(sczPath);
+
     // call run
     hr = EngineRun(hInstance, hEngineFile, lpCmdLine, nCmdShow, &dwExitCode);
     ExitOnFailure(hr, "Failed to run application.");
@@ -63,3 +69,23 @@ int WINAPI wWinMain(
 
     return FAILED(hr) ? (int)hr : (int)dwExitCode;
 }
+
+static void AvoidLocalDllRedirection(LPCWSTR wzPath)
+{
+    LPWSTR sczLocalPath = NULL;
+    HMODULE hmodComCtl = NULL;
+
+    // Bail if there's a <bundle>.exe.local directory, as it's a feature of
+    // DLL redirection that has no real use for a bundle and is a hole for
+    // DLL hijacking attacks.
+
+    if (FAILED(StrAllocFormatted(&sczLocalPath, L"%ls.local", wzPath))
+        || DirExists(sczLocalPath, NULL)
+        || FileExistsEx(sczLocalPath, NULL)
+        || FAILED(LoadSystemLibrary(L"Comctl32.dll", &hmodComCtl)))
+    {
+        ::ExitProcess((UINT)E_SUSPECTED_TAMPERING);
+    }
+
+    ReleaseStr(sczLocalPath);
+}

src/burn/stub/stub.vcxproj

@@ -63,6 +63,7 @@
       <SwapRunFromCD>true</SwapRunFromCD>
       <SwapRunFromNET>true</SwapRunFromNET>
       <DelayLoadDLLs>cabinet.dll;crypt32.dll;msi.dll;shlwapi.dll;userenv.dll;version.dll;wininet.dll;wintrust.dll</DelayLoadDLLs>
+      <AdditionalOptions>/DEPENDENTLOADFLAG:0x800 %(AdditionalOptions)</AdditionalOptions>
     </Link>
   </ItemDefinitionGroup>