C Sharp Untrusted Dll Search Path
Description
Identifies unsafe external DLL loading declarations in C# code that could allow DLL search path hijacking. When static extern methods are used to load DLLs without specifying full paths, attackers may exploit Windows DLL search order to load malicious libraries from untrusted locations.
Detection Strategy
• Check for method declarations that have both 'extern' and 'static' access modifiers
• Verify the presence of modifier nodes in the method declaration syntax
• Report vulnerability when extern static methods are found since they may allow loading DLLs from unsafe locations
• Example of vulnerable code: [DllImport("user32.dll")] private static extern int MessageBox(...);
Vulnerable code example
using System;
using System.Runtime.InteropServices;
class Program {
// Vulnerable: Unvalidated DLL import can lead to DLL hijacking
[DllImport("The3rdAssembly.dll")]
public static extern void UnsafeFunction();
...✅ Secure code example
using System;
using System.Runtime.InteropServices;
class Program {
// Safe: Restrict DLL search paths to prevent DLL hijacking
[DllImport("The3rdAssembly.dll")]
[DefaultDllImportSearchPaths(DllImportSearchPath.System32 | DllImportSearchPath.SafeDirectories)]
public static extern void UnsafeFunction();...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.