Opened 7 years ago
Last modified 7 years ago
#16901 new defect
Non-driver certificates not handled correctly by hardening (OpenText SOCKS) — at Version 3
| Reported by: | Lars Hupfeldt | Owned by: | |
|---|---|---|---|
| Component: | other | Version: | VirtualBox 5.1.22 |
| Keywords: | | Cc: | |
| Guest type: | Linux | Host type: | Windows |
Description (last modified by )
I had originally raised an issue with OpenText socks that their DLL was not signed and so did not work with VirtualBox. They have now provided a signed version, but it is not signed with a driver certificate. According to OpenText support VirtualBox is not handling the signing check correctly. Some of my correspondence with OpenText support is pasted below.
Hello Lars,
In regards to ticket #3056978, I received input from Engineering. This issue appears to be related to the third party application.
According to Engineering: If you used signtool, it would show the DLL is properly signed. Note, using the default option will show a trust error because the default assumes driver signing and this is not a driver with a signed catalog file. You need to use the /pa argument for the signing to show as valid. Since you use SigCheck (Sysinternals), you do not need to use any parameters to show the DLL is signed.
C:\Users\xx>sigcheck64 "c:\Program Files\Open Text\SOCKS Client\*" > C:\xx\sigcheck_socks.14.0.16.txt
(Refer to the output in the attached file.)
The root issue is that the VirtualBox process will have HumSOCKS.dll injected into its process space (this is simply how SOCKS works on Windows). On startup it does a complicated self-validation on itself and all loaded DLLs in the main process space. Essentially the rules force that all DLLs need to be signed properly (or a couple of other exceptions for specific location and owner of file). It appears that their code fails the same way that signtool does without the /pa flag and ultimately will not start up when we are in their process space because of that. In one sense this is correct behavior because there's no signed catalog file for us at all, but it's definitely unwanted because it should not apply that logic for 3rd party DLLs that are not drivers.
This appears to be a long-standing issue with VirtualBox - check out https://www.virtualbox.org/ticket/13659. The corrupted path it starts out as is not a problem for us but the exact same issue with failed trust for a correctly signed DLL is the main issue left.
Regards, OpenText Support
To: support@…
Subject: Re: FW: OTCS Ticket 3056978 Socks 14: VirtualBox does not work when SocksClient is installed
Hi, I have tried your recommendation of importing the certificate. I also tried disabling the virus scanner. I also tried importing the intermediate certificate and tried loosening some policy settings, but nothing solves the problem. SHA-256 certificates show up fine in Windows and the patch required for support is installed. The error I'm getting in the VBoxHardening.log is:
```
14a4.1a9c: supHardenedWinVerifyImageByHandle: -> -23021 (\Device\HarddiskVolume1\Program Files\Open Text\SOCKS Client\HumSOCKS.dll) WinVerifyTrust
14a4.1a9c: Error (rc=0):
14a4.1a9c: supR3HardenedScreenImage/LdrLoadDll: rc=Unknown Status -23021 (0xffffa613) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume1\Program Files\Open Text\SOCKS Client\HumSOCKS.dll: None of the 1 path(s) have a trust anchor.: \Device\HarddiskVolume1\Program Files\Open Text\SOCKS Client\HumSOCKS.dll
14a4.1a9c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume1\Program Files\Open Text\SOCKS Client\HumSOCKS.dll
14a4.1a9c: Error (rc=0):
14a4.1a9c: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Program Files\Open Text\SOCKS Client\HumSOCKS.dll' (C:\Program Files\Open Text\SOCKS Client\HumSOCKS.dll): rcNt=0xc0000190
14a4.1a9c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000190 'C:\Program Files\Open Text\SOCKS Client\HumSOCKS.dll'
```
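A small triage helper for the VBoxHardening.log excerpt above, added here as an example and not part of the ticket or of VirtualBox: it correlates, per DLL, the failed image verification, the stated reason and the LdrLoadDll rejection. The function names, the regexes and the matching by file name are assumptions derived only from the lines quoted in this ticket.

```python
import re
from collections import defaultdict

# Constructed sample: the VBoxHardening.log lines quoted in this ticket.
SAMPLE_LOG = r"""
14a4.1a9c: supHardenedWinVerifyImageByHandle: -> -23021 (\Device\HarddiskVolume1\Program Files\Open Text\SOCKS Client\HumSOCKS.dll) WinVerifyTrust
14a4.1a9c: Error (rc=0):
14a4.1a9c: supR3HardenedScreenImage/LdrLoadDll: rc=Unknown Status -23021 (0xffffa613) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume1\Program Files\Open Text\SOCKS Client\HumSOCKS.dll: None of the 1 path(s) have a trust anchor.: \Device\HarddiskVolume1\Program Files\Open Text\SOCKS Client\HumSOCKS.dll
14a4.1a9c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume1\Program Files\Open Text\SOCKS Client\HumSOCKS.dll
14a4.1a9c: Error (rc=0):
14a4.1a9c: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Program Files\Open Text\SOCKS Client\HumSOCKS.dll' (C:\Program Files\Open Text\SOCKS Client\HumSOCKS.dll): rcNt=0xc0000190
14a4.1a9c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000190 'C:\Program Files\Open Text\SOCKS Client\HumSOCKS.dll'
"""

# Patterns derived only from the quoted lines (assumption: other builds may log differently).
VERIFY = re.compile(r"supHardenedWinVerifyImageByHandle: -> (-?\d+) \((.+?)\)")
SCREEN = re.compile(r"supR3HardenedScreenImage/\w+: rc=.*?(-?\d+) \((0x[0-9a-fA-F]+)\)"
                    r".*?fAccess=\S+ (\\Device\\[^:]+): (.+?): ")
REJECT = re.compile(r"supR3HardenedMonitor_LdrLoadDll: rejecting '([^']+)'.*rcNt=(0x[0-9a-fA-F]+)")

def _key(path):
    # NT device paths and DOS paths name the same file differently,
    # so correlate on the lower-cased file name only.
    return path.rsplit("\\", 1)[-1].lower()

def rejected_images(log_text):
    """Return {file_name: details} for each image the loader hook rejected."""
    found = defaultdict(dict)
    for line in log_text.splitlines():
        if m := VERIFY.search(line):
            found[_key(m[2])].update(rc=int(m[1]), nt_path=m[2])
        elif m := SCREEN.search(line):
            rc, rc_hex, path, reason = m.groups()
            # The hex in parentheses should be the same status as a 32-bit value.
            same = (int(rc) & 0xFFFFFFFF) == int(rc_hex, 16)
            found[_key(path)].update(reason=reason, rc_hex_matches=same)
        elif m := REJECT.search(line):
            # 0xc0000190 is NTSTATUS STATUS_TRUST_FAILURE.
            found[_key(m[1])].update(rejected=True, dos_path=m[1], rc_nt=int(m[2], 16))
    return {name: d for name, d in found.items() if d.get("rejected")}

if __name__ == "__main__":
    for name, d in rejected_images(SAMPLE_LOG).items():
        print(f"{name}: rc={d['rc']} rcNt={d['rc_nt']:#x} reason={d['reason']}")
```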
Change History (4)
by , 7 years ago
| Attachment: | sigcheck_socks.14.0.16.txt added |
|---|
comment:1 by , 7 years ago
comment:2 by , 7 years ago
I can't see any further changes to this ticket. So I would like a new update to it. We need a reply so Lars can complete his work for us.
comment:3 by , 7 years ago
| Description: | modified (diff) |
|---|


I also tested with 5.1.23r116680