| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Feb 2004 21:36:55 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Subject: Re: is predicatable file location a vuln? (was RE: Aol Instant Messenger/Microsoft Internet Explorer remote code execution)
<!--
> Being able to store arbitrary content in a predictable file
>location is a vulnerability category of its own
An interesting category, for sure. I think this point deserves
discussion. Is the use of predictable file locations really a
vulnerability?
-->
If it isn't it should be. I'll give you four that have been put
on the back-burner for later realization (make a note that this
will be fair warning to the vendor):
1. wecerr.txt still remains a named file in a known location
with arbitrary content, that the vendor simply refuses (more
than likely cannot be bothered)to fix. This is going to hit
them square in the nuts if not now, then in the very near
future. And I'll make sure it is zero-day'd. This combo is now
both 1 and bordering on 2 years old:
<body onload=malware() style="behavior: url
(#default#httpFolder);">
<script>
function malware(){
document.body.navigate("http://www.microsoft.com");alert
("malware");location=("shell:profile\Local
Settings\Temp\wecerr.txt")
}
</script>
2. Outlook Express deposits an embedded sound file in an html
email in the temp upon opening. We are able to access the temp
via link: shell:profile\Local Settings\Temp\foo.mid. That
embedded sound file need not be proper. That is it can be an
html file renamed .mid or .wav and it will still be delivered to
the temp. At the moment it is not named but history shows us,
with a bit of effort and luck, even that can be remedied.
3. Outlook proper and Outlook Express. When you send a webpage
via email, it creates an exact copy of that page in the temp,
file extensioned .html along with the name. Again you can access
it directly via the above but to invoke or cause it
automatically remains under examination.
4. The Outlook Express 'bug' again over 12 months old ~ file
being the Windows Address Book remains in place and is still
created every time you touch the address book with a few
predictable locations: ~ file on desktop or in C: etc. For
identity theft which appears to be the latest concern, this is
it. Accessing it via remote is quite easy for the reasons
already described.
The vendor in all cases, just cannot be bothered to fix any of
these things. Simply does not care. It seems that the new mantra
is "none of our customer's are affected by it" so let's not fix
it.
WATCH OUT !
All these will culminate in yet another STENCH ! exploit sooner
or later.
That is a true predicatable path.
End Call
--
http://www.malware.com
Powered by blists - more mailing lists