lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Mar 2016 13:18:13 +0100 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: "Securify B.V." <lists@...urify.nl> Cc: <bugtraq@...urityfocus.com> Subject: Re: Windows Mail Find People DLL side loading vulnerability "Securify B.V." wrote: > ------------------------------------------------------------------------ > Windows Mail Find People DLL side loading vulnerability > ------------------------------------------------------------------------ > Yorick Koster, September 2015 [...] > - CVE-2016-0100 > - MS16-025: Security Update for Windows Library Loading to Address > Remote Code Execution (3140709) > > ------------------------------------------------------------------------ > Tested versions > ------------------------------------------------------------------------ > This issue was successfully verified on Windows Vista + Office 2010 > 32-bit. This vulnerability demonstrates Microsoft's terrible SLOPPY coding horror^Wpractice: it needs two mistakes to create this kind of bug! "%CommonProgramFiles%\System\wab32res.dll" is (as its name implies) a resource DLL, which means that it contains no code, but only (localized) resources, and SHOULD (better: MUST) be loaded via LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE) to avoid the call of its DllMain() startup code! See <https://msdn.microsoft.com/en-us/library/ms684179.aspx> JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium! Either LoadLibrary("%CommonProgramFiles%\System\wab32res.dll") or LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE) were sufficient to avoid this vulnerability. > ------------------------------------------------------------------------ > Fix > ------------------------------------------------------------------------ > Microsoft released MS16-025 that fixes this vulnerability. Have you checked how Microsoft fixed it? Did they exercise all due diligence now, practised defense in depth and replaced the call to LoadLibrary("wab32res.dll") with a call to LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)? > ------------------------------------------------------------------------ > Details > ------------------------------------------------------------------------ > https://www.securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html stay tuned Stefan
Powered by blists - more mailing lists