Date: Tue May 10 14:52:26 2005
From: optimist at eurocompton.net (pretty vacant)
Subject: Useless tidbit

You may or may not know that Windows applications often use the registry to
store information about where to find applications within their file
system. Due to the way in which Windows handles filenames, situations
where this information is stored in an unquoted
fashion can leave the application open to an attack commonly referred to
as the "Program.exe trick".

As you know, it's quite common to have files and/or directories with
spaces in the name (e.g. C:\Program Files). Windows is unique in that it
essentially doesn't exactly know what it's doing if the command isn't
quoted and contains spaces. For example look at the following command:

  c:\program files\windows media player\wmplayer

If unquoted, Windows tries the following:

1st try
  Execute: c:\program.exe
  Arg1: files\windows
  Arg2: media
  Arg3: player\wmplayer

2nd try
  Execute: "c:\program files\windows.exe"
  Arg1: media
  Arg2: player\wmplayer

3rd try
  Execute: "c:\program files\windows media"
  Arg1: player\wmplayer

4th try
  Execute: "c:\program files\windows media player\wmplayer.exe"

Well, in the case of MS AntiSpyware (and hundreds of other applications),
it starts up by executing "AntiSpywareMain.exe", which in turn
displays a nice splash screen and performs some other misc activities before
calling gsasDtServ.exe. The problem is that the execution of
gsasDtServ.exe is unquoted: when the app tries to execute c:\program
files\microsoft antispyware\gsasDtServ.exe, if c:\program.exe exists, it
will be executed instead and MS AntiSpyware never actually gets loaded.

With XPSP2, the OS will actually warn you about files like c:\Program.bat,
or c:\Program.exe, but not of c:\program files\internet.exe.

Sadly, this isn't uncommon and when I tested this on my system the first
time, 7 applications were executed over a 48 hour period. Try it for
yourself. My Program.exe logs the executing user and command args to
c:\program.log.



On Tue, 10 May 2005, James Tucker wrote:

> It appears this was a "trick" that I missed, can you provide more info?
>
> thanks.
>
> On 5/9/05, pretty vacant <optimist@...ocompton.net> wrote:
> > Interesting tidbit. The old c:\program.exe trick prevents MS Anti-Spyware from loading at login. :)
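As an added example (not part of the original post or any Microsoft code), the following Python script models the resolution order the post describes for an unquoted command line and audits a constructed set of registry-style path entries, listing the files an administrator must make sure cannot be created by unprivileged users. Entry names and values are made up for illustration; command-line arguments are not modelled.

```python
import ntpath

# Constructed sample of registry-style path values (made-up names and paths,
# not taken from any real system). Values are bare paths without arguments.
SAMPLE_ENTRIES = {
    "MSAntiSpyware": r"c:\program files\microsoft antispyware\gsasDtServ.exe",
    "MediaPlayer": r"c:\program files\windows media player\wmplayer",
    "QuotedApp": r'"c:\program files\quoted app\svc.exe"',
    "NoSpaces": r"c:\windows\system32\svchost.exe",
}


def resolution_attempts(cmdline):
    """Return the (candidate_executable, args) pairs Windows tries, in order,
    for an unquoted command line, following the splitting described in the
    post: the string is cut at each space from left to right, the left part
    is the executable (with '.exe' appended when it has no extension) and the
    remaining tokens become its arguments."""
    tokens = cmdline.split(" ")
    attempts = []
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if not ntpath.splitext(candidate)[1]:
            candidate += ".exe"
        attempts.append((candidate, tokens[i:]))
    return attempts


def is_unquoted_with_spaces(value):
    """True when the value contains a space and is not wrapped in quotes."""
    v = value.strip()
    return " " in v and not v.startswith('"')


def hijack_candidates(path):
    """Every resolution attempt except the final, intended path: if any of
    these files exists, it runs instead of the intended program."""
    return [candidate for candidate, _ in resolution_attempts(path)[:-1]]


def audit(entries):
    """Map each unquoted entry with spaces to the paths that must stay
    non-writable by unprivileged users; quoted or space-free entries are safe."""
    return {name: hijack_candidates(value)
            for name, value in entries.items()
            if is_unquoted_with_spaces(value)}


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_ENTRIES).items():
        print(name)
        for candidate in candidates:
            print("   would be tried first:", candidate)
```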
