lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue Jan 17 22:24:50 2006
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: Security Bug in MSVC

------------------------------------------------------------
     - EXPL-A-2006-002 exploitlabs.com Advisory 048 -
------------------------------------------------------------

              - MSVC 6.0 run file bug -




AFFECTED PRODUCTS
=================
Microsoft Visual Studio 6.0
http://microsoft.com

Possibly other products referenced in:
http://support.microsoft.com/kb/841189



OVERVIEW
========
Source code project distributions are very popular these days.
Generally authors offer code as a project with source, headers,
and msvc project files if it is a fairly big project. Most users
will simply open up the project.dsw file, ( especialy if it says
to do so in a readme.txt or other compiler instructions ) which
in turn loads the project.dsp files, which provides the compiler
directives.
A malicious attacker could embed commands to be executed in the
project files, and execute any local code of his choosing.

note: this is an implemented feature in MSVC, and should be
considered a bug, not a vulnerability.



IMPACT
======
The impact of this is quite severe, as it is possible to script
commands such as to launch ftp, retrieve and execute a file from
a remote location.




DETAILS
=======
By modifying the .dsp files:

project
settings
custom build
Commands: command to execute
Post-build Step: command to execute


1.a
====
InputPath=.\Release\hello.exe
SOURCE="$(InputPath)"

"hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
 calc

1.b
====
PostBuild_Cmds=notepad.exe



POC
====
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip

extract, and open hello.dsw
click "batch build, build" or "rebuild all"
code will execute ( calc.exe and notepad.exe used as an example )
calc.exe = Custom-Build
notepad.exe = PostBuild Commands



SOLUTION
========
vendor contact:
secure@...rosoft.com Sept 20, 2005
http://support.microsoft.com/kb/841189 updated Jan 6, 2006

Microsoft provided these URL's as well:
http://msdn.microsoft.com/library/en-us/vsintro7/html/vxurfopenprojectfromwebdialogbox.asp
http://msdn2.microsoft.com/en-us/library/bs2bkwxc.aspx




SUGGESTED PATCH
===============
Include a dialog box that warns the user, before pre and post
build directives can be launched, if the presence of execute
directives exist in the build project files.




CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs


mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2006-002-msvc-featurebug.txt
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ