| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Jan 17 22:35:09 2006 From: ad at heapoverflow.com (ad@...poverflow.com) Subject: Security Bug in MSVC -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I think ms wont fixe any bug in vstudio, I have told them if they will fix the vs2005 issue published recently and they said me exactly what is on your support page: "Only open project files that come from trusted sources." or "Only open WMF files that come from trusted sources." would have been less effort than releasing a patch then lol :D Morning Wood wrote: > ------------------------------------------------------------ - > EXPL-A-2006-002 exploitlabs.com Advisory 048 - > ------------------------------------------------------------ > > - MSVC 6.0 run file bug - > > > > > AFFECTED PRODUCTS ================= Microsoft Visual Studio 6.0 > http://microsoft.com > > Possibly other products referenced in: > http://support.microsoft.com/kb/841189 > > > > OVERVIEW ======== Source code project distributions are very > popular these days. Generally authors offer code as a project with > source, headers, and msvc project files if it is a fairly big > project. Most users will simply open up the project.dsw file, ( > especialy if it says to do so in a readme.txt or other compiler > instructions ) which in turn loads the project.dsp files, which > provides the compiler directives. A malicious attacker could embed > commands to be executed in the project files, and execute any local > code of his choosing. > > note: this is an implemented feature in MSVC, and should be > considered a bug, not a vulnerability. > > > > IMPACT ====== The impact of this is quite severe, as it is possible > to script commands such as to launch ftp, retrieve and execute a > file from a remote location. > > > > > DETAILS ======= By modifying the .dsp files: > > project settings custom build Commands: command to execute > Post-build Step: command to execute > > > 1.a ==== InputPath=.\Release\hello.exe SOURCE="$(InputPath)" > > "hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" calc > > 1.b ==== PostBuild_Cmds=notepad.exe > > > > POC ==== > http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip > > extract, and open hello.dsw click "batch build, build" or "rebuild > all" code will execute ( calc.exe and notepad.exe used as an > example ) calc.exe = Custom-Build notepad.exe = PostBuild Commands > > > > SOLUTION ======== vendor contact: secure@...rosoft.com Sept 20, > 2005 http://support.microsoft.com/kb/841189 updated Jan 6, 2006 > > Microsoft provided these URL's as well: > http://msdn.microsoft.com/library/en-us/vsintro7/html/vxurfopenprojectfromwebdialogbox.asp > http://msdn2.microsoft.com/en-us/library/bs2bkwxc.aspx > > > > > SUGGESTED PATCH =============== Include a dialog box that warns the > user, before pre and post build directives can be launched, if the > presence of execute directives exist in the build project files. > > > > > CREDITS ======= This vulnerability was discovered and researched by > Donnie Werner of exploitlabs > > > mail: wood at exploitlabs.com mail: morning_wood at zone-h.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iQIVAwUBQ81w6K+LRXunxpxfAQKhqw/+PP3xy1cT5WmiEcFQ2QuU4eoFRbgw9ZnA iFDvGqpZXblQuosDIx3jripRKDeshhJc00GbeMT3I9Fw1XrRbVPFETLV7IpitmPQ jhOKo3pRxDp+mxpFOZpc9mDEhLb873j9un309Ahor29hLgnZ5b5O9J6YuWaFXkZN FS9tBvVbypb5rqIPe5GpZzNO88tfqwC/xk9JG3qgpuAtgLM/hh7Dp8fpptKdylTA LfK5OrH5HZ44uJmXxNbDfr8/XJk2Mv9SLC2UitT6DMk/02XfDAR7r2Dj1MnC6Toc SV3Vv9w9tRHkc1/iKV7/cZyrd8fEi8ZJhgn8DgAeLM3OYTW1I+BpOnAiR58F9+KO Zqj2QrY92sJTpXSIq2jswslMguAjkZF5jtmXYjzYSPx8w5xfNkjbLRHZ5vX6iZJC yJXH7nod6OHyCdyLlQIdOsECEorj/bZ5OAlKlgOZrD79cOLCxkOKgrMaxmHIm/Jf 3t/elL4gVS/fvasSsn2Xdm44lzXCbxo/yDfK2wdIb/1tav5Ls9IHs/nO5t1uC5Pc zx9YfGRjQeU7fTdnR9In7hVMzj36tgmmaiH7d1zPZU/7iFEczVxbtyVznN3uYrgB 1dLgRRA7LXtzzLpLKLIqsaf7cx9OiUpR4ajgWufPW6c8rOYq+uM3OJ1iHRzo1fD+ m929rPMgoP4= =wrHF -----END PGP SIGNATURE-----
Powered by blists - more mailing lists