lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 4 Nov 2006 14:03:32 +0100
From: Thierry Zoller <Thierry@...ler.lu>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Internet Explorer 7 - Still Spyware Writers'
	Heaven

Dear list,

>therefore Windows will search for this file in the user's
>machine using the directories provided in the PATH environment
That is a bit simplistic, it will search a lot more then the PATH
prior to that. (See list at the bottom)

>desktop), and the next time the user will run IE7 the code of the
>attacker's file will be executed instead of the original DLL file.

According to the list this should not be the case as the PATH
statemetn is checked ONLY if every other paths have been already
searched for that DLL, (I have seen this
too), so either the list offered on the MS site is wrong or ?

Hint: USE  "Safe DLL Search Order" as offered by Microsoft.

Vulnerability of not using "Safe DLL search" as defined by Micrsoft on
this page : http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch10n.mspx

"If a user unknowingly executes hostile code that was packaged with additional files that
include modified versions of system DLLs, the hostile code could load its own versions
of those DLLs and potentially increase the type and degree of damage
the code can render."

----------------------------------------------------------------------------------------

Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended)

This entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE.
The dynamic-link library (DLL) search order can be configured to search for requested DLLs in one of two ways:

If SafeDllSearchMode is configured to 1, the search order is as follows:
•  The directory from which the application loaded.
•  The system directory.
•  The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
•  The Windows directory.
•  The current directory.
•  The directories that are listed in the PATH environment variable.


If SafeDllSearchMode is configured to 0, the search order is as follows:
•  The directory from which the application loaded.
•  The current directory.
•  The system directory.
•  The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
•  The Windows directory.
•  The directories that are listed in the PATH environment variable.



This is the reason WHY I added the feature call "Enable Safe DLL
Search Order" to Secure-it (http://www.sniff-em.com/secureit.shtml)


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ