Date: Mon, 24 May 2010 08:30:13 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool

Since I'm always for a coding challenge, here goes nothing:
http://www.php.net/manual/en/function.disk-total-space.php#95305
It's in PHP though. The gist of it would be disk_total_space and/or
disk_free_space.
Don't "reinvent the wheel" is what I say :)

Cheers.



On Mon, May 24, 2010 at 3:40 AM, Thor (Hammer of God) <Thor@...merofgod.com> wrote:

> I've been trying to get through to him Larry, but it's been hard ;)
>
> Stu, let's try this first...
>
> In XP, you don't have "built in" elevation features like you do with Vista
> and Windows 7.  While you can certainly run as a regular user and use
> "runas" when you must run something that requires administrative privileges,
> it's not exactly the easiest thing for people to do.  As such, they just run
> as admin.
>
> This is really, really bad.  It's like running as root for everything.
>  Whoever set up your client's systems did them a great disservice when they
> configured everyone to run as admin, as you are beginning to see.  While not
> all malware requires admin permissions, most do.
>
> The way your client got malware was by downloading something and installing
> it as admin.  You should not feel sorry for them.  *THEY* did it.  *THEY*
> are running as admin and THEY are getting infected.  If they choose to stay
> with XP and not have AV properly installed, and to not run as a normal
> user, that is THEIR fault.  When they get infected, you bill them as you
> should.
>
> Create a normal user for them and see if their software works.  That's the
> simplest thing.  If it does, then have them run as that user and not admin -
> that's the least you can do and what I could consider "responsible" from a
> professional standpoint.   Other aspects of the user experience can be very
> easily controlled via GPO assuming they have a domain structure.   Of
> course, the recommendation is to move into Windows 7, which is just freaking
> awesome.   These are the things you need to be concentrating on.
>
> But saying they shouldn't be using Windows because they are running
> software released almost 10 years ago with inadequate AV and running under
> admin while downloading things they shouldn't honestly makes you look like a
> tool.  To focus your attention on MRT *maybe* causing your system to boot
> improperly is ludicrous.  Focus on the malware.  Focus on the user.
>
> We're trying to help here, but you are going to have to do your part too.
> T
>
> p.s.  Last time you were talking about your unreleased code being 1951
> bytes that gave you a drive tot, free, and % free.  I believe you said to me
> "to do better if you can."    Feel free to use the below code at your
> discretion.  I only spent about 15 minutes on it, so I apologize if it is
> rough.  However, it returns all local AND network drives on the system in a
> single command with total, free, and percentage free.   It's 886 bytes.  I'd
> call half the size with more than twice the capabilities "doing better."
>  :-p   Oh, don't mistake the "FreeBFD" part for something it's not.  That's
> just what I thought of it ;)
>
> using System;
> using System.Management;
>
> namespace FreeBFD
> {
>     class Program
>     {
>         static void Main(string[] args)
>         {
>             // Enumerate every logical disk WMI knows about (Win32_LogicalDisk).
>             ManagementClass drivesClass = new ManagementClass("win32_logicaldisk");
>             ManagementObjectCollection drives = drivesClass.GetInstances();
>             foreach (ManagementObject drive in drives)
>             {
>                 drive.Get();
>                 // DriveType 3 = local disk, 4 = network drive; removable,
>                 // CD-ROM and RAM disks are skipped.
>                 int type = Convert.ToInt32(drive["DriveType"]);
>                 if (type == 3 || type == 4)
>                 {
>                     double size = Convert.ToInt64(drive["Size"]);
>                     double free = Convert.ToInt64(drive["FreeSpace"]);
>                     Console.WriteLine("Drive " + drive["deviceid"] + "\nTotal:\t" + size +
>                         "\nFree:\t " + free + "\n%Free:\t" +
>                         Convert.ToDouble((free / size) * 100) + "\n");
>                 }
>             }
>         }
>     }
> }
>
> >-----Original Message-----
> >From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
> >bounces@...ts.grok.org.uk] On Behalf Of Larry Seltzer
> >Sent: Sunday, May 23, 2010 5:57 PM
> >To: stuart@...erdelix.net; full-disclosure@...ts.grok.org.uk
> >Subject: Re: [Full-disclosure] denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool
> >
> >Don't you get it? Your customers installed malware while logged in as
> >administrator on XP. MSRT isn't magic. From this you tell people "Don't run
> >Windows"?
> >
> >And if your customers' apps require admin privileges and they have to run on
> >XP then they really can't be properly secured.
> >
> >Larry Seltzer
> >Contributing Editor, PC Magazine
> >larry_seltzer@...fdavis.com
> >http://blogs.pcmag.com/securitywatch/
> >
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
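Christian's reply points at PHP's disk_total_space/disk_free_space as the ready-made way to get the figures Thor's FreeBFD snippet pulls from WMI. As an added example that is not code from either poster, here is the same report in Python via the standard library's shutil.disk_usage, extended to run on both Windows and POSIX, to skip volumes that cannot be queried (a disconnected network drive), and to guard the division that FreeBFD leaves unguarded when a size comes back zero; the 10% low-space threshold is a constructed value.

```python
import os
import shutil
import string
from typing import Dict, List, Tuple

LOW_SPACE_PCT = 10.0  # constructed threshold: flag volumes with less free space

def percent_free(total: int, free: int) -> float:
    """Percent of the volume that is free; 0.0 when total is unknown or zero."""
    if total <= 0:
        return 0.0
    return (free / total) * 100.0

def candidate_mounts() -> List[str]:
    """Drive letters on Windows; /dev-backed /proc/mounts entries plus '/' elsewhere."""
    if os.name == "nt":
        return [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]
    mounts = {"/"}
    try:
        with open("/proc/mounts", encoding="utf-8") as fh:
            for line in fh:
                parts = line.split()
                if len(parts) > 1 and parts[0].startswith("/dev/"):
                    mounts.add(parts[1])
    except OSError:
        pass  # no /proc (e.g. macOS): report the root filesystem only
    return sorted(mounts)

def usage_report(mounts: List[str]) -> Dict[str, Tuple[int, int, float]]:
    """mount -> (total, free, percent_free); mounts that cannot be queried are skipped."""
    report = {}
    for m in mounts:
        try:
            u = shutil.disk_usage(m)
        except OSError:
            continue  # e.g. a network drive that is currently disconnected
        report[m] = (u.total, u.free, percent_free(u.total, u.free))
    return report

def low_space(report: Dict[str, Tuple[int, int, float]], threshold: float = LOW_SPACE_PCT) -> List[str]:
    """Mounts under the threshold: a volume filling up is an availability risk."""
    return [m for m, (_, _, pct) in report.items() if pct < threshold]

if __name__ == "__main__":
    rep = usage_report(candidate_mounts())
    for m, (total, free, pct) in rep.items():
        print(f"Drive {m}\nTotal:\t{total}\nFree:\t{free}\n%Free:\t{pct:.2f}\n")
    for m in low_space(rep):
        print(f"WARNING: {m} is below {LOW_SPACE_PCT}% free")
```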
