Date: Tue, 31 Aug 2010 23:38:38 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Charles Morris <cmorris@...odu.edu>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"paul.szabo@...ney.edu.au" <paul.szabo@...ney.edu.au>
Subject: Re: DLL hijacking with Autorun on a USB drive

Adding to Charles' point, this DLL hijacking is even less than a non-issue,
considering that the user has opened the "bad" file in the first
place.

I don't see it as a matter of changing the CWD, but rather that the user
shouldn't be running stuff which he doesn't know about.
It's the same analogy Charles mentioned all over again.

Dan: "The security model people keep presuming exists, doesn't."

Dan, there was no security model, and no one assumed there was.
Running dubious files, from anywhere, is always a security risk.

This is more of an anti-virus fix than changing the CWD: the
anti-virus/IPS/whatever knows that the DLL-to-be-loaded is from an
external source, and it should wail out a warning.

I fully acknowledge a message telling me I'm about to run an
executable I've just downloaded, but simply refusing to run it
properly isn't something I (or normal users, for that matter) would
want.

Finally, this "Application X is vulnerable to DLL hijack" needs to
stop, right now. This whole darn thing is stupid... most if not all
applications set the CWD to the target path for several reasons.
The Microsoft Office suite, for instance, keeps backup (archives, caches
and whatnot) files in the same folder the main file resides in. Switching
between directories is surely not an option.

On Tue, Aug 31, 2010 at 11:20 PM, Charles Morris <cmorris@...odu.edu> wrote:
> On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky <dan@...para.com> wrote:
>
>>
>> Again, the clicker can't differentiate word (the document) from word (the
>> executable).  The clicker also can't differentiate word (the document) from
>> word (the code equivalent script).
>>
>> The security model people keep presuming exists, doesn't.
>>
>> Even the situation whereby a dll is dropped into a directory of documents --
>> the closest to a real exploit path there is -- all those docs can be
>> repacked into executables.
>>
>
> What?
>
> I can differentiate my coolProposal.doc from msword.exe just fine..
>
> If your statement is that the windows defaults should be changed,
> including the "hide extensions" default, then I wholeheartedly agree
> as I detailed in my first post. It's the first thing I turn off.
>
> Many people who think the same way have considered that a
> vulnerability in windows for years, I wouldn't consider it part of
> the "DLL Hijacking" fiasco.
>
> Cheers,
> Charles
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
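Editor's note, added to this archive page and not part of the original message: the thread above argues about whether the fix belongs in the CWD or in the user/AV, but never spells out why a DLL dropped next to a document gets loaded at all. The model below reproduces the documented Win32 DLL search order (application directory, System32, Windows directory, current directory, PATH under the default SafeDllSearchMode; CWD moves ahead of System32 when that mode is off) so you can see which copy of a DLL wins once an application has chdir'd to the folder the document lives in. It does not call the Windows loader and does not model KnownDLLs. The application name, directories and DLL names (SomeApp, E:\docs, \\fileserver\docs, spellcheck.dll) are constructed for the example; the CWDIllegalInDllSearch values (1 = block CWD when it is a remote UNC/WebDAV path, 0xFFFFFFFF = never search CWD) are the real ones from Microsoft's KB2264107, and `cwd_removed` stands for an application calling SetDllDirectory("") itself.

```python
"""Model of the Win32 DLL search order, for reasoning about DLL hijacking
when an application has set its current directory (CWD) to the folder a
document was opened from.  Constructed example: it mimics the documented
search order; it does not call the Windows loader."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"
APP_DIR = r"C:\Program Files\SomeApp"   # hypothetical application directory
CWD_BLOCK_REMOTE = 1                     # CWDIllegalInDllSearch values (KB2264107)
CWD_BLOCK_ALL = 0xFFFFFFFF


@dataclass
class Process:
    cwd: str
    app_dir: str = APP_DIR
    path: List[str] = field(default_factory=lambda: [r"C:\Tools"])  # hypothetical PATH entry
    safe_search: bool = True    # SafeDllSearchMode, the default since XP SP2
    cwd_policy: int = 0         # 0 = CWD searched as usual
    cwd_removed: bool = False   # True once the app has called SetDllDirectory("")


def is_remote(directory: str) -> bool:
    """UNC paths (\\\\server\\share) count as remote; drive letters do not."""
    return directory.startswith("\\\\")


def cwd_searched(p: Process) -> bool:
    if p.cwd_removed or p.cwd_policy == CWD_BLOCK_ALL:
        return False
    if p.cwd_policy == CWD_BLOCK_REMOTE and is_remote(p.cwd):
        return False
    # Value 2 (WebDAV only) is not modelled: a path alone cannot tell WebDAV from SMB.
    return True


def search_order(p: Process) -> List[str]:
    """Directories probed, in order, for a DLL given by bare name."""
    order = [p.app_dir]
    cwd = [p.cwd] if cwd_searched(p) else []
    if p.safe_search:
        order += [SYSTEM32, WINDOWS] + cwd
    else:
        order += cwd + [SYSTEM32, WINDOWS]
    return order + p.path


def resolve(p: Process, dll: str, fs: Dict[str, Set[str]]) -> Optional[str]:
    """Return the full path the loader would pick, or None if the load fails."""
    for directory in search_order(p):
        present = {f.lower() for f in fs.get(directory, set())}
        if dll.lower() in present:
            return directory + "\\" + dll
    return None


# Constructed file system: a document plus two planted DLLs, once on a USB
# drive (local path) and once on a network share (remote path).
USB = r"E:\docs"
SHARE = r"\\fileserver\docs"
FS: Dict[str, Set[str]] = {
    SYSTEM32: {"kernel32.dll", "version.dll"},
    APP_DIR: {"someapp.exe"},
    USB: {"proposal.doc", "version.dll", "spellcheck.dll"},
    SHARE: {"proposal.doc", "version.dll", "spellcheck.dll"},
}


def scenarios() -> Dict[str, Optional[str]]:
    return {
        # App chdir'd to E:\docs while opening proposal.doc; spellcheck.dll is an
        # optional component that exists nowhere else, so the planted copy wins.
        "usb_optional_dll": resolve(Process(cwd=USB), "spellcheck.dll", FS),
        # A DLL that lives in System32 is safe under SafeDllSearchMode...
        "usb_system_dll_safe": resolve(Process(cwd=USB), "version.dll", FS),
        # ...but not with SafeDllSearchMode off, where CWD precedes System32.
        "usb_system_dll_unsafe": resolve(Process(cwd=USB, safe_search=False), "version.dll", FS),
        # CWDIllegalInDllSearch=1 blocks the share (remote CWD)...
        "share_policy_remote": resolve(Process(cwd=SHARE, cwd_policy=CWD_BLOCK_REMOTE), "spellcheck.dll", FS),
        # ...and does nothing for a USB drive, which is a local path.
        "usb_policy_remote": resolve(Process(cwd=USB, cwd_policy=CWD_BLOCK_REMOTE), "spellcheck.dll", FS),
        # Dropping CWD from the search entirely: the load fails instead of running the planted DLL.
        "usb_cwd_removed": resolve(Process(cwd=USB, cwd_removed=True), "spellcheck.dll", FS),
    }


if __name__ == "__main__":
    for name, hit in scenarios().items():
        print(f"{name:24s} -> {hit}")
```

The case that matters for this thread is `usb_policy_remote`: the subject line is about a USB drive, which is a local drive letter, so the "block remote CWD only" setting leaves it exposed, and only removing CWD from the search (system-wide with 0xFFFFFFFF, or per application with SetDllDirectory("")) turns the planted DLL into a failed load.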
