lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 11 Sep 2010 00:59:33 +0530
From: Shreyas Zare <shreyas@...fence.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Nikhil Mittal <nikhil_uitrgpv@...oo.co.in>
Subject: Re: Nmap NOT VULNERABLE to Windows DLL Hijacking
	Vulnerability

Well, there is one vector many people I think are missing in all these DLL
hijacking discussions. Using a LNK or shortcut makes it more interesting.
With LNK, attacker can specify a legitimate file the user is expecting,
while setting current directory to a path which he controls. Also, other
than showing a small arrow in the icon, user dont see any extension and LNK
file size is just few bytes!

Shreyas Zare

Sr. Information Security Researcher
Secfence Technologies
www.secfence.com


On Fri, Sep 10, 2010 at 11:38 PM, Dan Kaminsky <dan@...para.com> wrote:

> On Fri, Sep 10, 2010 at 11:46 AM, Nikhil Mittal
> <nikhil_uitrgpv@...oo.co.in> wrote:
> >
> > >>Here's my definition
> >
> > >>Exploitable vulnerability = vulnerabilityn't t
> > >>Non-exploitable "vulnerability" = mental masturbation
> >
> > Nice definition. I would like to add one more line for my definition
> >
> > Inability to recognize a straight forward vulnerability = mentally
> handicap
>
> OK, lets go over this again.
>
> Nikhil, Simple DLL Hijacking is quite possibly the least
> straightforward potentially exploitable condition *of all time*.  We
> may look back on this characteristic as the thing that finally proved
> the legitimacy of Cross Site Scripting attacks -- compared to Simple
> DLL Hijacking, XSS is practically a stack smash.  Simple DLL
> Hijacking's problem is as follows:
>
> a) The presumed preconditions for an attack are extensive and expensive
> b) An attacker who met those preconditions, would not be stopped by
> the proposed defenses
>
> Regarding a, we're seeing lots of PDF 0-day floating around.  Why?
> Because it's pretty cheap to get somebody to parse a PDF:  <iframe
> src='foo.pdf'> and you're done.  Getting someone to go through all the
> steps with SDH?  Too complicated.
>
> That being said, there are scenarios.  Matt @ AttackVector probably
> found the best one right now -- a worm drops DLLs into a shared
> document folder, and anyone who opens the docs gets hit.  And of
> course, multiple people have figured out that SDH causes problems for
> Autorun defenses, because a document read (not copied) directly off a
> thumbdrive will presently launch code.
>
> Even if you grant these are legitimate vectors, these are vectors
> bouncing off Office's presumed type safety -- not WinImageView
> 3.4.8's.  And they're not even close to straightforward.
>
> The core problem though is that Explorer itself doesn't strongly
> enforce type safety.  I can't emphasize enough, you just don't have
> enough context when you double click an item in a browser, that it's
> not actually an .exe.  People keep pretending you do have this
> context, and it's simply untrue.  Look at it this way:  If it was as
> easy to execute arbitrary code from a web page, as it was from a
> Explorer Shell Window to \\attacker.com\foo, we'd be up in arms.
>
> So essentially, what you find is that the very concept of browsing
> remote shares and USB sticks you don't trust, is unsafe.  This creates
> the astonishing situation where Sharepoint becomes a security
> technology!
>
> You might notice that I keep referring to all this as Simple DLL
> Hijacking.  It's likely that DLL Hijacking will actually be a critical
> component of a genuine attack vector.  It's just not, yet.  The
> journey of a thousand miles has been declared complete with a single
> step.  So we're on the cusp of some huge portion of advisories coming
> from the security community being little more than "random Windows app
> runs DLLs from CWD".
>
> Frankly, I think we can find better bugs.  I think we'd better.  Just
> like bad money drives out good money, bad bugs drive out good bugs.
> The credibility of advisories, and even the usefulness of FD, is
> somewhat at risk.
>
> --Dan
>
> P.S.  Maybe there should be a new list -- full-disclosure-sdh -- for
> this discussion?  I can't be the only one wondering how enormous this
> thread has to get.  Yeah, yeah, I know.  I'm dreaming.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ