lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 5 Sep 2011 12:33:25 +0200
From: Mario Vilas <mvilas@...il.com>
To: paul.szabo@...ney.edu.au
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host
 DLL Hijacking

Paul,

Those file extensions correspond to scripts. If a file contains a script
that runs when the file is double clicked, and the scripting engine is not
sandboxed (meaning the script can do the same things an executable file can
do) then the attack is meaningless. You can simply have the script inside
the file do malicious things instead of planting a DLL.

Binary planting, regardless of the discussion about it being a
"vulnerability" or not, in any case only makes sense when the file only
contains static data, or when the file contains executable code that would
normally not have the same privileges as a standard executable file. (A
script that doesn't get executed when double clicking on it -for example if
a text editor is opened instead- would be the same case as in a data file).

I've never used .js or .jse scripts on Windows, but all the other extensions
are patently not sandboxed scripts. In fact, the Windows Script Host
software is mostly used to write system maintenance scripts, so it's obvious
its scripts can't be restricted or they'd be useless. I'm guessing the same
applies to .js and .jse then, and of course I wouldn't mind seeing proof
that it doesn't. However the links you provided don't really prove anything
(the first one even says "this is not a complete list", and I admit I've
only glanced the second one but it seems unrelated, as it applies to file
transfers on Microsoft Sharepoint).

Planting a DLL file to be executed at the same time as other executable file
is just a convoluted way of doing the same thing. It *may* be used in some
strange, artificial situations, but I'm not convinced there aren't better
ways to do it, and in any case it doesn't justify an advisory. And judging
from what the timeline reads, I believe Microsoft simply ignored this one.

I hope my explanation helped :)
-Mario

On Mon, Sep 5, 2011 at 12:54 AM, <paul.szabo@...ney.edu.au> wrote:

> > Application: wscript.exe
> > Extensions: js, jse, vbe, vbs, wsf, wsh
> > Library: wshesn.dll
>
> Many people commented that the above extensions are "executable"
> already, so are (should be) treated with caution, or that they
> can be trojaned directly without any DLL load shenanigans.
>
> However... looking at
> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
>
> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
> I do not see JS listed as executable, though JSE is listed.
>
> Looking at
> http://msdn.microsoft.com/en-us/library/ms722429.aspx
> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
> machine, none of the above extensions are "designated".
>
> Maybe DLL hijacking is useful for some of these file types, after all?
>
> Cheers, Paul
>
> Paul Szabo   psz@...hs.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ