Open Source and information security mailing list archives
Message-ID: <4370C09749CE417A9BEF8A36F5EAB752@localhost>
Date: Sun, 19 May 2013 17:40:57 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Defense in depth -- the Microsoft way

Hi @ll,

the "Microsoft Installer" creates for applications installed via an .MSI the following uninstall information in the Windows registry (see <http://msdn.microsoft.com/library/aa372105.aspx>):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{<GUID>}"
"ModifyPath"="MsiExec.Exe /I{<GUID>}"

Note the unqualified path to the executable "msiexec.exe".

On Windows installations without the "SafeProcessSearchMode" hotfix (cf. <http://support.microsoft.com/kb/905890>) or with this safeguard turned off (cf. <http://msdn.microsoft.com/library/dd266735.aspx>, which refers to <http://support.microsoft.com/kb/959426> alias MS09-015), an executable "msiexec.exe" placed in the CWD or the user's "base" directory (addressed by "%HOMEDRIVE%%HOMEPATH%" and typically equal to "%USERPROFILE%") can be run instead of the intended executable "%SystemRoot%\System32\MsiExec.Exe".

The VERY simple fix (which eliminates this attack vector completely): always use fully-qualified paths to the well-known executables.

JFTR: cf. <http://seclists.org/fulldisclosure/2011/Sep/160>

Stefan Kanthak
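As an added defender-side audit (not part of Stefan Kanthak's post), the PowerShell script below reads the SafeProcessSearchMode value that KB 905890 introduces and lists Uninstall entries whose UninstallString or ModifyPath begins with an unqualified executable name, which is the condition the post describes. The Session Manager key and the WOW6432Node Uninstall hive are the standard Windows locations and are assumptions of this example, not taken from the post.

```powershell
# Added audit script (example code, not from the original post).
# Reports the SafeProcessSearchMode setting and flags uninstall/modify
# commands that rely on the process search path to locate their executable.

function Test-UnqualifiedCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Executable token: a quoted string, or the first whitespace-delimited token.
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    # Qualified if it starts with a drive letter, a UNC prefix, or an
    # environment variable such as %SystemRoot%; otherwise the search path decides.
    return -not ($exe -match '^([A-Za-z]:\\|\\\\|%[^%]+%)')
}

function Get-UnqualifiedUninstallEntries {
    # Both the native and the 32-bit (WOW6432Node) Uninstall hives.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            foreach ($name in 'UninstallString', 'ModifyPath') {
                $value = $props.$name
                if (Test-UnqualifiedCommand $value) {
                    [pscustomobject]@{ Key = $_.PSChildName; Value = $name; Command = $value }
                }
            }
        }
    }
}

function Get-SafeProcessSearchMode {
    # 1 = CWD searched after the system directories; absent/0 = legacy order (CWD first).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name SafeProcessSearchMode -ErrorAction SilentlyContinue).SafeProcessSearchMode
    if ($null -eq $v) { 'not set (legacy search order: CWD before System32)' } else { $v }
}

"SafeProcessSearchMode: $(Get-SafeProcessSearchMode)"
Get-UnqualifiedUninstallEntries | Format-Table -AutoSize
```

Run in an elevated session; every row returned is an entry that a stray "msiexec.exe" (or other same-named binary) in the search path could satisfy when SafeProcessSearchMode is not 1.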