lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <3E11D5B2B951455081EE006D2E2E61F7@celsius>
Date: Sat, 19 Oct 2013 18:35:05 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Defense in depth -- the Microsoft way (part 12): NOOP security fixes

Hi @ll,

with <http://technet.microsoft.com/security/bulletin/ms12-034>
Microsoft addressed CVE-2012-0181 for Windows NT 5.x; see
<https://support.microsoft.com/kb/2686509> for details.

BUT: the hotfix KB2686509 does NOT fix anything!

Instead it just checks ONCE(!) whether all the "keyboard layout DLLs"
registered beneath

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="KBD*.DLL"

are either registered with their fully-qualified pathname or exist in
%SystemRoot%\System32.

This STATIC, ONE-TIME check does NOT cure the problem, it only checks
for the symptom!

If Microsoft REALLY cared about security, the hotfix KB2686509 (or
better: Windows setup) would (re)write all references to filenames with
their fully-qualified pathname, i.e. as

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="%SystemRoot%\\System32\\KBD*.DLL"


Timeline:
~~~~~~~~~

2004-08-23    informed vendor about still unfixed principal security
              flaws due to unqualified filenames and Windows' EXE/DLL
              search/load order after release of SP2 for Windows XP

JFTR: Microsoft started their "trustworthy computing" initiative in
      2001, and XP SP2 was supposed to eliminate many of the errors
      Microsoft made in previous versions of NT.

2004-08-25    vendor replies "no vulnerabilities", but forwards report
              to product groups/teams

2004-09-02    vendor still won't see vulnerabilities, asks for POC(s)

...

2008-05-30    vendor publishes
              <http://technet.microsoft.com/security/advisory/953818>

2009-04-15    vendor publishes <http://support.microsoft.com/kb/959426>
              alias
              <http://technet.microsoft.com/security/bulletin/ms09-015>
              plus
              <http://technet.microsoft.com/security/bulletin/ms09-014>

2010-08-23    vendor publishes
              <http://technet.microsoft.com/security/advisory/2269637>
              and updates it over and over again since then

2012-05-08    vendor publishes <http://support.microsoft.com/kb/2686509>
              alias
              <http://technet.microsoft.com/security/bulletin/ms12-034>


stay tuned
Stefan Kanthak


PS: if Microsoft weren't such sloppy coders and had a QA department, this
    whole class of vulnerabilities would not exist: the path to EVERY
    executable in Windows is well-known, all references can use the
    fully-qualified, absolute pathname.

    <http://home.arcor.de/skanthak/download/XP_FIXIT.INF> fixes all the
    2500+ unqualified (plus not properly quoted long) filenames left in
    the registry of Windows XP SP3 AFTER fixing the other 2000+ unqualified
    (plus not properly quoted long) filenames in the \i386\HIVE*.INF and
    \i386\DMREG.INF (from which the initial registry is built) on the
    installation media.

    <http://home.arcor.de/skanthak/download/W7_ERROR.INF> documents the
    4500+ unqualified filenames in the registry of Windows 7 Professional
    with SP1, and <http://home.arcor.de/skanthak/download/W7_ISSUE.INF>
    documents some other issues.
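The check and the rewrite the post asks for, as an added PowerShell example that is not part of the original message and not Microsoft's or Stefan Kanthak's code. The registry path and the "LayoutFile" value name are taken from the post; the definition of "qualified" (absolute after expanding %VAR% references) and the choice to store the corrected value as REG_EXPAND_SZ are this example's assumptions, as is the script name used in the usage note.

```powershell
# Added example, not part of the original post: audit the "LayoutFile" values
# beneath HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID> and,
# with -Fix, rewrite unqualified names as %SystemRoot%\System32\<name>.
# Run in an elevated PowerShell for -Fix; -WhatIf shows the writes without doing them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix
)

$base  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
$sys32 = Join-Path $env:SystemRoot 'System32'

foreach ($entry in Get-ChildItem -Path $base -ErrorAction Stop) {
    # Read the raw value so a %SystemRoot%-relative entry is seen as written,
    # not pre-expanded by the registry provider.
    $raw = $entry.GetValue('LayoutFile', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) { continue }

    # Assumption: an entry counts as qualified when it is an absolute path
    # after expanding any %VAR% references it contains.
    $expanded  = [Environment]::ExpandEnvironmentVariables($raw)
    $qualified = [System.IO.Path]::IsPathRooted($expanded)
    $name      = [System.IO.Path]::GetFileName($expanded)
    $inSys32   = Test-Path -LiteralPath (Join-Path $sys32 $name)

    # One row per <LCID> key; unqualified entries whose file is also missing
    # from System32 are the ones a one-time check such as KB2686509's would flag.
    [pscustomobject]@{
        LCID       = $entry.PSChildName
        LayoutFile = $raw
        Qualified  = $qualified
        InSystem32 = $inSys32
    }

    if ($Fix -and -not $qualified) {
        # Assumption: store the value as REG_EXPAND_SZ so %SystemRoot% is
        # expanded at load time; the post only shows the target string.
        $new = '%SystemRoot%\System32\' + $name
        if ($PSCmdlet.ShouldProcess("$base\$($entry.PSChildName)", "Set LayoutFile = $new")) {
            Set-ItemProperty -Path $entry.PSPath -Name LayoutFile -Value $new -Type ExpandString
        }
    }
}
```

Saved as, say, Audit-KeyboardLayout.ps1 (a hypothetical name), `.\Audit-KeyboardLayout.ps1` lists every layout with its qualification status, `.\Audit-KeyboardLayout.ps1 -Fix -WhatIf` previews the rewrites, and `-Fix` alone applies them. Unlike the one-time check the post criticises, the audit can be re-run at any time, for example after a layout package or a third-party IME registers a new <LCID> key; export the key with `reg export` first so the change can be reverted.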
