Message-ID: <20030721040835.76940.qmail@web15310.mail.bjs.yahoo.com>
From: liudieyuinchina at yahoo.com.cn (Liu Die Yu)
Subject: "windows update activex"

>if there is some XSS hole in
> Windows Update site or if there is a bug in IE that
> allows to trick the URL, 

then the attacker can use the Windows Update ActiveX to:
reboot your machine;
get detailed information on the computer - computer name,
hardware, isAdmin, etc.

BUT it's hard for the attacker to execute his EXE.
I've traced into the module ("IUENGINE.TEXT").

They first create the directory (API: "CreateDirectoryW"),
then they download the EXE file to the newly created
directory. Soon after that, they verify its digest
(API: "LSTRCMPIW"). At last they verify it with
"WinTrust.TEXT" - which I am unable to bypass. If any
of the checks fails, they delete the file (API: "DeleteFileW").

Assuming we already got WINDOWSUPDATE.MICROSOFT.COM
(then we easily got MYCOMPUTER):

the only chance is:
"DeleteFileW" fails.

But chances are very, very slim.

So generally speaking (generally speaking, we can't
break WinTrust), the maximum risk is "RebootMachine" -
nothing more.

Just as a reminder.

Best wishes,

die

-----------------------
umbrella.mx.tc - http://umbrella.mx.tc
safecenter - http://www.safecenter.net
make notes easily - http://domex.int.tc
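The download-and-verify flow the post traces (fresh directory, write the file, compare the digest, run a trust check, delete on any failure) is a general fail-closed pattern, and the post's observation that everything hinges on DeleteFileW succeeding is worth seeing in code. The example below is an added illustration written for this archive page, not code from the post or from the Windows Update engine. It assumes a hypothetical `trust_check` callable standing in for the WinTrust/Authenticode step, uses SHA-256 over a constructed sample payload, and records a cleanup failure separately so that a file which fails verification is never handed back to the caller even when deletion fails.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample payload standing in for a downloaded update EXE.
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed sample update binary, not a real PE"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


@dataclass
class StageResult:
    accepted: bool          # True only if every check passed
    path: Optional[str]     # staged file path, set only when accepted
    reason: str             # "ok" or which check rejected the file
    cleanup_ok: bool        # False if the rejected file could not be removed


def stage_update(payload: bytes, expected_hex: str,
                 trust_check: Callable[[bytes], bool],
                 base_dir: Optional[str] = None) -> StageResult:
    """Stage a downloaded binary the way the post describes:
    new directory -> write file -> digest check -> trust check,
    deleting the file if any check fails.

    trust_check is a hypothetical stand-in for the WinTrust step;
    a real deployment would call WinVerifyTrust (Windows-only)."""
    work_dir = tempfile.mkdtemp(prefix="update-", dir=base_dir)  # CreateDirectoryW
    path = os.path.join(work_dir, "update.exe")
    with open(path, "wb") as fh:
        fh.write(payload)

    # Digest check. Hex digests are case-insensitive, so normalise case and
    # then use a constant-time comparison rather than a plain string compare.
    actual_hex = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual_hex.lower(), expected_hex.lower()):
        return _reject(path, work_dir, "digest mismatch")

    # Signature / trust check (WinTrust in the real engine).
    if not trust_check(payload):
        return _reject(path, work_dir, "trust check failed")

    return StageResult(True, path, "ok", True)


def _reject(path: str, work_dir: str, reason: str) -> StageResult:
    """Remove a rejected file (DeleteFileW). If removal fails the result is
    still a rejection: cleanup failure must not turn into acceptance."""
    cleanup_ok = True
    try:
        os.remove(path)
        os.rmdir(work_dir)
    except OSError:
        cleanup_ok = False  # leftover file noted for the caller to report
    return StageResult(False, None, reason, cleanup_ok)


if __name__ == "__main__":
    good = stage_update(SAMPLE_PAYLOAD, SAMPLE_DIGEST, lambda b: True)
    bad_digest = stage_update(SAMPLE_PAYLOAD, "00" * 32, lambda b: True)
    bad_trust = stage_update(SAMPLE_PAYLOAD, SAMPLE_DIGEST, lambda b: False)
    for r in (good, bad_digest, bad_trust):
        print(r)
```

The point of separating `accepted` from `cleanup_ok` is the one the post makes: the engine's safety rests on the delete step, so a caller should act only on `accepted` and treat `cleanup_ok == False` as an incident to report, never as a reason to fall back to running the staged file.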

