Message-ID: <Pine.LNX.4.58.0408162135210.1898@tiwaz.junet.local>
From: ju at heisec.de (Juergen Schmidt)
Subject: Flaws security feature of SP2
On Mon, 16 Aug 2004, Jonathan Rickman wrote:
> > Exploiting this issue requires the ability to overwrite
> > existing files which have a trusted or non-existent ZoneID.
> Ok. So if I have the ability to do that, isn't it safe to say that I already
> control the box?
Not necessarily. If your file is not executed, because it has
ZoneID=3 -- you might lose.
But there is another point:
Let's assume that other programs like WinZIP, Mozilla,
Eudora start setting/using ZoneIDs. There will be a lot
of potential for additional, unnecessary problems,
because Explorer in some cases uses the ZoneID of old
files that no longer exist.
Let's assume I download a file with XYZ named hello.exe and I
accept to overwrite the existing hello.exe. hello.exe is overwritten
by XYZ and set to the proper (new) ZoneID=3. Should Explorer give a
warning when I start it? Of course it should. Is it a bug if Explorer
does not warn? Of course it is. Does it need to be fixed? Of course it
does.
> > "... we don't see these issues as being in
> > conflict with the design goals of the new protections.
> > ... we do not see these as issues that we would develop patches
> > or workarounds to address."
> I'm inclined to agree with them. I see the potential for problems as you
> have pointed out, but I guess I need a little help in understanding how this
> could ever be more than a theoretical vulnerability. Could you perhaps
> elaborate and maybe toss in a hypothetical situation or two to help me see
> what you're driving at?
I guess I need a little help in understanding how using wrong security
information could ever be something other than a bug. Could you perhaps
elaborate and maybe toss in an example or two where such a bug in a
security function does not need to be fixed, to help me see what you're
driving at?
I admit that you can argue that SP2 does not intend to cover all
possible execution paths -- so Microsoft might have a point there.
But what are ZoneIDs on downloaded files good for, if they cover only a
small subset of execution paths?
So let's create a *hypothetical* situation.
Assume:
- we want to install a trojan from a web site.
- there is an IE bug that allows execution of cmd with
arguments (there were a couple of those already)
- there is an IE bug, that allows guessing the location
of temp files (afaik we had those too)
Now you need a way to download your trojan file and have it executed.
You've got it with the cmd issue. With it you can simply include
evil.gif in an image tag and execute
cmd /c <temp_path>\evil.gif
Here we go: Download.Ject2 despite ZoneID=3 on evil.gif
On the other hand, you can argue again, let's close the first two holes and
we are safe. As I said: with cmd, you can argue...
bye, ju
--
Juergen Schmidt Chefredakteur heise Security www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@...sec.de
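The stale-ZoneID behaviour the mail describes (Explorer reusing the zone verdict of a file that has since been overwritten) modelled as an added example; this is not code from the thread, from Explorer or from Microsoft. It parses the `Zone.Identifier` alternate data stream format that carries the ZoneID (`[ZoneTransfer]` / `ZoneId=3`), then contrasts a checker that caches its verdict per path with one that re-reads the stream on every check. The in-memory `fs` dictionary, the two checker classes and the sample stream bytes are constructed for the illustration; `read_zone_stream` uses the `file:Zone.Identifier` path syntax and only returns data on NTFS under Windows.

```python
"""Parse an NTFS Zone.Identifier stream (the "ZoneID" of the thread) and show
why a cached per-path verdict goes wrong once a file is overwritten."""

# URLZONE values Explorer/IE write into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample streams, not captured from a real system.
SAMPLE_INTERNET = b"[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_TRUSTED = b"[ZoneTransfer]\r\nZoneId=2\r\n"
SAMPLE_GARBAGE = b"not a zone stream"


def parse_zone_id(stream):
    """Return the integer ZoneId from Zone.Identifier bytes, or None.
    Only keys inside the [ZoneTransfer] section are honoured."""
    text = stream.decode("utf-8", errors="replace")
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def read_zone_stream(path):
    """Read the Zone.Identifier ADS of a file (Windows/NTFS only). A file
    without the stream, i.e. a "non-existent ZoneID", yields None."""
    try:
        with open(path + ":Zone.Identifier", "rb") as f:
            return f.read()
    except OSError:
        return None


def should_warn(stream):
    """Warn for Internet (3) and Restricted Sites (4). A missing or
    unparseable stream counts as trusted, which is exactly why a stale or
    absent stream on an overwritten file matters."""
    zone = parse_zone_id(stream) if stream is not None else None
    return zone is not None and zone >= 3


def describe(stream):
    """Human-readable zone label for a stream (or its absence)."""
    zone = parse_zone_id(stream) if stream is not None else None
    if zone is None:
        return "no ZoneID (treated as trusted)"
    return "ZoneId=%d (%s)" % (zone, ZONE_NAMES.get(zone, "unknown"))


class NaiveZoneChecker:
    """Constructed model of the bug: the verdict is cached per path and never
    invalidated, so after hello.exe is overwritten by a ZoneId=3 download the
    old 'trusted' answer is still returned."""

    def __init__(self):
        self._cache = {}

    def check(self, fs, path):
        if path not in self._cache:
            self._cache[path] = should_warn(fs.get(path))
        return self._cache[path]


class FreshZoneChecker:
    """Re-reads the stream on every check; the verdict follows the file."""

    def check(self, fs, path):
        return should_warn(fs.get(path))


def overwrite_scenario(checker):
    """Replay the mail's hello.exe story against an in-memory stand-in for
    NTFS (path -> stream bytes). Returns (verdict before, verdict after)."""
    fs = {"hello.exe": None}               # existing local file, no stream
    before = checker.check(fs, "hello.exe")
    fs["hello.exe"] = SAMPLE_INTERNET       # overwritten by download, ZoneId=3
    after = checker.check(fs, "hello.exe")
    return before, after


if __name__ == "__main__":
    print("naive :", overwrite_scenario(NaiveZoneChecker()))
    print("fresh :", overwrite_scenario(FreshZoneChecker()))
    print(describe(SAMPLE_INTERNET), "|", describe(SAMPLE_GARBAGE))
```

The naive checker answers `(False, False)`: the overwritten hello.exe is started without a warning. The fresh checker answers `(False, True)`, which is the behaviour the mail argues Explorer should have.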