Open Source and information security mailing list archives
From: ju at (Juergen Schmidt)
Subject: Flaws security feature of SP2

On Mon, 16 Aug 2004, Jonathan Rickman wrote:

> > Exploiting this issue requires the ability to overwrite
> > existing files which have a trusted or non-existent ZoneID.

> Ok. So if I have the ability to do that, isn't it safe to say that I already
> control the box?

Not necessarily. If your file is not executed, because it has
ZoneID=3 -- you might lose.

But there is another point:

Let's assume that other programs like WinZIP, Mozilla,
Eudora start setting/using ZoneIDs. There will be a lot
of potential for additional, unnecessary problems,
because Explorer in some cases uses the ZoneID of old
files that no longer exist.

Let's assume I download a file with XYZ named hello.exe and I
accept to overwrite the existing hello.exe. hello.exe is overwritten
by XYZ and set to the proper (new) ZoneID=3. Should Explorer give a
warning when I start it? Of course it should. Is it a bug if Explorer
does not warn? Of course it is. Does it need to be fixed? Of course it

> > "... we don't see these issues as being in
> > conflict with the design goals of the new protections.
> > ... we do not see these as issues that we would develop patches
> > or workarounds to address."

> I'm inclined to agree with them. I see the potential for problems as you
> have pointed out, but I guess I need a little help in understanding how this
> could ever be more than a theoretical vulnerability. Could you perhaps
> elaborate and maybe toss in a hypothetical situation or two to help me see
> what you're driving at?

I guess I need a little help in understanding how using wrong security
information could ever be something other than a bug. Could you perhaps
elaborate and maybe toss in an example or two where such a bug in a
security function does not need to be fixed, to help me see what you're
driving at?

I admit that you can argue that SP2 does not intend to cover all
possible execution paths -- so Microsoft might have a point there.
But what are ZoneIDs on downloaded files good for, if they cover only a
small subset of execution paths?

So let's create a *hypothetical* situation:


- we want to install a trojan from a web site.
- there is an IE bug that allows execution of cmd with
  arguments (there were a couple of those already)
- there is an IE bug, that allows guessing the location
  of temp files (afaik we had those too)

Now you need a way to download your trojan file and have it executed.
You've got it with the cmd issue. With it you can simply include
evil.gif in an image tag and execute

cmd /c <temp_path>\evil.gif

Here we go: Download.Ject2 despite of ZoneID=3 on evil.gif

On the other hand, you can argue again: let's close the first two holes and
we are safe.  As I said: with cmd, you can argue...

bye, ju

Juergen Schmidt    Chefredakteur  heise Security
Heise Zeitschriften Verlag,  Helstorferstr. 7,  D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417    EMail
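The ZoneID the mail argues about is stored per file in an NTFS alternate data stream named Zone.Identifier. The following PowerShell script is an added example, not code from the mail or from Microsoft; it reads that stream so a defender can audit which files in a directory carry a ZoneID, marks a constructed test file as a download (ZoneId=3), and then overwrites the file two different ways to show that the ZoneID lives in the file itself and may or may not survive a replacement. It assumes an NTFS volume and PowerShell 3.0 or later for the -Stream parameters; the function names, the hello.exe test file and the zoneid-demo directory are assumptions of this example. It does not reproduce the Explorer caching behaviour the mail describes, only the on-disk record that Explorer is supposed to consult.

```powershell
# Added example, not part of the original mail: read and audit the Zone.Identifier
# alternate data stream in which Windows XP SP2 records the ZoneID of a downloaded file.
# Assumes an NTFS volume and PowerShell 3.0 or later (for the -Stream parameters).
# Zone numbers: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites. A file without the stream has no ZoneID at all.

function Get-FileZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item fails when the stream is absent; treat that as "no ZoneID" ($null).
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -Path $Path -Stream Zone.Identifier -Raw
    if ($text -match '(?m)^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null   # stream present but without a ZoneId line
}

function Set-FileZoneId {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    # Writes the same [ZoneTransfer] block that a browser writes for a download.
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

function Get-ZoneIdReport {
    param([Parameter(Mandatory)][string]$Directory)
    # One row per file; ZoneId 3 or 4 is what Explorer should warn about before running it.
    Get-ChildItem -Path $Directory -File | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            ZoneId = Get-FileZoneId -Path $_.FullName
        }
    }
}

# Demonstration on a constructed file: plain text named hello.exe, never executed.
$dir  = Join-Path $env:TEMP 'zoneid-demo'   # assumed scratch directory
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'hello.exe'

Set-Content -Path $file -Value 'original local file'
"Fresh local file:          ZoneId = $(Get-FileZoneId $file)"

Set-FileZoneId -Path $file -ZoneId 3
"After marking as download: ZoneId = $(Get-FileZoneId $file)"

# Replacement 1: the existing file is opened and rewritten in place.
# Replacement 2: the file is deleted and a new one created under the same name.
# Which streams survive depends on how the writing program replaces the file,
# so the script reports what it observes rather than assuming either outcome.
Set-Content -Path $file -Value 'replacement written in place'
"Overwritten in place:      ZoneId = $(Get-FileZoneId $file)"

Remove-Item -Path $file
Set-Content -Path $file -Value 'replacement created as a new file'
"Deleted and recreated:     ZoneId = $(Get-FileZoneId $file)"

Get-ZoneIdReport -Directory $dir | Format-Table -AutoSize
```

Run it from a PowerShell prompt on an NTFS drive. Get-FileZoneId returns $null for a file that carries no Zone.Identifier stream, which is the normal state of a locally created file and also the state of a file whose replacement did not carry the stream over; an auditor who only looks at the stream therefore learns what Explorer should see, not what a cached value might make it believe.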
