Message-ID: <20040825135026.33794.qmail@web51509.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: [Full Disclosure] More fun w/ XP SP 2

Hey, folks,

More on (no pun intended...well, maybe...) the
":Zone.Identifier" issue in XP SP 2.  I originally saw
this here:
http://www.heise.de/security/artikel/print/50051

Other Google hits refer back to this article. 
Interestingly enough, Microsoft doesn't mention
alternate data streams (ADSs) when searching their
site for references to ZoneIDs.  For information on
ADSs, see:
http://patriot.net/~carvdawg/perl.html

So, one has to ask, is this really a "security"
feature?  If it is, I can see why it has been stated
that this functionality has flaws...but I don't really
see it as a security feature at all.  

However, it does pose an interesting opportunity to
have fun with someone.  Remember the release of BO,
and how annoying it was to have your cup holder
constantly open and close on your system?  Well,
bringing that annoyance into the modern age, a couple
of lines at the command prompt, and write access to a
file, are all it takes to create the zoneID ADS on
arbitrary files:

C:\>echo [ZoneTransfer] > somefile:Zone.Identifier
C:\>echo zoneID=3 >> somefile:Zone.Identifier

This can easily be replicated in code (VBS, Perl,
etc).  So what happens when "somefile" is winword.exe,
sol.exe, or even iexplore.exe?  

So what's the point?  This new feature in XP SP 2
provides plenty of opportunity for mischief.  Yes,
yes, I know...if someone has write access to your
drive, you've got other things to worry about. 
However, the use of batch files like the one attached
at the end of this post in a corporate environment
could easily lead to a DoS attack on the helpdesk.

Anyway...

Harlan

PS:  shoutz out to P-Tricky @ ISS!!!  ;-)

---------------------------------------------------
rem Batch file: %1 is the file to tag with a Zone.Identifier stream
@echo off
echo [ZoneTransfer] > %1:Zone.Identifier
echo zoneID=3 >> %1:Zone.Identifier
---------------------------------------------------
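
For the helpdesk side of the scenario above, a way to find which files under a directory carry a `Zone.Identifier` stream at Internet zone (3) or higher. This is an added example, not part of the original post; it assumes Python on an NTFS volume, and the function names are hypothetical.

```python
import os

STREAM = ":Zone.Identifier"  # NTFS alternate data stream name from the post

def parse_zone(text):
    """Return the zone number from stream content, or None if missing/malformed."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None

def read_zone(path):
    """Return (stream_present, zone) for one file."""
    try:
        with open(path + STREAM, encoding="utf-8-sig", errors="replace") as fh:
            return True, parse_zone(fh.read())
    except OSError:  # no such stream, or a volume without stream support
        return False, None

def audit(root, threshold=3):
    """List (path, zone) for files tagged at or above threshold (3 = Internet).

    zone is None when the stream exists but carries no usable ZoneId.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            present, zone = read_zone(full)
            if present and (zone is None or zone >= threshold):
                hits.append((full, zone))
    return sorted(hits)

# Constructed sample: what the two echo commands in the post write.
SAMPLE = "[ZoneTransfer] \r\nzoneID=3 \r\n"

if __name__ == "__main__":
    import sys
    for path, zone in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{zone}\t{path}")
```

Run it against a program directory; any hit on a binary that was installed locally rather than downloaded is worth a look, since the stream can be written by anyone with write access to the file.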

