lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6171c6010605210802y1ea97ce0m5c306b0a82d40c3e@mail.gmail.com>
Date: Sun May 21 16:02:19 2006
From: cmorris at cs.odu.edu (Charles Morris)
Subject: Insecure call to
	CreateProcess()/CreateProcessAsUser()

Microsoft Explorer (iexplore.exe) calls CreateProcess() with
lpApplicationName = NULL. Instead, the lpCommandLine variable is used.
Unfortunateally, if the lpCommandLine variable is not quoted properly, the
function will attempt to load&execute multiple other applications in
the following fashion:

lpCommandLine = C:\Program Files\Google\Google Talk\googletalk.exe
Will attempt to execute:
C:\Program.exe
C:\Program Files\Google\Google.exe
C:\Program Files\Google\Google Talk\googletalk.exe

If Microsoft Hyperterminal is set up to be your default telnet client,
this behavior is known to be triggered from the web with a telnet:// style link.


Microsoft was notified, they told me it was a "non issue", that they
coulden't reproduce it, and basically "dont worry about it". or
something. Unfortunateally although explorer.exe warns a user when the
file "C:\Program.exe" exists, it does not check any other paths,
therefore it is not nearly a sufficient workaround.

-- 
Charles Morris
        cmorris@...odu.edu

Network Administrator
CS Systems Group                Old Dominion University
http://15037760514/~cmorris

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ