| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6171c6010605210931h16080a44h13a79f361a12e097@mail.gmail.com>
Date: Sun May 21 17:31:17 2006
From: cmorris at cs.odu.edu (Charles Morris)
Subject: Insecure call to
CreateProcess()/CreateProcessAsUser()
I understand that this issue is known, however different applications run
CreateProcess in different ways,
some use the lpApplicationName variable and some use lpCommandLine properly.
My point is however that
the explorer program itself does not do this properly, and that anyone using
explorer or "Internet explorer",
is vulnerable to attack from the web through at least telnet:// links.
(at least proven with Hyperterminal as coincidently
C:\WINNT\SYSTEM32\telnet.exe has no spaces)
Other telnet clients installed to different directories (with spaces) will
also trigger the problem.
It seems to me that I (speaking from a web programmers point of view) should
not be able to ask your computer
to run executables at (what seems to me, at least) arbitrary paths.
This is also a major problem in multiuser environments, as you can trick
some windows services into running your applications.
I have been notifying vendors one by one of their problem, if it is in their
code,
as it seems that nobody wants to really talk about the huge implications of
this;
maybe I am exaggerating the problem. what do you think?
On 5/21/06, Andres Tarasco <atarasco@...il.com> wrote:
>
> That's a well known issue and is documented at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp
>
>
> Andres tarasco
>
> 2006/5/21, Charles Morris <cmorris@...odu.edu>:
> >
> > Microsoft Explorer (iexplore.exe) calls CreateProcess() with
> lpApplicationName = NULL. Instead, the lpCommandLine variable is used.
> Unfortunateally, if the lpCommandLine variable is not quoted properly, the
> function will attempt to load&execute multiple other applications in
> the following fashion:
>
> lpCommandLine = C:\Program Files\Google\Google Talk\googletalk.exe
> Will attempt to execute:
> C:\Program.exe
> C:\Program Files\Google\Google.exe
> C:\Program Files\Google\Google Talk\googletalk.exe
>
> If Microsoft Hyperterminal is set up to be your default telnet client,
> this behavior is known to be triggered from the web with a telnet:// style
> link.
>
>
> Microsoft was notified, they told me it was a "non issue", that they
> coulden't reproduce it, and basically "dont worry about it". or
> something. Unfortunateally although explorer.exe warns a user when the
> file "C:\Program.exe" exists, it does not check any other paths,
> therefore it is not nearly a sufficient workaround.
>
> --
> Charles Morris
> cmorris@...odu.edu
>
> Network Administrator
> CS Systems Group Old Dominion University
> http://15037760514/~cmorris <http://15037760514/%7Ecmorris>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> --
> Loco de aTar
>
--
Charles Morris
cmorris@...odu.edu
Network Administrator
CS Systems Group Old Dominion University
http://15037760514/~cmorris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060521/cd6c71ea/attachment.html
Powered by blists - more mailing lists