Date: Wed, 8 Nov 2006 09:13:32 -0600 (CST)
From: Gadi Evron <ge@...uxbox.org>
To: full-disclosure@...ts.grok.org.uk
Cc: code-crunchers@...testar.linuxbox.org
Subject: Re: windows vulnerability? [was: Re: [Code-Crunchers] 137 bytes]

On Wed, 8 Nov 2006, Thomas Pollet wrote:
> Windows handles UNC paths the same way as local paths. Another mechanism
> used to load a remote dll using a UNC path is described in
> http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
> here the "system" directory is overwritten with a (unc) directory owned
> by the attacker. When GetSystemDirectoryW() is called to load the
> faultrep.dll on exception, an attacker can supply his backdoored
> faultrep.dll. I don't think you should classify this as a vulnerability,
> it's known Windows behaviour (yet, Windows, a vulnerability all by itself?).

Two issues:
1. The loading of the library...
I've just had a very long discussion with someone who understands this far
better than me. I am wrong (on that part), it's not a "vulnerability" but
it's damn close, and can be used to facilitate quite a bit. I see it as
an issue, most people don't.

It is a bummer for desktop firewalls though, no? :)

http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf

^^ indeed

2. Issue that got to mind, making a leap from the first one...

The point I was trying to make is very different, and speaks of what can
potentially be done with this if this was code execution. Using the PE as
a vector to attack the PE loader with (potential!) code execution for
privilege escalation. Using the PE itself as a vector of attack.

Much like you would use a doc file to exploit something in Word.. only
not. :)

Thanks though - good stuff!

	Gadi.

> 
> Regards,
> Thomas
> 
> The mother of all downloaders.
> >
> > "The Zone has a new King!" <we're not worthy x3>
> >         -- Jeff, Coupling (BBC, UK).
> >
> >         Gadi.
> >
> > > -- G
> > >
> > > 2006/11/8, Solar Eclipse <solareclipse@...eedom.org>:
> > > >
> > > > On Tue, Nov 07, 2006 at 10:56:42AM -0800, Peter Ferrie wrote:
> > > > > Why is the idata size present?  AFAIK, no Windows version checks it.
> > > > > Four bytes shorter, then (stop at the idata rva non-zero byte)?
> > > >
> > > > You're right, you can remove the last field and bring the file size down
> > > > to 133 bytes. That's what I get for claiming that the size can't be
> > > > improved :-)
> > > >
> > > > Solar
> > > > _______________________________________________
> > > > Code-Crunchers mailing list
> > > > Code-Crunchers@...testar.linuxbox.org
> > > > http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
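The quoted Code-Crunchers exchange turns on which trailing fields of a PE header the Windows loader actually reads: the import directory's size field can be cut off the end of the file and, according to Peter Ferrie and Solar Eclipse above, the loader does not miss it. The script below is an added example, not code from this thread or from any of its participants. It builds a synthetic PE32 header (constructed test data, not a real binary), parses the DOS header, PE signature, COFF and optional headers down to the import data-directory entry, and reports whether the RVA and size fields are physically present, so a scanner can flag a file whose declared optional header runs past end-of-file, which is exactly the shape a minimal PE like the 133-byte one takes. The `build_sample_pe32` helper and its `drop_size_field` parameter are assumptions of this example; the field offsets follow the PE/COFF specification.

```python
import struct

# Offset of the data-directory array from the start of the optional header
# (PE32: 96 bytes of fixed fields, PE32+: 112), per the PE/COFF specification.
DIR_BASE = {0x10B: 96, 0x20B: 112}
IMPORT_DIR_INDEX = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT


def build_sample_pe32(import_rva, import_size, drop_size_field=False):
    """Construct a synthetic PE32 header (constructed test data, not a real binary).

    Only the fields the parser below reads are populated. With
    drop_size_field=True the file ends right after the import directory RVA,
    mimicking the thread's observation that the trailing size field can be cut.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature at offset 64
    num_dirs = 2                                   # export + import entries only
    opt_size = 96 + 8 * num_dirs
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, timestamp, symtab ptr,
    # symbol count, SizeOfOptionalHeader, Characteristics (executable, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 92, num_dirs)      # NumberOfRvaAndSizes
    dirs = struct.pack("<II", 0, 0) + struct.pack("<II", import_rva, import_size)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + dirs
    return image[:-4] if drop_size_field else image


def parse_import_directory(data):
    """Return the import directory entry and whether each of its fields exists.

    Raises ValueError on a malformed header. A truncated directory entry is
    reported rather than rejected, so a scanner can flag headers that run
    past end-of-file instead of silently reading zeros.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    if len(data) < coff_off + 22:
        raise ValueError("file ends inside the COFF header")
    _, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in DIR_BASE:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dir_base = opt_off + DIR_BASE[magic]
    if len(data) < dir_base:
        raise ValueError("file ends before the data-directory array")
    (num_dirs,) = struct.unpack_from("<I", data, dir_base - 4)
    entry_off = dir_base + 8 * IMPORT_DIR_INDEX
    result = {
        "num_dirs": num_dirs,
        "rva": None, "size": None,
        "rva_present": False, "size_present": False,
        # Declared SizeOfOptionalHeader extends past the bytes actually on disk.
        "header_truncated": len(data) < opt_off + opt_size,
    }
    if num_dirs <= IMPORT_DIR_INDEX:
        return result
    if len(data) >= entry_off + 4:
        result["rva"] = struct.unpack_from("<I", data, entry_off)[0]
        result["rva_present"] = True
    if len(data) >= entry_off + 8:
        result["size"] = struct.unpack_from("<I", data, entry_off + 4)[0]
        result["size_present"] = True
    return result


if __name__ == "__main__":
    for label, cut in (("complete header", False), ("size field dropped", True)):
        sample = build_sample_pe32(0x2000, 0x28, drop_size_field=cut)
        print(label, len(sample), "bytes:", parse_import_directory(sample))
```

Run as-is to see the two reports side by side: the complete header yields both fields, while the cut file still yields the RVA but reports `size_present` as False and `header_truncated` as True. Whether the loader tolerates that is the thread's claim, not something this parser verifies; its job is to make the truncation visible.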
