Date: Wed, 8 Nov 2006 10:38:12 -0600 (CST)
From: Gadi Evron <ge@...uxbox.org>
To: full-disclosure@...ts.grok.org.uk
Cc: code-crunchers@...testar.linuxbox.org
Subject: Re: [Code-Crunchers] windows vulnerability? [was: Re: 137 bytes]

On Wed, 8 Nov 2006, Gadi Evron wrote:
> On Wed, 8 Nov 2006, Thomas Pollet wrote:
> > Windows handles UNC paths the same way as local paths. Another mechanism
> > used to load a remote dll using a UNC path is described in
> > http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
> > here the "system" directory is overwritten with a (unc) directory owned
> > by the attacker. When GetSystemDirectoryW() is called to load the
> > faultrep.dll on exception, an attacker can supply his backdoored
> > faultrep.dll. I don't think you should classify this as a vulnerability,
> > it's known windows behaviour (yet, windows, a vulnerability all by itself?).
> 
> Two issues:
> 1. The loading of the library...
> I've just had a very long discussion with someone who understands this far
> better than me. I am wrong (on that part), it's not a "vulnerability" but
> it's damn close, and can be used to facilitate quite a bit. I see it as
> an issue, most people don't.
> 
> It is a bummer for desktop firewalls though, no? :)
> 
> http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
> 
> ^^ indeed
> 
> 2. Issue that got to mind, making a leap from the first one...
> 
> The point I was trying to make is very different, and speaks of what can
> potentially be done with this if this was code execution. Using the PE as
> a vector to attack the PE loader with (potential!) code execution for
> privilege escalation. Using the PE itself as a vector of attack.
> 
> Much like you would use a doc file to exploit something in Word.. only
> not. :)

Okay, strike that. According to a friend who checked, it runs in usermode,
except for some core issues. Then it's kernel, and you need to be admin to
do it. Which is also pointless and it's hacking to be in ring0 when you
already are there.

Another friend says it will look pretty. :)

	Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
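The quoted exchange turns on one fact: the Win32 loader treats a UNC path exactly like a local one, so a "system directory" that has been redirected to a network share will be searched for faultrep.dll just as %SystemRoot%\System32 would. The following is an added example, not code from this thread or from Microsoft, showing the two checks a defender can apply: classify a directory string before trusting it as a local system directory (rejecting `\\server\share`, `\\?\UNC\...` and device-namespace forms), and load system DLLs by bare name with LoadLibraryExW and LOAD_LIBRARY_SEARCH_SYSTEM32 so that no redirected directory or search path is consulted. The function names and the sample paths are constructed for the example; the classifier is portable, the loader call is only compiled on Windows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* How the Win32 loader would treat a candidate directory or DLL path. */
typedef enum {
    PATH_LOCAL_ABSOLUTE,  /* C:\Windows\System32\faultrep.dll or \\?\C:\... */
    PATH_UNC,             /* \\server\share\... or \\?\UNC\server\share\... */
    PATH_RELATIVE,        /* faultrep.dll, ..\x.dll, \Windows\x.dll (drive-relative) */
    PATH_OTHER            /* \\.\device or other \\?\ forms: not a plain local file */
} path_kind;

static bool is_sep(char c) { return c == '\\' || c == '/'; }

static bool is_drive_letter(char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Case-insensitive test for the "UNC" + separator marker that follows \\?\ */
static bool is_unc_marker(const char *p) {
    return (p[0] == 'U' || p[0] == 'u') &&
           (p[1] == 'N' || p[1] == 'n') &&
           (p[2] == 'C' || p[2] == 'c') && is_sep(p[3]);
}

/* Classify a path string; every index read is guarded by the test before it,
   so short strings are handled without reading past the terminator. */
path_kind classify_dll_path(const char *p) {
    if (p == NULL || p[0] == '\0') return PATH_RELATIVE;
    if (is_sep(p[0]) && is_sep(p[1])) {
        if (p[2] == '?' && is_sep(p[3])) {            /* extended-length prefix */
            if (is_unc_marker(p + 4)) return PATH_UNC;
            if (is_drive_letter(p[4]) && p[5] == ':' && is_sep(p[6]))
                return PATH_LOCAL_ABSOLUTE;
            return PATH_OTHER;
        }
        if (p[2] == '.' && is_sep(p[3])) return PATH_OTHER;  /* device namespace */
        return PATH_UNC;                                      /* \\server\share */
    }
    if (is_drive_letter(p[0]) && p[1] == ':' && is_sep(p[2]))
        return PATH_LOCAL_ABSOLUTE;
    return PATH_RELATIVE;
}

/* A hardened loader trusts a "system directory" value only when it is a local
   absolute path; a UNC or device path means the value has been redirected. */
bool is_trusted_system_dir(const char *dir) {
    return classify_dll_path(dir) == PATH_LOCAL_ABSOLUTE;
}

#ifdef _WIN32
/* Load a library by bare name from %SystemRoot%\System32 only, so neither the
   current directory nor a per-process search path can redirect the load.
   LOAD_LIBRARY_SEARCH_SYSTEM32 requires Windows 7 with KB2533623 or later. */
HMODULE load_from_system32_only(const wchar_t *name) {
    return LoadLibraryExW(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void) {
    /* Constructed sample values; "fileserver" is a placeholder host name. */
    const char *samples[] = {
        "C:\\Windows\\System32\\faultrep.dll",
        "\\\\fileserver\\share\\faultrep.dll",
        "\\\\?\\UNC\\fileserver\\share\\faultrep.dll",
        "faultrep.dll",
    };
    static const char *names[] = {"local-absolute", "unc", "relative", "other"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i], names[classify_dll_path(samples[i])]);
    return 0;
}
```

The classifier is deliberately stricter than the loader itself: it refuses anything that is not an unambiguous local absolute path, including the `\\?\` extended-length form unless it names a drive letter, because the point is to detect a redirected system directory, not to reproduce every path form Windows accepts.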
