| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 Aug 2010 17:01:34 -0400 From: Charles Morris <cmorris@...odu.edu> To: paul.szabo@...ney.edu.au Cc: full-disclosure@...ts.grok.org.uk Subject: Re: DLL hijacking with Autorun on a USB drive > >> ... Don't run applications from untrusted locations ... > > You got it wrong. Only trusted applications are run. - The attacker > prepares a WORD.DOC (and a RICHED20.DLL) file in some place. The > victim clicks on the WORD.DOC file, using his own installed MSWord. > Aaah, well if that is the issue, it seems to me that the vulnerability here is that the application in question (MSWord) has it's CWD set to the directory of the file that it is opening through the explorer shell. It should chdir() to it's own parent directory before doing anything interesting that depends on CWD. (i.e. loading DLLs or executing "./amazingApp.sh") It's general good programming practice to be mindful of your CWD, I know that personally; a call to chdir() is almost always at the top of my script. So, I take back what I said about it being a non-issue, it IS in fact a vulnerability in the application. Cheers, Charles _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists