lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <3D58402F-0417-40A4-9E10-1D9ABCA04B41@doxpara.com>
Date: Tue, 31 Aug 2010 14:15:19 -0700
From: Dan Kaminsky <dan@...para.com>
To: Charles Morris <cmorris@...odu.edu>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"paul.szabo@...ney.edu.au" <paul.szabo@...ney.edu.au>
Subject: Re: DLL hijacking with Autorun on a USB drive





On Aug 31, 2010, at 2:01 PM, Charles Morris <cmorris@...odu.edu> wrote:

>>
>>> ... Don't run applications from untrusted locations ...
>>
>> You got it wrong. Only trusted applications are run. - The attacker
>> prepares a WORD.DOC (and a RICHED20.DLL) file in some place. The
>> victim clicks on the WORD.DOC file, using his own installed MSWord.
>>
>
> Aaah, well if that is the issue, it seems to me that the  
> vulnerability here is
> that the application in question (MSWord) has it's CWD set to the  
> directory of
> the file that it is opening through the explorer shell.
>
> It should chdir() to it's own parent directory before doing anything  
> interesting
> that depends on CWD. (i.e. loading DLLs or executing "./ 
> amazingApp.sh")
>
> It's general good programming practice to be mindful of your CWD, I  
> know
> that personally; a call to chdir() is almost always at the top of my  
> script.
>
> So, I take back what I said about it being a non-issue, it IS in fact
> a vulnerability in the application.
>

Again, the clicker can't differentiate word (the document) from word  
(the executable).  The clicker also can't differentiate word (the  
document) from word (the code equivalent script).

The security model people keep presuming exists, doesn't.

Even the situation whereby a dll is dropped into a directory of  
documents -- the closest to a real exploit path there is -- all those  
docs can be repacked into executables.

> Cheers,
> Charles
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ