[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTin=LewE6pJe6gcfcgoA+-2WQHLTui3M_Au5WDfU@mail.gmail.com>
Date: Wed, 1 Sep 2010 08:29:44 -0400
From: Charles Morris <cmorris@...odu.edu>
To: Dan Kaminsky <dan@...para.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"paul.szabo@...ney.edu.au" <paul.szabo@...ney.edu.au>
Subject: Re: DLL hijacking with Autorun on a USB drive
On Tue, Aug 31, 2010 at 7:03 PM, Dan Kaminsky <dan@...para.com> wrote:
>
>
>
>
> On Aug 31, 2010, at 2:20 PM, Charles Morris <cmorris@...odu.edu> wrote:
>
>> On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky <dan@...para.com> wrote:
>>
>>>
>>> Again, the clicker can't differentiate word (the document) from word (the
>>> executable). The clicker also can't differentiate word (the document)
>>> from
>>> word (the code equivalent script).
>>>
>>> The security model people keep presuming exists, doesn't.
>>>
>>> Even the situation whereby a dll is dropped into a directory of documents
>>> --
>>> the closest to a real exploit path there is -- all those docs can be
>>> repacked into executables.
>>>
>>
>> What?
>>
>> I can differentiate my coolProposal.doc from msword.exe just fine..
>>
>
> Uh huh. Here, let me go ahead and create 2010 Quarterly Numbers.ppt.exe with
> a changed icon, and see what you notice.
>
Mr. Szabo has already slapped your wrist for such undeserved arrogance.
And yeah, I find it a joke that you think that ".ppt.exe" isn't pretty
damn obvious.
I might have fell for that when I was 9, but I haven't had a problem
with a windows box in years.
I will admit, at 3AM when I've been working for 18 hours and awake for
36, it is possible that I may double-click
such a malicious file and then immediately think "OH shit" and rebuild.
I know what we can do, we can repackage the "Hey watch out for badguys
masquerading as innocent files"
that everybody already knows about, contact CERT and negotiate a fix
between major vendors (Hey this isn't just a MS vulnerability
right??), then give a talk at blackhat to establish our fame, but now
that I think about it.. that would be rude to the people who have been
complaining about this since 1999.
>
>> If your statement is that the windows defaults should be changed,
>> including the "hide extensions" default, then I wholeheartedly agree
>> as I detailed in my first post. It's the first thing I turn off.
>>
>> Many people who think the same way have considered that a
>> vulnerability in windows for years, I wouldn't consider it part of
>> the "DLL Hijacking" fiasco.
>
> Imagine if the browser lock meant arbitrary code could run.
>
> I find your faith in small collections of pixels hilarious.
>
Imagine if the keyboard LED meant arbitrary code could run!!
What? I don't even understand what you are getting at. This has
nothing to do with faith in icons.
My statement was that windows defaults arguably represent a
vulnerability in the GUI
by making "proposal.doc" indistinguishable from "proposal.doc.exe with
a crafted icon",
when you are encouraged to double-click the icons through the GUI, and
when "doc" files
are supposed to be innocent to open. I was also stating the fact that
this vulnerability
should be addressed outside of the scope of the "DLL Hijacking" mess.
Cheers,
Charles
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists