lists.openwall.net - Open Source and information security mailing list archives
 
Date: Wed, 8 Sep 2010 21:32:30 -0500
From: jf <jf@...co.net>
To: Christian Sciberras <uuf6429@...il.com>,
	full-disclosure@...ts.grok.org.uk, lists@...g.net
Subject: Re: KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

> > I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> > with latest windows updates applied (as of Today -sept 09 2010).
> Could it be that a virus/trojan from my XP machine might have caused some
> form of immunity against this issue?
> And perhaps my extensive meddling and customization somehow modified the
> Windows 7 install beyond normal limits?
> I very much doubt this. I used both bitness demos for what it's worth.
> 

I can confirm the demo worked as expected; first shot on an up-to-date auto-patched win7 box.
That said, I did a quick search to see if I had a local copy of wab32res.dll (dunno what the DLL in the subject line is about; the DLL in question is wab32res.dll), and I did not. I wrote a quick DLL with a simple MessageBoxA() into the Windows directory and tested it again, and got a pop-up informing me I am about to import an address book (versus their lolhacked pop-up). If I had to take a stab at it, judging by this comment:

> One last thing, rather than just running a random POC I've actually
> looked into what's going on, via Process Monitor, and as far as it's
> concerned, it always loaded the correct (ie, the original) dlls.

my guess would be that one of you has a copy of the DLL in the DLL search path (which *doesn't* include . until the second-to-last stage by default), and one of you does not.

..De asini vmbra disceptare.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
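The search-order point jf makes above, as an added example that is not part of the post or of KeePass: a Python model of the default Windows DLL search order (SafeDllSearchMode on, so "." comes after the system directories) that reports where a DLL name would resolve from and flags a hit that comes from the CWD or PATH. All directory names and the set of existing files are constructed, and the KnownDLLs list and manifest redirection are left out.

```python
# Added example (not from the post): model the Windows DLL search order and
# report where a DLL name resolves from, flagging an untrusted hit (CWD/PATH).
# Paths and the "present" file set are constructed; KnownDLLs are ignored.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SearchEnv:
    app_dir: str                   # directory the executable was loaded from
    system32: str                  # e.g. C:\Windows\System32
    system16: str                  # e.g. C:\Windows\System (legacy 16-bit dir)
    windows: str                   # e.g. C:\Windows
    cwd: str                       # current working directory, the "." in the post
    path_dirs: list = field(default_factory=list)
    safe_search: bool = True       # SafeDllSearchMode; on by default
    present: set = field(default_factory=set)  # lowercased paths that exist

    def order(self) -> list:
        """With SafeDllSearchMode on, "." is searched only after the system
        directories; with it off, "." moves up right behind the app directory."""
        system = [self.system32, self.system16, self.windows]
        if self.safe_search:
            return [self.app_dir, *system, self.cwd, *self.path_dirs]
        return [self.app_dir, self.cwd, *system, *self.path_dirs]

    def trusted(self) -> set:
        return {d.lower() for d in (self.app_dir, self.system32, self.system16, self.windows)}

def resolve_dll(env: SearchEnv, dll: str) -> Optional[tuple]:
    """Return (winning_path, hijackable) for the first copy found, else None."""
    for d in env.order():
        candidate = (d.rstrip("\\") + "\\" + dll).lower()
        if candidate in env.present:
            return candidate, d.lower() not in env.trusted()
    return None

def demo() -> tuple:
    env = SearchEnv(app_dir=r"C:\Program Files\KeePass", system32=r"C:\Windows\System32",
                    system16=r"C:\Windows\System", windows=r"C:\Windows",
                    cwd=r"C:\Temp\poc", path_dirs=[r"C:\Tools"])
    # Only the PoC copy next to the opened database exists: "." wins and is flagged.
    env.present = {r"c:\temp\poc\wab32res.dll"}
    poc_only = resolve_dll(env, "wab32res.dll")
    # A copy in the Windows directory (what the post describes) now shadows the PoC copy.
    env.present.add(r"c:\windows\wab32res.dll")
    with_windows_copy = resolve_dll(env, "wab32res.dll")
    return poc_only, with_windows_copy
```

The second result is the behaviour jf saw: a copy in a system directory wins over one in the working directory, so the PoC copy is never loaded.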
