[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Sep 2010 21:32:30 -0500
From: jf <jf@...co.net>
To: Christian Sciberras <uuf6429@...il.com>,
full-disclosure@...ts.grok.org.uk, lists@...g.net
Subject: Re: KeePass version 2.12 <= Insecure DLL
Hijacking Vulnerability (dwmapi.dll)
> > I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> > with latest windows updates applied (as of Today -sept 09 2010).
> Could be a virus/trojan from my XP machine might have caused some form
> of immunity against this issue?
> And perhaps my extensive meddling and customization somehow modify the
> Windows 7 install beyond normal limits?
> I very much doubt this. I used both bitness demos for what it's worth.
>
I can confirm the demo worked as expected; first shot on an up-to-date auto-patched win7 box.
That said, I did a quick search to see if I had a local copy of wab32res.dll (dunno what the dll in the subject line is about, the DLL in question is wab32res.dll), and I did not. I wrote a quick DLL with a simple MessageBoxA() into the Windows directory and tested it again and got a pop up informing me I am about to import an address book (versus their lolhacked popup). If I had to take a stab at it, judging by this comment:
> One last thing, rather than just running a random POC I've actually
> looked into what's going on, via Process Monitor, and as far as it's
> concerned, it always loaded the correct (ie, the original) dlls.
my guess would be that one of you has a copy of the DLL in the DLL search path (which *doesnt* include . until the second to last stage by default), and one of you does not.
..De asini vmbra disceptare.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists