lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <AANLkTi=ZSVhxd2TfrttHDgPZzwx8CJditYxF_+eay2Zx@mail.gmail.com>
Date: Thu, 9 Sep 2010 12:52:32 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Mitja Kolsek <mitja.kolsek@...ossecurity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	paul.szabo@...ney.edu.au
Subject: Re: KeePass version 2.12 <= Insecure DLL
 Hijacking Vulnerability (dwmapi.dll)

> Bwt, you can simply turn our Internet-based test into an intranet or local test by
> copying the files to your local share or a folder on your computer and double-click
> the .wab file from there. The usual caution with runnning code from unknown sources
> applies, of course.

I did better, I wrote my own test, which just like your test, it
failed proving the vulnerability.
The only difference was that I knew what was going wrong and tried to
get it to work in all ways possible;
it only seemed to work when the right possible wasn't anywhere near
the running executable (or system directories).

Unless the whole point of the vulnerability was to exploit non-existent dlls??

> Can you please send the Process Monitor log for this case? We'll be happy to look
> into your case.

Sure, fine by me.


Regards,
Chris.



On Thu, Sep 9, 2010 at 12:32 PM, Mitja Kolsek
<mitja.kolsek@...ossecurity.com> wrote:
> Hi Chris,
>
>> Considering Acros highlighted how their POC was highly
>> unstable (they've frequently advised to try the program
>> several times to get it to work) I don't see such abnormal
>> behaviour out of this world.
>
> Indeed, we're seeing problems with accessing (any) remote WebDAV shares from various
> Windows computers, while it works just great on others. Based on network monitoring,
> it doesn't seem to be the problem with the server though, but rather with occasionaly
> unreliable support for WebDAV folders in Windows. We're looking for possible causes
> and especially for workarounds that could improve the reliability.
>
> We'll appreciate your feedback - tell us how it worked or didn't work for you. It's a
> chance for us all to learn something new.
>
> Bwt, you can simply turn our Internet-based test into an intranet or local test by
> copying the files to your local share or a folder on your computer and double-click
> the .wab file from there. The usual caution with runnning code from unknown sources
> applies, of course.
>
>> One last thing, rather than just running a random POC I've
>> actually looked into what's going on, via Process Monitor,
>> and as far as it's concerned, it always loaded the correct
>> (ie, the original) dlls.
>
> Can you please send the Process Monitor log for this case? We'll be happy to look
> into your case.
>
> Cheers,
>
> Mitja Kolsek
> CEO&CTO
>
> ACROS, d.o.o.
> Makedonska ulica 113
> SI - 2000 Maribor, Slovenia
> tel: +386 2 3000 280
> fax: +386 2 3000 282
> web: http://www.acrossecurity.com
>
> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ