[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTi=oJ2h3n1x7gOL9FJKcBav-M4efaf3T+g8DGfKL@mail.gmail.com>
Date: Thu, 9 Sep 2010 12:53:49 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Mitja Kolsek <mitja.kolsek@...ossecurity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
paul.szabo@...ney.edu.au
Subject: Re: KeePass version 2.12 <= Insecure DLL
Hijacking Vulnerability (dwmapi.dll)
* replace my later "possible" with "dll" (to hell with distractions!)
Cheers,
Chris.
On Thu, Sep 9, 2010 at 12:52 PM, Christian Sciberras <uuf6429@...il.com> wrote:
>> Bwt, you can simply turn our Internet-based test into an intranet or local test by
>> copying the files to your local share or a folder on your computer and double-click
>> the .wab file from there. The usual caution with runnning code from unknown sources
>> applies, of course.
>
> I did better, I wrote my own test, which just like your test, it
> failed proving the vulnerability.
> The only difference was that I knew what was going wrong and tried to
> get it to work in all ways possible;
> it only seemed to work when the right possible wasn't anywhere near
> the running executable (or system directories).
>
> Unless the whole point of the vulnerability was to exploit non-existent dlls??
>
>> Can you please send the Process Monitor log for this case? We'll be happy to look
>> into your case.
>
> Sure, fine by me.
>
>
> Regards,
> Chris.
>
>
>
> On Thu, Sep 9, 2010 at 12:32 PM, Mitja Kolsek
> <mitja.kolsek@...ossecurity.com> wrote:
>> Hi Chris,
>>
>>> Considering Acros highlighted how their POC was highly
>>> unstable (they've frequently advised to try the program
>>> several times to get it to work) I don't see such abnormal
>>> behaviour out of this world.
>>
>> Indeed, we're seeing problems with accessing (any) remote WebDAV shares from various
>> Windows computers, while it works just great on others. Based on network monitoring,
>> it doesn't seem to be the problem with the server though, but rather with occasionaly
>> unreliable support for WebDAV folders in Windows. We're looking for possible causes
>> and especially for workarounds that could improve the reliability.
>>
>> We'll appreciate your feedback - tell us how it worked or didn't work for you. It's a
>> chance for us all to learn something new.
>>
>> Bwt, you can simply turn our Internet-based test into an intranet or local test by
>> copying the files to your local share or a folder on your computer and double-click
>> the .wab file from there. The usual caution with runnning code from unknown sources
>> applies, of course.
>>
>>> One last thing, rather than just running a random POC I've
>>> actually looked into what's going on, via Process Monitor,
>>> and as far as it's concerned, it always loaded the correct
>>> (ie, the original) dlls.
>>
>> Can you please send the Process Monitor log for this case? We'll be happy to look
>> into your case.
>>
>> Cheers,
>>
>> Mitja Kolsek
>> CEO&CTO
>>
>> ACROS, d.o.o.
>> Makedonska ulica 113
>> SI - 2000 Maribor, Slovenia
>> tel: +386 2 3000 280
>> fax: +386 2 3000 282
>> web: http://www.acrossecurity.com
>>
>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>>
>>
>>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists