| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Sep 2010 08:18:42 +0200 From: Christian Sciberras <uuf6429@...il.com> To: YGN Ethical Hacker Group <lists@...g.net> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, paul.szabo@...ney.edu.au Subject: Re: KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll) > I've tested on Clean Licensed Windows 7 Professional Edition 64-bit > with latest windows updates applied (as of Today -sept 09 2010). Could be a virus/trojan from my XP machine might have caused some form of immunity against this issue? And perhaps my extensive meddling and customization somehow modify the Windows 7 install beyond normal limits? I very much doubt this. I used both bitness demos for what it's worth. > Should I make movie to prove that like Up till step 2 everything went fine. Step 3 went a little differently - wab.exe opened, but no popup box opened with it. Considering Acros highlighted how their POC was highly unstable (they've frequently advised to try the program several times to get it to work) I don't see such abnormal behaviour out of this world. One last thing, rather than just running a random POC I've actually looked into what's going on, via Process Monitor, and as far as it's concerned, it always loaded the correct (ie, the original) dlls. Cheers, Chris. On Thu, Sep 9, 2010 at 7:40 AM, YGN Ethical Hacker Group <lists@...g.net> wrote: > I must say I can't take your word according to my testing. > I've tested on Clean Licensed Windows 7 Professional Edition 64-bit > with latest windows updates applied (as of Today -sept 09 2010). I > used Acros Security's 64 bit demo. > > Should I make movie to prove that like > 1- Updating Windows (check for updates) , > 2 - Go to \\www.binaryplanting.com\demo\windows_address_book_64 > 3 - See the popup box > > ? > > > > > > > > On Thu, Sep 9, 2010 at 7:44 AM, Christian Sciberras <uuf6429@...il.com> wrote: >> That is what others said, yet it installed automatically on mine. >> The only interaction was that I allowed it to be downloaded and >> installed....not really geeky at all... >> >> I must say you'll have to take my word on it. >> >> >> >> >> On Thu, Sep 9, 2010 at 1:36 AM, <paul.szabo@...ney.edu.au> wrote: >>> Christian Sciberras <uuf6429@...il.com> wrote: >>> >>>>>> MS issued a patch quite some time ago. >>>> http://support.microsoft.com/kb/2264107 >>> >>> That is not a "patch", not installed by default: is only for >>> uber-geeks who manually install it. Was issued a week ago, in >>> response to this kerfuffle, not "quite some time ago". >>> >>> Which setting of CWDIllegalInDllSearch did you choose: was it >>> 0xFFFFFFFF which may be "safe", but is known to break Outlook >>> (and others), as noted in >>> >>> DLL hijacking vulnerabilities >>> http://isc.sans.edu/diary.html?storyid=9445 >>> >>> (geeks can add further tweaks to the registry to fix). >>> >>> Cheers, Paul >>> >>> Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ >>> School of Mathematics and Statistics University of Sydney Australia >>> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists