lists.openwall.net - Open Source and information security mailing list archives
Date: Sat, 3 Sep 2011 11:15:50 +1000
From: GloW - XD <doomxd@...il.com>
To: Mario Vilas <mvilas@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

I must agree, considering I have yet to see it used in even botnet circles,
who would surely have used a decent local exploit if it was 'decent'... I
know this DLL hijacking has gone unpassed to the community in general
because of its uselessness.
I agree completely, I never have seen this actively exploited, nor part of a
decent framework where it can be used in a remote or local session.
Basically, it is something which I read the PDF on, and thought "here is
the most useless 'exploit', as it was being called, I have ever laid eyes
on"; my opinion still has yet to be changed by any factor. There could be
many factors, i.e.: exploitation even in the wild reported, or just someone
saying "hey don't forget blah.c!", but this ain't happened, nor will... "hey
wanna read MSDN and look and see how a lib is loaded" would make more sense.
I still don't see anything 'good' in this whole fiasco of the DLL hijacking.
No active code/PoC, etc. etc. etc.... as I said, there are many factors I'd reconsider my
stance on...
Anyhow, enjoyable topic.
xd


On 3 September 2011 11:03, Mario Vilas <mvilas@...il.com> wrote:

> I disagree. If this so called "vulnerability" had any added value in terms
> of social engineering, it would actually make sense to report it. Social
> engineering isn't "bad", I really don't care how "leet" it is. My claim is
> simpler: this advisory makes no sense at all, because it replaces an easy
> way of exploitation for a hard way of exploitation, so its added value is
> actually *negative* for the attacker.
>
> Most likely whoever found this is new in the infosec world and never
> stopped to consider these details - he/she just blindly repeated what the DLL
> injection crowd was doing and posted whatever results were found, without
> understanding really well what was going on.
>
> And THAT is the state of infosec today. People who report stuff for the
> sake of reporting, without really understanding how things work or why.
>
> On Fri, Sep 2, 2011 at 11:46 PM, <Valdis.Kletnieks@...edu> wrote:
>
>> On Fri, 02 Sep 2011 20:55:35 -0000, "Thor (Hammer of God)" said:
>>
>> > LOL.  "Warning, if you get the user to execute code, then it is possible to
>> > get the user to execute code!!  All you have to do is get files on their
>> > system, and then get them to execute those files!   Note that once you get the
>> > user to execute the code, it will actually run in the context of that user!!
>> > This is remote code execution vulnerability!"
>>
>> > Welcome to today's Infosec!
>>
>> The sad part is that this is the future of infosec as well.  Microsoft got the
>> security religion a few years back, and even I have to admit their current stuff
>> isn't that bad at all.  The various Linux distros are (slowly) getting their
>> acts together, and maybe even Apple and Adobe will see the light sometime
>> reasonably soon. Yes, there will still be software failures - but once the effort
>> of finding a new 0-day reaches a certain point, the economics change....
>>
>> And once that happens, social engineering will become an even bigger part of
>> both the attack and defense sides of infosec.  For the black hats, the
>> cost/benefit of looking for effective 0-day holes will continue to drop, while
>> the cost/benefit of phishing a user will remain steady - so that's a push
>> towards more social engineering. Why go to the effort of spending 3 months
>> finding a browser bug that allows you to push malware to the victim's machine,
>> when you can just spend 45 minutes creating a "Your machine is infected - click
>> here to fix it" pop-up that will catch 80% of the people?
>>
>> Meanwhile, as the software gets more hardened and patching is more automated,
>> the white hats will find a bigger percent of their time is spent defending
>> their systems from attacks triggered by their own users.  Because the failure
>> rate of people's brains is already about 4.7*10**9 times as high as the
>> software failure rate, and the ratio is only getting worse - software is
>> improving, people aren't.
>>
>> Prediction 1: 10 years from now, organized crime will be hiring cognitive
>> psychologists to help design more effective phish the way they currently hire
>> programmers to write better spambots.
>>
>> Prediction 2: It ain't gonna get better till the average IQ starts going up
>> faster than the software improves.
>>
>>
>
>
> --
> “There's a reason we separate military and the police: one fights the enemy
> of the state, the other serves and protects the people. When the military
> becomes both, then the enemies of the state tend to become the people.”
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
