lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <A0666840-9899-4221-8A03-66DBCF667AA0@zero-internet.org.uk>
Date: Mon, 5 Sep 2011 01:43:33 +0100
From: James Condron <james@...o-internet.org.uk>
To: paul.szabo@...ney.edu.au
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host
	DLL Hijacking

Paul,

I only run windows on one machine, my workstation in the office, so my results aren't indicative of every system- indeed this may be a quirk of our AD, in which case I'll be talking to one of my colleagues with my friend Mr. Crowbar, but both extensions you list were executable.

Admittedly I haven't checked all of the others yet, mileage may vary.

Either way there is no accounting for taste; some cases will make this less an attack in and of its self and more will show this as a further social engineering payload, albeit one which requires tricking someone to download several layers of code and still executing it.

On 4 Sep 2011, at 23:54, paul.szabo@...ney.edu.au wrote:

>> Application: wscript.exe
>> Extensions: js, jse, vbe, vbs, wsf, wsh
>> Library: wshesn.dll
> 
> Many people commented that the above extensions are "executable"
> already, so are (should be) treated with caution, or that they
> can be trojaned directly without any DLL load shenanigans.
> 
> However... looking at
> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
> I do not see JS listed as executable, though JSE is listed.
> 
> Looking at
> http://msdn.microsoft.com/en-us/library/ms722429.aspx
> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
> machine, none of the above extensions are "designated".
> 
> Maybe DLL hijacking is useful for some of these file types, after all?
> 
> Cheers, Paul
> 
> Paul Szabo   psz@...hs.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists