lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 05 Sep 2011 14:45:41 -0300
From: root <root_@...ertel.com.ar>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host
 DLL Hijacking

I agree, in some remote scenario this may work, but doesn't justify an
advisory.

Off-topic:

First Insect PRO, and now this?
What's happening fellow Latin-americans? our standards are falling.
Please behave, this is the Internet!





On 09/05/2011 07:33 AM, Mario Vilas wrote:
> Paul,
> 
> Those file extensions correspond to scripts. If a file contains a script
> that runs when the file is double clicked, and the scripting engine is not
> sandboxed (meaning the script can do the same things an executable file can
> do) then the attack is meaningless. You can simply have the script inside
> the file do malicious things instead of planting a DLL.
> 
> Binary planting, regardless of the discussion about it being a
> "vulnerability" or not, in any case only makes sense when the file only
> contains static data, or when the file contains executable code that would
> normally not have the same privileges as a standard executable file. (A
> script that doesn't get executed when double clicking on it -for example if
> a text editor is opened instead- would be the same case as in a data file).
> 
> I've never used .js or .jse scripts on Windows, but all the other extensions
> are patently not sandboxed scripts. In fact, the Windows Script Host
> software is mostly used to write system maintenance scripts, so it's obvious
> its scripts can't be restricted or they'd be useless. I'm guessing the same
> applies to .js and .jse then, and of course I wouldn't mind seeing proof
> that it doesn't. However the links you provided don't really prove anything
> (the first one even says "this is not a complete list", and I admit I've
> only glanced the second one but it seems unrelated, as it applies to file
> transfers on Microsoft Sharepoint).
> 
> Planting a DLL file to be executed at the same time as other executable file
> is just a convoluted way of doing the same thing. It *may* be used in some
> strange, artificial situations, but I'm not convinced there aren't better
> ways to do it, and in any case it doesn't justify an advisory. And judging
> from what the timeline reads, I believe Microsoft simply ignored this one.
> 
> I hope my explanation helped :)
> -Mario
> 
> On Mon, Sep 5, 2011 at 12:54 AM, <paul.szabo@...ney.edu.au> wrote:
> 
>>> Application: wscript.exe
>>> Extensions: js, jse, vbe, vbs, wsf, wsh
>>> Library: wshesn.dll
>>
>> Many people commented that the above extensions are "executable"
>> already, so are (should be) treated with caution, or that they
>> can be trojaned directly without any DLL load shenanigans.
>>
>> However... looking at
>> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
>>
>> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
>> I do not see JS listed as executable, though JSE is listed.
>>
>> Looking at
>> http://msdn.microsoft.com/en-us/library/ms722429.aspx
>> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
>> machine, none of the above extensions are "designated".
>>
>> Maybe DLL hijacking is useful for some of these file types, after all?
>>
>> Cheers, Paul
>>
>> Paul Szabo   psz@...hs.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
>> School of Mathematics and Statistics   University of Sydney    Australia
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
> 
> 
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ