[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJB2JzusTQJsHA3_FTYFb=mn8Em7MPb5verBxwWWUcQvbwiV0w@mail.gmail.com>
Date: Mon, 5 Sep 2011 12:33:25 +0200
From: Mario Vilas <mvilas@...il.com>
To: paul.szabo@...ney.edu.au
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host
DLL Hijacking
Paul,
Those file extensions correspond to scripts. If a file contains a script
that runs when the file is double clicked, and the scripting engine is not
sandboxed (meaning the script can do the same things an executable file can
do) then the attack is meaningless. You can simply have the script inside
the file do malicious things instead of planting a DLL.
Binary planting, regardless of the discussion about it being a
"vulnerability" or not, in any case only makes sense when the file only
contains static data, or when the file contains executable code that would
normally not have the same privileges as a standard executable file. (A
script that doesn't get executed when double clicking on it -for example if
a text editor is opened instead- would be the same case as in a data file).
I've never used .js or .jse scripts on Windows, but all the other extensions
are patently not sandboxed scripts. In fact, the Windows Script Host
software is mostly used to write system maintenance scripts, so it's obvious
its scripts can't be restricted or they'd be useless. I'm guessing the same
applies to .js and .jse then, and of course I wouldn't mind seeing proof
that it doesn't. However the links you provided don't really prove anything
(the first one even says "this is not a complete list", and I admit I've
only glanced the second one but it seems unrelated, as it applies to file
transfers on Microsoft Sharepoint).
Planting a DLL file to be executed at the same time as other executable file
is just a convoluted way of doing the same thing. It *may* be used in some
strange, artificial situations, but I'm not convinced there aren't better
ways to do it, and in any case it doesn't justify an advisory. And judging
from what the timeline reads, I believe Microsoft simply ignored this one.
I hope my explanation helped :)
-Mario
On Mon, Sep 5, 2011 at 12:54 AM, <paul.szabo@...ney.edu.au> wrote:
> > Application: wscript.exe
> > Extensions: js, jse, vbe, vbs, wsf, wsh
> > Library: wshesn.dll
>
> Many people commented that the above extensions are "executable"
> already, so are (should be) treated with caution, or that they
> can be trojaned directly without any DLL load shenanigans.
>
> However... looking at
> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
>
> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
> I do not see JS listed as executable, though JSE is listed.
>
> Looking at
> http://msdn.microsoft.com/en-us/library/ms722429.aspx
> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
> machine, none of the above extensions are "designated".
>
> Maybe DLL hijacking is useful for some of these file types, after all?
>
> Cheers, Paul
>
> Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists