lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <EC43A9D8E15A4FD1A7B169C7BAD22C19@celsius>
Date: Sat, 31 Aug 2013 12:58:40 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Defense in depth -- the Microsoft way (part 9):
	erroneous documentation

Hi,

in <http://seclists.org/fulldisclosure/2013/Aug/75> I documented
beginners errors (unquoted pathnames containing spaces) not only
in Microsoft products.

Microsofts developer documentation but shows these beginners errors
too (and is inconsistent, even in single topics).

Examples:

<http://msdn.microsoft.com/library/cc144171.aspx>

| HKEY_CLASSES_ROOT
|   txtile
...
|               Shell
...
|                  cmd2
...
|                     command
|                        (Default) = C:\Program Files\Windows NT\Accessories\wordpad.exe %1
                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~

<http://msdn.microsoft.com/library/bb165967.aspx>

| [HKEY_CLASSES_ROOT\Applications\VSLauncher.exe\Shell\Open\Command]
| @="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe \"%1\""
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| [HKEY_CLASSES_ROOT\VisualStudio.csproj.8.0\shell\Open\Command]
| @="\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe\" \"%1\""


<http://msdn.microsoft.com/library/cc144083.aspx>

| HKEY_LOCAL_MACHINE
|   SOFTWARE
|      Classes
|         contoso-search
|            shell
|               open
|                  command
|                     (Default) = "%ProgramFiles%\Contoso\Search\contososearch.exe %1"
                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~

<http://msdn.microsoft.com/library/cc144154.aspx>

| HKEY_LOCAL_MACHINE
|   SOFTWARE
|      Classes
|         LitwarePlayer11.AssocFile....
...
|            shell
|               open
|                  command
|                     (Default) = %ProgramFiles%\Litware\litware.exe
                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<http://msdn.microsoft.com/library/hh127450.aspx>

| HKEY_CLASSES_ROOT
|   CLSID
|      {0052D9FC-6764-4D29-A66F-2F3BD9E2BB40}
|         Shell
|            Open
|               Command
|                  (Default) = [REG_EXPAND_SZ] %ProgramFiles%\MyCorp\MyApp.exe /Settings
                                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


<http://msdn.microsoft.com/library/cc144188.aspx>

| <sh:task id="{3B75A7AE-C4E4-4E5A-9420-7CECCDA75425}"> 
|    <!-- This is a generated GUID, specific to this task link -->
|    <sh:name>@myTextResources.dll,-100</sh:name>
|    <sh:keywords>@myTextResources.dll,-101</sh:keywords>
|    <sh:command>%ProgramFiles%\Microsoft Games\Solitaire\solitaire.exe</sh:command>
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| </sh:task>


Example with ambiguous/inconsistent use of quotes:

<http://msdn.microsoft.com/en-us/library/aa767914.aspx>

| HKEY_CLASSES_ROOT
|   alert
|      (Default) = "URL:Alert Protocol"
                   ^                  ^
|      URL Protocol = ""
                      ^^
|      DefaultIcon
|         (Default) = "alert.exe,1"
                      ^           ^
|      shell
|         open
|            command
|               (Default) = "C:\Program Files\Alert\alert.exe" "%1"


Counterexamples:

<http://msdn.microsoft.com/library/cc144175.aspx>
<http://msdn.microsoft.com/library/cc144101.aspx>

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.


<http://msdn.microsoft.com/library/dd203067.aspx>
<http://msdn.microsoft.com/library/cc144109.aspx>


regards
Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ