Message-ID: <CAExQ7uLzjwcv_N6bOgTuyahoAs9mckjqbmE58fyO9LhGzON_tQ@mail.gmail.com>
Date: Sat, 31 Aug 2013 11:20:47 -0500
From: adam <adam@...sy.net>
To: hardfalcon@...dfalcon.net
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Defense in depth -- the Microsoft way (part 9): erroneous documentation
I'm on the same page as Pascal, what is the point of this? The part
that really stands out for me is how Microsoft is being singled out
here. If it's about their documentation, then it's not really about a
vulnerability. If it's NOT about their documentation, then you'd be
hard pressed to find a platform that _doesn't_ work this way.
On Sat, Aug 31, 2013 at 8:37 AM, <hardfalcon@...dfalcon.net> wrote:
> I am truly shocked that seemingly, stuff like this needs to be said in
> the year of 2013. I'd have supposed that things like these should be
> known by *anyone* doing anything even remotely similar to software
> development *at least* since the end of the 8.3 filename era 15 years
> ago. Are you sure this is real and not a prank? o_O
>
> regards
> Pascal Ernster
>
>
> On 31.08.2013 12:58, Stefan Kanthak wrote:
>> Hi,
>>
>> in <http://seclists.org/fulldisclosure/2013/Aug/75> I documented
>> beginners' errors (unquoted pathnames containing spaces), not only
>> in Microsoft products.
>>
>> Microsoft's developer documentation, however, shows these beginners'
>> errors too (and is inconsistent, even within single topics).
>>
>> Examples:
>>
>> <http://msdn.microsoft.com/library/cc144171.aspx>
>>
>> | HKEY_CLASSES_ROOT
>> |    txtile
>> ...
>> |       Shell
>> ...
>> |          cmd2
>> ...
>> |             command
>> |                (Default) = C:\Program Files\Windows NT\Accessories\wordpad.exe %1
>>                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~
>>
>> <http://msdn.microsoft.com/library/bb165967.aspx>
>>
>> | [HKEY_CLASSES_ROOT\Applications\VSLauncher.exe\Shell\Open\Command]
>> | @="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe \"%1\""
>>      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> | [HKEY_CLASSES_ROOT\VisualStudio.csproj.8.0\shell\Open\Command]
>> | @="\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe\" \"%1\""
>>
>>
>> <http://msdn.microsoft.com/library/cc144083.aspx>
>>
>> | HKEY_LOCAL_MACHINE
>> |    SOFTWARE
>> |       Classes
>> |          contoso-search
>> |             shell
>> |                open
>> |                   command
>> |                      (Default) = "%ProgramFiles%\Contoso\Search\contososearch.exe %1"
>>                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~
>>
>> <http://msdn.microsoft.com/library/cc144154.aspx>
>>
>> | HKEY_LOCAL_MACHINE
>> |    SOFTWARE
>> |       Classes
>> |          LitwarePlayer11.AssocFile....
>> ...
>> |             shell
>> |                open
>> |                   command
>> |                      (Default) = %ProgramFiles%\Litware\litware.exe
>>                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> <http://msdn.microsoft.com/library/hh127450.aspx>
>>
>> | HKEY_CLASSES_ROOT
>> |    CLSID
>> |       {0052D9FC-6764-4D29-A66F-2F3BD9E2BB40}
>> |          Shell
>> |             Open
>> |                Command
>> |                   (Default) = [REG_EXPAND_SZ] %ProgramFiles%\MyCorp\MyApp.exe /Settings
>>                                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>
>> <http://msdn.microsoft.com/library/cc144188.aspx>
>>
>> | <sh:task id="{3B75A7AE-C4E4-4E5A-9420-7CECCDA75425}">
>> |     <!-- This is a generated GUID, specific to this task link -->
>> |     <sh:name>@myTextResources.dll,-100</sh:name>
>> |     <sh:keywords>@myTextResources.dll,-101</sh:keywords>
>> |     <sh:command>%ProgramFiles%\Microsoft Games\Solitaire\solitaire.exe</sh:command>
>>                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> | </sh:task>
>>
>>
>> Example with ambiguous/inconsistent use of quotes:
>>
>> <http://msdn.microsoft.com/en-us/library/aa767914.aspx>
>>
>> | HKEY_CLASSES_ROOT
>> |    alert
>> |       (Default) = "URL:Alert Protocol"
>>                     ^                  ^
>> |       URL Protocol = ""
>>                        ^^
>> |       DefaultIcon
>> |          (Default) = "alert.exe,1"
>>                        ^           ^
>> |       shell
>> |          open
>> |             command
>> |                (Default) = "C:\Program Files\Alert\alert.exe" "%1"
>>
>>
>> Counterexamples:
>>
>> <http://msdn.microsoft.com/library/cc144175.aspx>
>> <http://msdn.microsoft.com/library/cc144101.aspx>
>>
>> | Note: If any element of the command string contains or might contain
>> | spaces, it must be enclosed in quotation marks. Otherwise, if the
>> | element contains a space, it will not parse correctly. For instance,
>> | "My Program.exe" starts the application properly. If you use
>> | My Program.exe without quotation marks, then the system attempts to
>> | launch My with Program.exe as its first command line argument. You
>> | should always use quotation marks with arguments such as "%1" that are
>> | expanded to strings by the Shell, because you cannot be certain that
>> | the string will not contain a space.
>>
>>
>> <http://msdn.microsoft.com/library/dd203067.aspx>
>> <http://msdn.microsoft.com/library/cc144109.aspx>
>>
>>
>> regards
>> Stefan Kanthak
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
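The following is an added example, not code from this thread, from Stefan Kanthak or from Microsoft. It takes the command strings quoted from the MSDN pages above, applies the quoting rules the counterexample pages state, and reports for each unquoted string which program names the loader would try before reaching the intended executable (the CreateProcess documentation's "tries each prefix, appending .exe when there is no extension" behaviour). The %ProgramFiles% expansion table and the sample names are assumptions made for the example; the command strings themselves are the ones quoted in the thread.

```python
"""Audit Windows shell-verb command strings for the quoting mistakes shown in the
thread (added example, not code from the thread or from Microsoft).

Rules modelled, from the CreateProcess and "Verbs and File Associations" docs:
  * a command string starting with a double quote names its program in the
    quoted token; everything after the closing quote is arguments;
  * an unquoted command string is ambiguous: the loader tries each
    whitespace-delimited prefix as the program name, appending ".exe" when the
    prefix has no extension, before it reaches the intended path.
"""
import ntpath
import re

# Constructed sample set: command strings copied from the MSDN excerpts quoted
# in the thread; the names are the example's own labels.
SAMPLES = {
    "wordpad":         r"C:\Program Files\Windows NT\Accessories\wordpad.exe %1",
    "vslauncher_bad":  r'C:\Program Files\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe "%1"',
    "vslauncher_good": r'"C:\Program Files\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe" "%1"',
    "contoso":         r'"%ProgramFiles%\Contoso\Search\contososearch.exe %1"',
    "litware":         r"%ProgramFiles%\Litware\litware.exe",
    "myapp":           r"%ProgramFiles%\MyCorp\MyApp.exe /Settings",
    "alert":           r'"C:\Program Files\Alert\alert.exe" "%1"',
}

# Hypothetical expansion table standing in for ExpandEnvironmentStrings.
ENV = {"ProgramFiles": r"C:\Program Files"}

EXE_EXT = (".exe", ".com", ".bat", ".cmd")


def expand_env(cmd, env=ENV):
    """Expand %NAME% references as a REG_EXPAND_SZ value is expanded;
    unknown names are left in place."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), cmd)


def prefixes(cmd):
    """All whitespace-delimited prefixes of an unquoted command string,
    shortest first, ending with the whole string."""
    return [cmd[:m.start()] for m in re.finditer(r"\s", cmd)] + [cmd]


def intended_program(cmd):
    """Index (into prefixes()) of the shortest prefix that ends in an
    executable extension, i.e. the program the author meant; 0 if none."""
    for i, p in enumerate(prefixes(cmd)):
        if p.lower().endswith(EXE_EXT):
            return i
    return 0


def createprocess_candidates(cmd):
    """Program names the loader would try, in order, for an already expanded
    command string. A quoted string yields exactly one candidate."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    # CreateProcess appends .exe to a candidate that has no extension.
    return [p if ntpath.splitext(p)[1] else p + ".exe" for p in prefixes(cmd)]


def classify(cmd):
    """Return one of:
      'quoted'                    program quoted, arguments outside the quotes
      'quoted-includes-arguments' the quotes wrap the arguments too
      'unquoted-no-spaces'        unquoted, but the program path has no space
      'unquoted-with-spaces'      unquoted and the program path contains spaces
    """
    cmd = expand_env(cmd)
    if cmd.startswith('"'):
        token = createprocess_candidates(cmd)[0]
        return "quoted" if token.lower().endswith(EXE_EXT) else "quoted-includes-arguments"
    program = prefixes(cmd)[intended_program(cmd)]
    return "unquoted-with-spaces" if " " in program else "unquoted-no-spaces"


def audit(samples=SAMPLES):
    """Map each sample name to (classification, program names the loader tries
    before the intended executable). An empty list means no ambiguity."""
    report = {}
    for name, cmd in samples.items():
        expanded = expand_env(cmd)
        kind = classify(cmd)
        shadowing = []
        if kind.startswith("unquoted"):
            shadowing = createprocess_candidates(expanded)[:intended_program(expanded)]
        report[name] = (kind, shadowing)
    return report


if __name__ == "__main__":
    for name, (kind, shadowing) in audit().items():
        print(f"{name:16} {kind:28} tried first: {shadowing}")
```

Only the strings classified as "quoted" parse unambiguously; for every "unquoted-with-spaces" entry the list of names tried first is exactly what a file such as C:\Program.exe would hijack, which is why the audit reports those names rather than only a verdict. The "quoted-includes-arguments" verdict covers the contoso-search example, where the closing quote sits after the %1 and the whole string, argument included, becomes the program name.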