lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BAY404-EAS4339F7C071E3472B878F150F2410@phx.gbl>
Date: Wed, 30 Apr 2014 18:05:50 -0400
From: Mike Cramer <mike.cramer@...look.com>
To: "'Alton Blom'" <altonius@...il.com>,
	"'Stefan Kanthak'" <stefan.kanthak@...go.de>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Beginners error: iTunes for Windows runs rogue program
	C:\Program.exe when opening associated files

I would like to know how this is a vulnerability.

In order to write to the root of C:\, you need elevated privileges in
Windows. Once someone gains elevated access, what does creating
"C:\program.exe" offer them that they couldn't otherwise obtain?

I have never actually seen malware take advantage of this, often times
leveraging Kernel hooks and driver loading.

It is unintended behavior, yes; but I'd consider it hardly a vulnerability.

-Mike

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf
Of Alton Blom
Sent: Wednesday, April 30, 2014 17:51
To: Stefan Kanthak
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Beginners error: iTunes for Windows runs rogue program
C:\Program.exe when opening associated files

Hi Stefan,

SANS had a good post on this a few years ago (
https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/1446
4),
which led to large number of services on windows machines with unquoted
paths being discovered and fixed.  At that time I discovered that Windows
Defender on Windows 7 had a problem like yours and reported it to Microsoft.
It took quite a while to get them to recognise it as a vulnerability, but it
eventually led to
https://technet.microsoft.com/en-us/library/security/ms13-058.aspx being
released and Windows Defender being updated.

At the same time I asked Tenable to create a plugin for Nessus that detects
vulnerable services which they quickly released (plugin 63155).  This in
turn led to a second round of vulnerable services being detected and patched
by vendors.

Also it's worth noting that OSVDB track these types of Vulns as
"Authentication Required, Not a Vulnerability"

Alton(ius)
altonblom.com


On Thu, May 1, 2014 at 5:02 AM, Stefan Kanthak
<stefan.kanthak@...go.de>wrote:

> Hi @ll,
>
> the current version of iTunes for Windows (and of course older 
> versions
> too) associates the following vulnerable command lines with some of 
> the supported file types/extensions:
>
> daap=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
> itls=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
> itms=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
> itmss=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
> itpc=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
> itsradio=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
> iTunes=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
> iTunes.AssocProtocol.daap=C:\Program Files (x86)\iTunes\iTunes.exe 
> /url "%1"
> iTunes.AssocProtocol.itls=C:\Program Files (x86)\iTunes\iTunes.exe 
> /url "%1"
> iTunes.AssocProtocol.itms=C:\Program Files (x86)\iTunes\iTunes.exe 
> /url "%1"
> iTunes.AssocProtocol.itmss=C:\Program Files (x86)\iTunes\iTunes.exe 
> /url"%1"
> iTunes.AssocProtocol.itpc=C:\Program Files (x86)\iTunes\iTunes.exe 
> /url "%1"
> iTunes.AssocProtocol.pcast=C:\Program Files (x86)\iTunes\iTunes.exe 
> /url"%1"
> itunesradio=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
> pcast=C:\Program Files (x86)\iTunes\iTunes.exe /url "%1"
>
>
> The command line registered under
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\iTunes\shell\open\command]
> @="C:\Program Files\iTunes\iTunes.exe"
>
> shows the same beginners error too: an unquoted pathname allows the 
> execution of the rogue programs "C:\Program.exe" or "C:\Program Files.exe"
> instead of the intended executable.
>
>
> From <http://msdn.microsoft.com/library/cc144175.aspx>
> or <http://msdn.microsoft.com/library/cc144101.aspx>:
>
> | Note: If any element of the command string contains or might contain
>         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> | spaces, it must be enclosed in quotation marks. Otherwise, if the
>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> | element contains a space, it will not parse correctly. For instance, 
> | "My Program.exe" starts the application properly. If you use My 
> | Program.exe without quotation marks, then the system attempts to 
> | launch My with Program.exe as its first command line argument. You 
> | should always use quotation marks with arguments such as "%1" that 
> | are expanded to strings by the Shell, because you cannot be certain 
> | that the string will not contain a space.
>
>
> "Long" filenames containing spaces exist for about 20 years in Windows.
> It's REALLY time that every developer and every QA engineer knows how 
> to handle them properly.
>
>
> If you detect such silly bugs: report them and get them fixed.
> If the vendor does not fix them: trash the trash!
>
>
> JFTR: this bugs only exists since Microsoft "masks" it.
>       See <http://msdn.microsoft.com/library/ms682425.aspx> for this
>       well-known idiosyncrasy:
>
> | For example, consider the string "c:\program files\sub dir\program
name".
> | This string can be interpreted in a number of ways.
> | The system tries to interpret the possibilities in the following order:
> | c:\program.exe files\sub dir\program name c:\program files\sub.exe 
> | dir\program name c:\program files\sub dir\program.exe name 
> | c:\program files\sub dir\program name.exe
>
>       Without this kludge this beginners error would get caught upon
>       the very first use of any of these command lines.
>
>
> Since every user account created during Windows setup has 
> administrative rights every user owning such an account can create the 
> rogue program, resulting in a privilege escalation.
>
> JFTR: no, the "user account control" is not a security boundary!
>
>
> regards
> Stefan Kanthak
>
>
> PS: for static detection of these silly beginners errors download and
>     run <http://home.arcor.de/skanthak/download/SLOPPY.CMD>
>
>     To catch all instances of this beginners error download
>     <http://home.arcor.de/skanthak/download/SENTINEL.CMD>,
>     <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and
>     <http://home.arcor.de/skanthak/download/SENTINEL.EXE>, then read
>     and run SENTINEL.CMD
>
> _______________________________________________
> Sent through the Full Disclosure mailing list 
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ