lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <D89D5E50D3A742B98485F8356BA7EC65@celsius>
Date: Thu, 1 May 2014 00:00:19 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Gynvael Coldwind" <gynvael@...dwind.pl>
Cc: fulldisclosure <fulldisclosure@...lists.org>, bugtraq@...urityfocus.com
Subject: Re: [FD] Beginners error: iTunes for Windows runs rogue program
	C:\Program.exe when opening associated files

"Gynvael Coldwind" <gynvael@...dwind.pl> wrote:

> Well spotted.

Thanks.
It's but a shame that such silly beginners errors are still present in
current software.

I didn't bother to look specifically for it since my "customers" and I
used german versions of Windows NT5.x until now, where %ProgramFiles%
is C:\Programme, without a space.

I also installed mal^Wsoftware like Microsoft Office or Mozilla Firefox
not into their default locations %ProgramFiles%\Microsoft Office or
%ProgramFiles%\Mozilla Firefox, but used C:\Programme\Microsoft\Office
resp. C:\Programme\Mozilla\Firefox instead to mitigate such errors.

> That said, don't you have to be an admin to be able to create files in
> these directories anyway?

Yes. But I mentioned that:

| Since every user account created during Windows setup has administrative
| rights every user owning such an account can create the rogue program,
| resulting in a privilege escalation.
|
| JFTR: no, the "user account control" is not a security boundary!

Of course an administrator has many more ways to run a program under
another user account. But this one is for dummies.

> So this is only exploitable on FAT, or by admin, or if the ACLs are
> set incorrectly right?

Correct (but FAT cant be used any more for the boot partition of Windows
Vista and later).

These silly beginners errors but show that neither the developers nor
their QA are doing their jobs well.-(
And if they did not spot such simple errors, what about the "real" bugs?

Unfortunately Apple is not the only culprit.

Some WHQL-signed drivers run C:\Program.exe under "LocalSystem" account
during their installation ($VENDOR, you know who you are, I reported this
bug some years ago, and you did not react at all), quite some application
packages of major companies install services running under "LocalSystem"
account with ImagePath=C:\Program Files\... or COM-out-of-process servers
with LocalServer32=C:\Program Files\..., and installer creators like NSIS
MSI or InstallShield dont help their users to avoid this silly beginners
error (see <http://seclists.org/fulldisclosure/2013/May/14> and
<http://seclists.org/fulldisclosure/2013/May/37> for just the tip of the
iceberg).

"navigare^Wsoftware engineering necesse est!"

regards
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ