| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 May 2014 18:26:09 +0200 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: "Tavis Ormandy" <taviso-1TlbntoI6+xF6kxbq+BtvQ@...lic.gmane.org> Cc: fulldisclosure@...lists.org Subject: Re: [FD] Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe "Tavis Ormandy" <taviso-1TlbntoI6+xF6kxbq+BtvQ@...lic.gmane.org> wrote: > "Stefan Kanthak" <stefan.kanthak-i47jiTeKxPI@...lic.gmane.org> wrote: > >> Hi @ll, >> >> several programs of the current Windows 7 driver software for the "HP >> OfficeJet 6700" multifunction device execute a rogue program >> C:\Program.exe >> >> > > It sounds like a bug, but why is this a security issue? It's a DoS too. But in the first hand its just AWFUL BAD coding and SLOPPY QA: "long" filenames with embedded spaces exist for more than 20 years in Windows, but some paid dimwits in companies like HP, Microsoft, McAfee, Synaptics, ... still dont get their code right. > I can only imagine two possible scenarios > > 1. You've somehow made the root parition FAT32, in which case you're using a > non-securable filesystem; Therefore not a security issue. > 2. You've set a bad ACL on the root directory, therefore user error. 3. You think Windows' "user account control" is a security boundary. UAC is but NOT a security boundary: <http://technet.microsoft.com/magazine/2007.06.uac.aspx> | Elevations and Security Boundaries ... <http://support.microsoft.com/kb/2526083> | Same-desktop Elevation in UAC is not a security boundary and can be hijacked | by unprivileged software that runs on the same desktop. Same-desktop | Elevation should be considered a convenience feature, and from a security | perspective, "Protected Administrator" should be considered the equivalent | of "Administrator." <http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx> | It should be clear then, that neither UAC elevations nor Protected Mode IE | define new Windows security boundaries. Microsoft has been communicating | this but I want to make sure that the point is clearly heard. <http://download.microsoft.com/download/0/e/9/0e922c03-8537-482f-b57c-aa385b3dee20/Security_Best_Practice_Guidance_for_Consumers.doc > | It's very important to remember that UAC prompts are not a security boundary | - they don't offer direct protection. > If you believe otherwise, please post details, as that would be an > interesting discovery. Every user account created during Windows setup is an administrator account, so every user can create C:\Program.exe Microsoft tries to sell "defense in depth" to their customers since they started their "trustworthy computing" about 13 years ago. But they still create administrator accounts during Windows setup, CreateProcess() still has the idiosyncrazy to execute C:\Program.exe, and the WHQL certification still let drivers pass which execute C:\Program.exe during installation and operation. This bad practice then yields software like the HP drivers. regards Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists