lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <025A7C916E954B7391380D01AFB2C239@celsius>
Date: Wed, 28 May 2014 23:07:55 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 15): unquoted
	arguments in 120 (of 462) command lines

Hi @ll,

for MANY years now Microsofts own documentation for CreateProcess*()
<http://msdn.microsoft.com/library/cc144175.aspx> resp.
<http://msdn.microsoft.com/library/cc144101.aspx> says:

| Note: If any element of the command string contains or might contain
                                                      ~~~~~~~~~~~~~~~~
| spaces, it must be enclosed in quotation marks.
             ~~~~

Additionally "Registering an Application to a URI Scheme"
<http://msdn.microsoft.com/library/aa767914.aspx> shows:

| HKEY_CLASSES_ROOT
|   alert
|      (Default) = "URL:Alert Protocol"
|      URL Protocol = ""
|      DefaultIcon
|         (Default) = "alert.exe,1"
|      shell
|         open
|            command
|               (Default) = "C:\Program Files\Alert\alert.exe" "%1"
                                                               ~~~~
...
| To mitigate this issue:
| * Avoid spaces, quotes, or backslashes in your URI
| * Quote the %1 in the registration ("%1" as written in the 'alert' example
|   registration)


Let's take a look at the registry of Windows 8.1 (as it comes on the DVD
available from <http://technet.microsoft.com/evalcenter/hh699156.aspx>,
inside the \sources\install.wim):

[HKEY_CLASSES_ROOT\Application.Manifest\shell\open\command]
@="\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\dfshim.dll\",ShOpenVerbApplication %1"

[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\Applications\photoviewer.dll\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\Applications\photoviewer.dll\shell\print\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\batfile\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\batfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\CABFolder\Shell\Open\Command]
@=expand:"%SystemRoot%\\Explorer.exe /idlist,%I,%L"

[HKEY_CLASSES_ROOT\CATFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCAT %1"

[HKEY_CLASSES_ROOT\CERFile\shell\add\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtAddCER %1"

[HKEY_CLASSES_ROOT\CERFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER %1"

[HKEY_CLASSES_ROOT\CertificateStoreFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenSTR %1"

[HKEY_CLASSES_ROOT\chm.file\shell\open\command]
@=expand:\\""%SystemRoot%\\hh.exe\" %1"

[HKEY_CLASSES_ROOT\cmdfile\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\cmdfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\CompressedFolder\shell\Open\Command]
@=expand:"%SystemRoot%\\Explorer.exe /idlist,%I,%L"

[HKEY_CLASSES_ROOT\CRLFile\shell\add\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtAddCRL %1"

[HKEY_CLASSES_ROOT\CRLFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCRL %1"

[HKEY_CLASSES_ROOT\desktopthemepackfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\themecpl.dll,OpenThemeAction %1"

[HKEY_CLASSES_ROOT\Drive\shell\change-passphrase\command]
@=expand:"%SystemRoot%\\system32\\bdechangepin.exe -pw %1"

[HKEY_CLASSES_ROOT\Drive\shell\unlock-bde\command]
@=expand:"%SystemRoot%\\system32\\bdeunlock.exe %1"

[HKEY_CLASSES_ROOT\Explorer.AssocProtocol.search-ms\shell\open\command]
@=expand:"%SystemRoot%\\Explorer.exe /separate,/idlist,%I,%L"

[HKEY_CLASSES_ROOT\fonfile\shell\preview\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe %1"

[HKEY_CLASSES_ROOT\fonfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe /p %1"

[HKEY_CLASSES_ROOT\ftp\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\giffile\shell\Open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\hlpfile\shell\open\command]
@=expand:"%SystemRoot%\\winhlp32.exe %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\https\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\icofile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.HTM\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.HTM\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.MHT\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.MHT\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.PARTIAL\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.SVG\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.SVG\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.URL\Shell\Open\Command]
@="\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\ieframe.dll\",OpenURL %l"

[HKEY_CLASSES_ROOT\IE.AssocFile.XHT\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.AssocFile.XHT\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.FTP\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.HTTP\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\IE.HTTPS\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\inffile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\inffile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\inifile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\InternetShortcut\shell\Open\Command]
@="\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\ieframe.dll\",OpenURL %l"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\JSEFile\Shell\Edit\Command]
@="C:\\Windows\\system32\\Notepad.exe %1"

[HKEY_CLASSES_ROOT\JSEFile\Shell\Print\Command]
@="C:\\Windows\\system32\\Notepad.exe /p %1"

[HKEY_CLASSES_ROOT\JSFile\Shell\Edit\Command]
@="C:\\Windows\\system32\\Notepad.exe %1"

[HKEY_CLASSES_ROOT\JSFile\Shell\Print\Command]
@="C:\\Windows\\system32\\Notepad.exe /p %1"

[HKEY_CLASSES_ROOT\mhtmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\MSDASC\shell\open\command]
@=expand:"Rundll32.exe \"%CommonProgramFiles%\\System\\OLE DB\\oledb32.dll\",OpenDSLFile %1"

[HKEY_CLASSES_ROOT\NetServer\shell\remotedesktop\command]
@="mstsc.exe -v %1"

[HKEY_CLASSES_ROOT\otffile\shell\preview\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe %1"

[HKEY_CLASSES_ROOT\otffile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe /p %1"

[HKEY_CLASSES_ROOT\P7RFile\shell\add\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtAddP7R %1"

[HKEY_CLASSES_ROOT\P7RFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenP7R %1"

[HKEY_CLASSES_ROOT\P7SFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"

[HKEY_CLASSES_ROOT\Paint.Picture\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\pfmfile\shell\preview\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe %1"

[HKEY_CLASSES_ROOT\pfmfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe /p %1"

[HKEY_CLASSES_ROOT\PFXFile\shell\add\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtAddPFX %1"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Bitmap\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.JFIF\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Jpeg\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Png\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Tiff\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Wdp\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\pjpegfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\pngfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\prffile\shell\Open\command]
@=expand:\\""%SystemRoot%\\system32\\rundll32.exe\" \"%SystemRoot%\\system32\\msrating.dll\",ClickedOnPRF %1"

[HKEY_CLASSES_ROOT\ratfile\Shell\Open\Command]
@=expand:\\""%SystemRoot%\\system32\\rundll32.exe\" \"%SystemRoot%\\system32\\msrating.dll\",ClickedOnRAT %1"

[HKEY_CLASSES_ROOT\rlogin\shell\open\command]
@="\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\url.dll\",TelnetProtocolHandler %l"

[HKEY_CLASSES_ROOT\SavedDsQuery\Shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\dsquery.dll,OpenSavedDsQuery %1"

[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"

[HKEY_CLASSES_ROOT\search\shell\open\command]
@=expand:"%SystemRoot%\\Explorer.exe /separate,/idlist,%I,%L"

[HKEY_CLASSES_ROOT\search-ms\shell\open\command]
@=expand:"%SystemRoot%\\Explorer.exe /separate,/idlist,%I,%L"

[HKEY_CLASSES_ROOT\Shell.CDBurn\Shell\Prepare\Command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,PrepareDiscForBurnRunDll %L"

[HKEY_CLASSES_ROOT\SPCFile\shell\add\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtAddSPC %1"

[HKEY_CLASSES_ROOT\SPCFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"

[HKEY_CLASSES_ROOT\svgfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\svgfile\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\SystemFileAssociations\image\shell\print\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\SystemFileAssociations\text\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\SystemFileAssociations\text\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\telnet\shell\open\command]
@="\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\url.dll\",TelnetProtocolHandler %l"

[HKEY_CLASSES_ROOT\themefile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\themecpl.dll,OpenThemeAction %1"

[HKEY_CLASSES_ROOT\themepackfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\themecpl.dll,OpenThemeAction %1"

[HKEY_CLASSES_ROOT\tn3270\shell\open\command]
@="\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\url.dll\",TelnetProtocolHandler %l"

[HKEY_CLASSES_ROOT\TIFImage.Document\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\ttcfile\shell\preview\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe %1"

[HKEY_CLASSES_ROOT\ttcfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe /p %1"

[HKEY_CLASSES_ROOT\ttffile\shell\preview\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe %1"

[HKEY_CLASSES_ROOT\ttffile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe /p %1"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\txtfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\VBEFile\Shell\Edit\Command]
@=expand:\\""%SystemRoot%\\system32\\Notepad.exe\" %1"

[HKEY_CLASSES_ROOT\VBEFile\Shell\Print\Command]
@=expand:\\""%SystemRoot%\\system32\\Notepad.exe\" /p %1"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Edit\Command]
@=expand:\\""%SystemRoot%\\system32\\Notepad.exe\" %1"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Print\Command]
@=expand:\\""%SystemRoot%\\system32\\Notepad.exe\" /p %1"

[HKEY_CLASSES_ROOT\wdpfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\wdpfile\shell\print\command]
@=expand:"rundll32.exe %SystemRoot%\\system32\\shimgvw.dll,ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\webpnpFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\wpnpinst.exe %1"

[HKEY_CLASSES_ROOT\WPDContextMenu.Url\Shell\Open\Command]
@=expand:\\""%SystemRoot%\\system32\\rundll32.exe\" \"%SystemRoot%\\system32\\ieframe.dll\",OpenURL %l"

[HKEY_CLASSES_ROOT\WSFFile\Shell\Edit\Command]
@=expand:\\""%SystemRoot%\\system32\\Notepad.exe\" %1"

[HKEY_CLASSES_ROOT\WSFFile\Shell\Print\Command]
@=expand:\\""%SystemRoot%\\system32\\Notepad.exe\" /p %1"

[HKEY_CLASSES_ROOT\xhtmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\xhtmlfile\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\xmlfile\shell\Open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\xslfile\shell\Open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\zapfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\zapfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Hotmail\Protocols\mailto\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Internet Explorer\\hmmapi.dll\",MailToProtocolHandler %1"


OUCH!
120 command lines (out of 462, ie 25.9%) have an unquoted argument.


Cf. <https://blog.mozilla.org/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/>,
<http://blogs.msdn.com/b/david_leblanc/archive/2007/07/24/security-dependencies.aspx>
<http://weblogs.mozillazine.org/asa/archives/2007/07/its-just-too-ha.html>
<https://technet.microsoft.com/library/security/ms07-061>

Quotes bite, but missing quotes bite too^Wmore!


regards
Stefan Kanthak


PS: the following command lines with unquoted pathnames execute C:\Program.exe:

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@=expand:"%ProgramFiles%\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe"

[HKEY_CLASSES_ROOT\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}\Shell\Open\Command]
@=expand:"%ProgramFiles%\\Windows Defender\\MSASCui.exe"

That's the FOURTH time Windows Defender resp. Microsoft Security Essentials
comes with an unquoted pathname in the command line, cf.
<https://technet.microsoft.com/library/security/ms13-058>
<https://technet.microsoft.com/library/security/ms13-034>
<http://seclists.org/fulldisclosure/2013/May/10>


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ