lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8226A24155324301BA1D843EB17DFECA@celsius>
Date: Fri, 25 Jul 2014 00:40:01 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Brandon Perry" <bperry.volatile@...il.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] Beginner's error: import function of Windows Mail executes
	rogue program C:\Program.exe with credentials of other account

Brandon Perry wrote:

> So, I am very curious how you are finding these? Have you automated this or
> is it manual hand work?

All my Windows installations have
<http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> preinstalled as
C:\Program.exe and C:\Program.dll, so I'm notified when some poorly written
program tries to execute them.
The sentinels call MessageBox() with "MB_SERVICE_NOTIFICATION", so the
messages are recorded in the event log too where I can find them later.

I also preinstall an APPINIT.DLL <https://support.microsoft.com/kb/197571>
which logs all command lines of programs linked to USER32.DLL to a file:
filtering for "C:\Program " at column 1 lists all the culprits.

My third source is a SAFER.Log <https://technet.microsoft.com/cc786941.aspx>
where every execution attempt is logged, including the executables caller:
filtering this for "\program.exe" or "\program.dll" lists all the culprits.

So basically I just have to sit and wait...

In case one of my customers was hit, and this did not happen during an
installation, I have to interrogate them what they did... and hope they can
remember with sufficient detail.

But almost all hits occur during installations or the customization following
an installation (here it was the import of existing mails into a new account),
so these are not so difficult to reproduce.

regards
Stefan

PS: of course it helps if 8.3 names are disabled and "C:\Program Files\" can't
    be aliased as C:\Progra~1\
    To achieve this just run FORMAT C: /FS:NTFS /S:Disable in Windows PE
    before you start the installation of Windows 7 and later.
    For Windows NT5.x you'll have to use \i386\MIGRATE.INF

> On Wed, Jul 23, 2014 at 2:50 PM, Stefan Kanthak <stefan.kanthak@...go.de>
> wrote:
> 
>> Hi @ll,
>>
>> the import function of Windows Mail executes a rogue program C:\Program.exe
>> with the credentials of another account, resulting in a privilege
>> escalation!

[...]

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ