Message-ID: <CAAnPYQ5yrsvyDtvFvMTr9s-sbdOLx3EpG5cy_KYaGwwYzW63=g@mail.gmail.com>
Date: Fri, 25 Jul 2014 13:43:09 +0200
From: Gynvael Coldwind <gynvael@...dwind.pl>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: fulldisclosure <fulldisclosure@...lists.org>, bugtraq@...urityfocus.com
Subject: Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

Well, it was discussed a couple of times recently on FD that this is a bug,
but it's not a privilege escalation.
If you are admin (and you did mention that it's a prerequisite) you can
execute code as other users anyway - so there's no *escalation* here.

Therefore it's not a security bug (unless you are using a super old version
of Windows with incorrect ACLs on c:\, which sounds like a bug in itself),
just a "normal" bug.
Not sure if FD is the right place for non-security bugs tbh.

Cheers,
 On 25 Jul 2014 00:46, "Stefan Kanthak" <stefan.kanthak@...go.de> wrote:

> Brandon Perry wrote:
>
> > So, I am very curious how you are finding these? Have you automated this
> > or is it manual hand work?
>
> All my Windows installations have
> <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
> <http://home.arcor.de/skanthak/download/SENTINEL.DLL> preinstalled as
> C:\Program.exe and C:\Program.dll, so I'm notified when some poorly written
> program tries to execute them.
> The sentinels call MessageBox() with "MB_SERVICE_NOTIFICATION", so the
> messages are recorded in the event log too where I can find them later.
>
> I also preinstall an APPINIT.DLL <https://support.microsoft.com/kb/197571>
> which logs all command lines of programs linked to USER32.DLL to a file:
> filtering for "C:\Program " at column 1 lists all the culprits.
>
> My third source is a SAFER.Log <https://technet.microsoft.com/cc786941.aspx>
> where every execution attempt is logged, including the executable's caller:
> filtering this for "\program.exe" or "\program.dll" lists all the culprits.
>
> So basically I just have to sit and wait...
>
> In case one of my customers was hit, and this did not happen during an
> installation, I have to interrogate them what they did... and hope they can
> remember with sufficient detail.
>
> But almost all hits occur during installations or the customization following
> an installation (here it was the import of existing mails into a new account),
> so these are not so difficult to reproduce.
>
> regards
> Stefan
>
> PS: of course it helps if 8.3 names are disabled and "C:\Program Files\" can't
>     be aliased as C:\Progra~1\
>     To achieve this just run FORMAT C: /FS:NTFS /S:Disable in Windows PE
>     before you start the installation of Windows 7 and later.
>     For Windows NT5.x you'll have to use \i386\MIGRATE.INF
>
> > On Wed, Jul 23, 2014 at 2:50 PM, Stefan Kanthak <stefan.kanthak@...go.de> wrote:
> >
> >> Hi @ll,
> >>
> >> the import function of Windows Mail executes a rogue program C:\Program.exe
> >> with the credentials of another account, resulting in a privilege
> >> escalation!
>
> [...]
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
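The thread turns on three facts about a machine: whether a C:\Program.exe / C:\Program.dll (Stefan's sentinel, or a rogue file) is already present, whether the root ACL lets a non-administrator create files there (which is what would make the Windows Mail bug an actual escalation rather than the "normal" bug Gynvael describes), and whether 8.3 short names are still generated. The following audit function is an added example, not code from either poster; the function name, the list of low-privilege principals and the output layout are my own assumptions.

```powershell
function Test-ProgramExeExposure {
    param([string]$Drive = 'C:')
    $root = "$Drive\"

    # Principals whose write grant on the root would let an unprivileged account
    # plant C:\Program.exe. Assumed list; extend it for your environment.
    $lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                           'Everyone', 'NT AUTHORITY\INTERACTIVE')

    # 1. Is a sentinel or rogue C:\Program.exe / C:\Program.dll already there?
    $planted = @('Program.exe', 'Program.dll') |
        ForEach-Object { Join-Path $root $_ } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }

    # 2. Which low-privilege principals may create files directly in the root?
    #    Rights that allow creating a file in this directory (CreateFiles ==
    #    WriteData; Modify and FullControl include it).
    $fileCreate = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Modify, FullControl'
    $risky = (Get-Acl -LiteralPath $root).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $fileCreate) -ne 0 -and
        # Inherit-only ACEs (the stock "subfolders and files only" Modify grant)
        # do not apply to the root directory itself, so they are not a finding.
        ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0
    }

    # 3. Is 8.3 name generation still enabled on this volume? fsutil needs an
    #    elevated prompt; the raw status line is returned rather than parsed.
    $shortNames = (& fsutil.exe 8dot3name query $Drive 2>&1) -join ' '

    [PSCustomObject]@{
        Drive               = $Drive
        ProgramExePresent   = @($planted)
        RootWritableBy      = @($risky | ForEach-Object { "$($_.IdentityReference) ($($_.FileSystemRights))" })
        EightDotThreeStatus = $shortNames
        # True only when a non-admin could plant C:\Program.exe; otherwise an
        # unquoted-path bug on this host is not a privilege escalation.
        NonAdminCanPlant    = (@($risky).Count -gt 0)
    }
}

Test-ProgramExeExposure -Drive 'C:' | Format-List
```

Run it from an elevated prompt so the fsutil query succeeds; a non-empty RootWritableBy on a current Windows install is itself worth investigating, since the default root ACL grants Authenticated Users only AppendData (create subdirectories) on C:\ itself.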
