| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Aug 2014 21:54:48 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Beginners error: QuickTime for Windows runs rogue program
C:\Program.exe when opening associated files
scary - maybe the list of not affected apps would be shorter :-)
Am 07.08.2014 um 21:11 schrieb Stefan Kanthak:
> Hi @ll,
>
> the current version of QuickTime for Windows (and of course older versions
> too) associates the following erroneous and vulnerable command lines with
> some of the supported file types/extensions:
>
> QuickTime.3g2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.3gp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.3gp2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.3gpp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.aac=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.ac3=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.adts=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.aif=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.aifc=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.aiff=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.amc=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.amr=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.au=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.avi=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.bwf=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.caf=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.cdda=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.cel=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.dif=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.dv=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.flc=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.fli=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.gif=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.gsm=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.kar=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m15=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m1a=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m1s=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m1v=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m3u=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m3url=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m4a=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m4b=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m4p=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m4v=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m75=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mid=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.midi=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mov=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mp2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mp3=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mp4=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpa=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpeg=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpg=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpm=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpv=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mqv=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qcp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qht=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qhtm=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qt=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qtl=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.rts=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.rtsp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.sd2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.sdp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.sdv=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.smf=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.smi=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.smil=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.sml=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.snd=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.swa=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.ulw=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.vfw=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.wav=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
>
>
> From <http://msdn.microsoft.com/library/cc144175.aspx>
> or <http://msdn.microsoft.com/library/cc144101.aspx>:
>
> | Note: If any element of the command string contains or might contain
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> | spaces, it must be enclosed in quotation marks. Otherwise, if the
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> | element contains a space, it will not parse correctly. For instance,
> | "My Program.exe" starts the application properly. If you use
> | My Program.exe without quotation marks, then the system attempts to
> | launch My with Program.exe as its first command line argument. You
> | should always use quotation marks with arguments such as "%1" that are
> | expanded to strings by the Shell, because you cannot be certain that
> | the string will not contain a space.
>
>
> These command lines run the rogue program C:\Program.exe whenever the
> user double-clicks an associated file with the credentials of the user.
>
> Since every user account created during Windows setup has administrative
> rights every user owning such an account can create the rogue program,
> resulting in a privilege escalation.
>
> JFTR: no, the "user account control" is not a security boundary!
>
> From <http://support.microsoft.com/kb/2526083>:
>
> | Same-desktop Elevation in UAC is not a security boundary and can be hijacked
> | by unprivileged software that runs on the same desktop. Same-desktop
> | Elevation should be considered a convenience feature, and from a security
> | perspective, "Protected Administrator" should be considered the equivalent
> | of "Administrator."
>
>
> JFTR: this bugs only exists since Microsoft "masks" it.
> See <http://msdn.microsoft.com/library/ms682425.aspx> for this
> well-known idiosyncrasy:
>
> | For example, consider the string "c:\program files\sub dir\program name".
> | This string can be interpreted in a number of ways.
> | The system tries to interpret the possibilities in the following order:
> | c:\program.exe files\sub dir\program name
> | c:\program files\sub.exe dir\program name
> | c:\program files\sub dir\program.exe name
> | c:\program files\sub dir\program name.exe
>
> Without this kludge this beginners error would get caught upon
> the very first use of any of these command lines.
>
>
> "Long" filenames containing spaces exist for about 20 years in Windows.
> It's REALLY time that every developer and every QA engineer knows how
> to handle them properly.
>
>
> If you detect such silly beginners errors: report them and get them fixed.
> If the vendor does not fix them: trash the trash!
>
>
> regards
> Stefan Kanthak
>
>
> PS: for static detection of these silly beginners errors download and
> run <http://home.arcor.de/skanthak/download/SLOPPY.CMD>
>
> To catch all instances of this beginners error download
> <http://home.arcor.de/skanthak/download/SENTINEL.CMD>,
> <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and
> <http://home.arcor.de/skanthak/download/SENTINEL.EXE>, then read
> and run the script SENTINEL.CMD
>
> PPS: to fix these beginners errors for QuickTime (and iTunes too),
> download <http://home.arcor.de/skanthak/download/QUICKTIME.CMD>
> resp. <http://home.arcor.de/skanthak/download/ITUNES.CMD> and
> run these scripts.
> Dont forget to rerun them after every update of QuickTime or
> iTunes ... until Apple fixes their crapware!
Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists