Message-ID: <53EA7108.7040306@thelounge.net>
Date: Tue, 12 Aug 2014 21:54:48 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Beginners error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files

scary - maybe the list of not affected apps would be shorter :-)

Am 07.08.2014 um 21:11 schrieb Stefan Kanthak:
> Hi @ll,
> 
> the current version of QuickTime for Windows (and of course older versions
> too) associates the following erroneous and vulnerable command lines with
> some of the supported file types/extensions:
> 
> QuickTime.3g2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.3gp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.3gp2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.3gpp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.aac=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.ac3=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.adts=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.aif=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.aifc=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.aiff=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.amc=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.amr=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.au=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.avi=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.bwf=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.caf=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.cdda=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.cel=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.dif=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.dv=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.flc=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.fli=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.gif=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.gsm=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.kar=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m15=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m1a=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m1s=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m1v=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m3u=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m3url=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m4a=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m4b=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m4p=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m4v=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.m75=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mid=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.midi=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mov=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mp2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mp3=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mp4=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpa=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpeg=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpg=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpm=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mpv=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.mqv=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qcp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qht=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qhtm=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qt=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.qtl=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.rts=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.rtsp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.sd2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.sdp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.sdv=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.smf=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.smi=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.smil=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.sml=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.snd=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.swa=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.ulw=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.vfw=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> QuickTime.wav=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
> 
> 
> From <http://msdn.microsoft.com/library/cc144175.aspx>
> or <http://msdn.microsoft.com/library/cc144101.aspx>:
> 
> | Note: If any element of the command string contains or might contain
>         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> | spaces, it must be enclosed in quotation marks. Otherwise, if the
>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> | element contains a space, it will not parse correctly. For instance,
> | "My Program.exe" starts the application properly. If you use
> | My Program.exe without quotation marks, then the system attempts to
> | launch My with Program.exe as its first command line argument. You
> | should always use quotation marks with arguments such as "%1" that are
> | expanded to strings by the Shell, because you cannot be certain that
> | the string will not contain a space.
> 
> 
> These command lines run the rogue program C:\Program.exe whenever the
> user double-clicks an associated file with the credentials of the user.
> 
> Since every user account created during Windows setup has administrative
> rights, every user owning such an account can create the rogue program,
> resulting in a privilege escalation.
> 
> JFTR: no, the "user account control" is not a security boundary!
> 
>       From <http://support.microsoft.com/kb/2526083>:
> 
> | Same-desktop Elevation in UAC is not a security boundary and can be hijacked
> | by unprivileged software that runs on the same desktop. Same-desktop
> | Elevation should be considered a convenience feature, and from a security
> | perspective, "Protected Administrator" should be considered the equivalent
> | of "Administrator."
> 
> 
> JFTR: this bug only exists since Microsoft "masks" it.
>       See <http://msdn.microsoft.com/library/ms682425.aspx> for this
>       well-known idiosyncrasy:
> 
> | For example, consider the string "c:\program files\sub dir\program name".
> | This string can be interpreted in a number of ways.
> | The system tries to interpret the possibilities in the following order:
> | c:\program.exe files\sub dir\program name
> | c:\program files\sub.exe dir\program name
> | c:\program files\sub dir\program.exe name
> | c:\program files\sub dir\program name.exe
> 
>       Without this kludge this beginners error would get caught upon
>       the very first use of any of these command lines.
> 
> 
> "Long" filenames containing spaces exist for about 20 years in Windows.
> It's REALLY time that every developer and every QA engineer knows how
> to handle them properly.
> 
> 
> If you detect such silly beginners errors: report them and get them fixed.
> If the vendor does not fix them: trash the trash!
> 
> 
> regards
> Stefan Kanthak
> 
> 
> PS: for static detection of these silly beginners errors download and
>     run <http://home.arcor.de/skanthak/download/SLOPPY.CMD>
> 
>     To catch all instances of this beginners error download
>     <http://home.arcor.de/skanthak/download/SENTINEL.CMD>,
>     <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and
>     <http://home.arcor.de/skanthak/download/SENTINEL.EXE>, then read
>     and run the script SENTINEL.CMD
> 
> PPS: to fix these beginners errors for QuickTime (and iTunes too),
>      download <http://home.arcor.de/skanthak/download/QUICKTIME.CMD>
>      resp. <http://home.arcor.de/skanthak/download/ITUNES.CMD> and
>      run these scripts.
>      Don't forget to rerun them after every update of QuickTime or
>      iTunes ... until Apple fixes their crapware!
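The static check Kanthak's post asks for (flag every shell "open" command whose program path contains spaces but is not quoted, and show which file names CreateProcess would try before the intended program) can be written as a small audit script. The following is an added example, not Kanthak's SLOPPY.CMD and not anything shipped by Apple or Microsoft. It models the whitespace-splitting and ".exe"-appending rule exactly as the MSDN excerpt quoted above describes it; the list of executable extensions used to recognise the intended program and the "ProgID=command" sample lines are assumptions constructed for the example.

```python
"""Audit shell 'open' command lines for unquoted program paths with spaces.

Models the CreateProcess name-resolution rule quoted in the post: for an
unquoted command line every space is a possible end of the module name,
candidates are tried left to right, and '.exe' is appended to a candidate
that has no extension. Added example; not the post's own tooling.
"""
from typing import List, Optional, Tuple

# Assumed set of extensions that mark the end of the intended program.
EXE_EXTS = (".exe", ".com", ".bat", ".cmd")

# Constructed sample in the "ProgID=command" form used in the post. The first
# two lines are the vulnerable QuickTime form; the last two are made-up
# entries (one correctly quoted, one with no space in the path) for contrast.
SAMPLE_ASSOCIATIONS = r"""
QuickTime.mov=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.mp4=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
Example.txt="C:\Program Files\Example Editor\editor.exe" "%1"
Example.log=C:\Tools\viewer.exe "%1"
"""


def createprocess_candidates(cmd: str) -> List[str]:
    """Enumerate, in order, the module paths CreateProcess would try for an
    UNQUOTED command line: every prefix ending at a space, with '.exe'
    appended when the prefix's last path component has no extension."""
    tokens = cmd.strip().split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        tail = cand.rsplit("\\", 1)[-1]
        if "." not in tail:
            cand += ".exe"
        candidates.append(cand)
    return candidates


def hijack_paths(cmd: str) -> Tuple[Optional[str], List[str]]:
    """Return (intended_program, paths tried before it).

    A quoted program path is unambiguous, so nothing precedes it. For an
    unquoted path the intended program is the shortest prefix whose last
    token ends in a known executable extension; every candidate before it
    is a location where a planted file would be run instead."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        program = cmd[1:end] if end > 0 else cmd[1:]
        return program, []
    tokens = cmd.split(" ")
    candidates = createprocess_candidates(cmd)
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXTS):
            return " ".join(tokens[:i + 1]), candidates[:i]
    # No recognisable executable at all: every candidate is suspect.
    return None, candidates


def audit(text: str) -> List[Tuple[str, Optional[str], List[str]]]:
    """Parse 'ProgID=command' lines and return one finding per entry whose
    program path can be pre-empted by a file placed earlier in the path."""
    findings = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        progid, _, cmd = line.partition("=")
        intended, hijack = hijack_paths(cmd)
        if hijack:
            findings.append((progid, intended, hijack))
    return findings


if __name__ == "__main__":
    for progid, intended, hijack in audit(SAMPLE_ASSOCIATIONS):
        print(f"{progid}: {intended!r} is unquoted; tried before it: {hijack}")
```

On a real system the input lines would come from the `shell\open\command` default values under `HKEY_CLASSES_ROOT\<ProgID>`; the fix is the one the MSDN text prescribes, wrapping the program path in double quotes so that `createprocess_candidates` is never consulted at all.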

