lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CC6B81F6FC0B49E4895248CB26FFAFEE@W340>
Date: Wed, 31 Dec 2014 00:38:56 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 26): "Set Program
	Access and Computer Defaults" hides applications like Outlook

Hi @ll,

in order to prevent the possible execution of a rogue program like
"C:\Program.exe" or "C:\Program Files\Microsoft.exe", on x64 also
"C:\Program Files.exe" or "C:\Program Files (x86)\Microsoft.exe",
due to the beginner's error of using unquoted pathnames containing
spaces (see <https://cwe.mitre.org/data/definitions/428.html>),
Windows' [*] "Set Program Access and Computer Defaults" (SPAD, see
<http://msdn.microsoft.com/library/cc144162.aspx>) hides programs
that are registered with such erroneous and vulnerable command lines.

For example Microsoft Outlook 2007, Microsoft Outlook 2010 as well as
Microsoft Outlook 2013.


If you have one of these versions of Microsoft Outlook installed but
can't configure it with SPAD, export its registry entries with the
erroneous and vulnerable command lines into a file OUTLOOK.REG:

REGEDIT.EXE /A OUTLOOK.REG "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo"


The file OUTLOOK.REG will look like this (the wildcard ? varies with
your version of Outlook):

--- OUTLOOK.REG ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo]
"IconsVisible"=dword:00000001
"HideIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadhideicons"
"ShowIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadshowicons"
"ReinstallCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadreinstall"

--- EOF ---


Open the file with your favorite editor and insert the string \"
before and after (the 3 occurences of) the pathname
C:\\Program Files\\Microsoft Office\\OFFICE1#\\OUTLOOK.EXE

The corrected file should look like this:

--- OUTLOOK.REG ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo]
"IconsVisible"=dword:00000001
"HideIconsCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadhideicons"
"ShowIconsCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadshowicons"
"ReinstallCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadreinstall"

--- EOF ---


Save your changes and import the file into the registry:

REGEDIT.EXE /S OUTLOOK.REG


Start SPAD again and find "Microsoft Office Outlook" now displayed as
mail program.


enjoy
Stefan Kanthak


[*] at least Windows 7, but I assume this behaviour was introcuded
    with Windows Vista; in earlier versions of Windows SPAD but
    displays applications with erroneous and vulnerable command lines
    and runs rogue programs!

PS: will MSFT ever afford a QA that can find such bloody trivial
    beginner's errors?

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ