Message-ID: <003901d0d351$43ca2f80$cb5e8e80$@googlemail.com>
Date: Mon, 10 Aug 2015 11:45:16 +0200
From: "Thomas D." <whistl0r@...il.com>
To: <fulldisclosure@...lists.org>
Subject: Re: [FD] Mozilla extensions: a security nightmare

Hi,

Mario Vilas wrote:
> %APPDATA% is within the user's home directory - by default it should not
> be writeable by other users. If this is the case then the problem is one of
> bad file permissions, not the location.

Correct.


> Incidentally, many other browsers and tons of software also store
> executable code in %APPDATA%.

OK, installing into %APPDATA% or %LOCALAPPDATA% will remove Windows' tampering protection.
I hope you are not arguing that, because nowadays many applications install into %APPDATA% or %LOCALAPPDATA%, they become "safe" because there are so many of them?!

Remember how the thing with %APPDATA% and %LOCALAPPDATA% started/became mainstream: there was a small search corp. who thought they needed to develop another browser. They had the users on their side, but getting market share would require them to be able to push the browser onto the user's desktop - also at work. So they started to install to %LOCALAPPDATA% by default... to get around a security mechanism.

Same with Dropbox and Co.: to get the required market share you need to be on the user's desktop. They make their money with business customers. But IT in corporations moves slowly. Convincing IT staff to use cloud storage (storing your important data on someone else's computer) isn't easy. But people will use anything that is free at home. If these people can install Dropbox on the corporate network, too... well, you know the game: if the critical mass is already using Dropbox (even without your consent), chances are high (if it is working for your team) that your IT department will get the order to buy it...
However, Dropbox is now moving from the user's profile back to %programfiles% starting with 3.6.x. As far as I know, the main reason for doing that is to support system-wide updates, which you cannot do when everyone has installed the software in his/her user profile (Chrome offers a system-wide installation, too), not security concerns. But if you ask them they won't deny that this hardens Dropbox for free.


Back to the Mozilla problem and this topic:
As said, you are right: only the current user can write to %APPDATA% or %LOCALAPPDATA% by default. But every application the user runs can do that. So, for example, if the attacker manages to send the victim a malicious document which replaces the DLLs Stefan mentioned, the attacker could steal the victim's Exchange/Gmail account credentials.

Yes, the attacker must find a way to get his "malware" onto the victim's computer, and the first of the immutable laws of security says

  "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore"

   (https://technet.microsoft.com/en-us/magazine/2008.10.securitywatch.aspx)

but that's not as theoretical as it may sound. Remember the recent Firefox flaw (https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/). Drive-by-download attacks are normal today, and if they succeed the attacker's code is running with user privileges and can modify files in %APPDATA% and %LOCALAPPDATA%... So using Windows as it was designed is more important than ever.


Regards,
Thomas



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
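The point of the message above is that anything a non-elevated process writes to %APPDATA% or %LOCALAPPDATA% is writable by every other process running as that user, whereas a %ProgramFiles% install needs elevation to tamper with. The following audit script is an added example (editor's code, not part of Thomas D.'s message, Mozilla's code or any project's own tooling): it enumerates DLL/EXE files under the current user's profile directories, reads each file's ACL and reports whether the current user or one of their groups holds write/delete rights, then runs the same check against a machine-wide install path for contrast. Assumptions: an ordinary (non-elevated) Windows session with Windows PowerShell 3 or later; the Firefox path under %ProgramFiles% is only a sample target and is skipped if absent; the ACE evaluation is a simplified approximation of the Windows access check (it ignores ACE ordering, inheritance flags, ownership and integrity levels) and is meant as a triage tool, not an authoritative access decision.

```powershell
# Added example: audit executable code stored in per-user profile directories.
# Not part of the original mailing-list post; all names below are the editor's.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# SIDs the current token carries: the user's own SID plus all group SIDs.
$tokenSids = @($identity.User) + @($identity.Groups)

function Test-UserCanWrite {
    param([Parameter(Mandatory)][string]$Path)
    # Approximates "can this token overwrite or delete the file?" by scanning
    # the DACL for Allow ACEs granting WriteData/Delete to a token SID.
    # An explicit Deny ACE for a token SID wins (simplification of the real
    # ordered ACE evaluation; see lead-in).
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch { continue }  # orphaned or untranslatable account: ignore
        if ($tokenSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-UserProfileBinaries {
    # Roots default to the two directories discussed in the thread.
    param([string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include *.dll, *.exe `
                      -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Product      = $_.VersionInfo.ProductName
                    Signed       = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                    UserCanWrite = Test-UserCanWrite -Path $_.FullName
                }
            }
    }
}

# --- Run the audit -----------------------------------------------------------
$report = @(Get-UserProfileBinaries)
$report | Sort-Object Path | Format-Table Path, Product, Signed, UserCanWrite -AutoSize

$writable = @($report | Where-Object UserCanWrite)
"{0} binaries under the user profile, {1} of them replaceable without elevation" -f
    $report.Count, $writable.Count

# Contrast: the same check against a machine-wide install location.
# Sample target only (editor's assumption); skipped if Firefox is not installed there.
$machineWide = Join-Path $env:ProgramFiles 'Mozilla Firefox\firefox.exe'
if (Test-Path -LiteralPath $machineWide) {
    "{0}: writable as current user = {1}" -f $machineWide, (Test-UserCanWrite -Path $machineWide)
}
```

Run it from an unelevated prompt; run elevated, the token carries the Administrators SID and the %ProgramFiles% line will also report writable, which is exactly the distinction the thread is about. Any profile-resident binary listed as writable and unsigned is a candidate for the kind of DLL replacement the message describes, and the same list is what a defender would want to baseline before looking for tampering.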