lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <56E05D8D.1080006@securify.nl>
Date: Wed, 9 Mar 2016 18:29:49 +0100
From: "Securify B.V." <lists@...urify.nl>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Windows Mail Find People DLL side loading vulnerability

Hi Stefan,

See below.


On 09-03-16 12:48, Stefan Kanthak wrote:
> "Securify B.V." wrote:
>
>> ------------------------------------------------------------------------
>> Windows Mail Find People DLL side loading vulnerability
>> ------------------------------------------------------------------------
>> Yorick Koster, September 2015
> This vulnerability demonstrates Microsoft's terrible SLOPPY coding
> horror^Wpractice: it needs two mistakes to create this kind of bug!
>
> "%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
> a resource DLL, which means that it contains no code, but only
> (localized) resources, and SHOULD (better: MUST) be loaded via
>      LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> to avoid the call of its DllMain() startup code!
> See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
>
> JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!
>
> Either
>      LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
> or
>      LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> were sufficient to avoid this vulnerability.
>
>> ------------------------------------------------------------------------
>> Fix
>> ------------------------------------------------------------------------
>> Microsoft released MS16-025 that fixes this vulnerability.
> Have you checked how Microsoft fixed it?
> Did they exercise all due diligence now, practised defense in depth
> and replaced the call to
>      LoadLibrary("wab32res.dll")
> with a call to
>      LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?

They still use LoadLibrary() to load wab32res.dll. Previously, the 
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended 
wab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLpath using PathRemoveFileSpec(). By 
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll, 
PathRemoveFileSpec() removes wab32.dll from the path. They also call 
ExpandEnvironmentStrings(), but that was also the case previously.

With kind regards,

Yorick

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ