lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <499E2A9B920A447883E5C3E6D1D8E66F@W340>
Date: Wed, 9 Mar 2016 12:48:03 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <lists@...urify.nl>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Windows Mail Find People DLL side loading vulnerability

"Securify B.V." wrote:

> ------------------------------------------------------------------------
> Windows Mail Find People DLL side loading vulnerability
> ------------------------------------------------------------------------
> Yorick Koster, September 2015

[...]

> - CVE-2016-0100
> - MS16-025: Security Update for Windows Library Loading to Address
> Remote Code Execution (3140709)
> 
> ------------------------------------------------------------------------
> Tested versions
> ------------------------------------------------------------------------
> This issue was successfully verified on Windows Vista + Office 2010
> 32-bit.

This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via
    LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
to avoid the call of its DllMain() startup code!
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>

JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!

Either
    LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
or
    LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
were sufficient to avoid this vulnerability.

> ------------------------------------------------------------------------
> Fix
> ------------------------------------------------------------------------
> Microsoft released MS16-025 that fixes this vulnerability.

Have you checked how Microsoft fixed it?
Did they exercise all due diligence now, practised defense in depth
and replaced the call to
    LoadLibrary("wab32res.dll")
with a call to
    LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?

> ------------------------------------------------------------------------
> Details
> ------------------------------------------------------------------------
> https://www.securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html


regards
Stefan

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ