Message-ID: <F52768EBF8764975B8C1990145EC02C7@W340>
Date: Mon, 23 Jan 2017 23:28:35 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Ding Dong" <dingdongloop@...il.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

"Ding Dong" <dingdongloop@...il.com> wrote:

Please stop top posting and full quotes!

> Can you elaborate a bit on what special treatment Windows gives installers
> named setup.exe?

Run "NTSD.exe setup.exe" and see which DLLs Windows loads, and how
they are loaded.
Rename setup.exe to something.exe, run "NTSD.exe something.exe" and
compare the results.

JFTR: NTSD.exe was shipped with Windows NT5.x; in newer versions you
      have to install the debugging tools.

If you want to run without debugger: take a look at
<http://home.arcor.de/skanthak/verifier.html> alias
<https://skanthak.homepage.t-online.de/verifier.html>

JFTR: <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
      was referred to in <http://seclists.org/bugtraq/2016/Jan/105>

In short: setup.exe lets Windows load some app-compat shims.

stay tuned
Stefan

> On 21 January 2017 at 20:37, Stefan Kanthak <stefan.kanthak@...go.de> wrote:
>
>> Hi @ll,
>>
>> the executable installers of "Pelle's C",
>> <http://smorgasbordet.com/pellesc/800/setup64.exe> and,
>> <http://smorgasbordet.com/pellesc/800/setup.exe>, available
>> from <http://smorgasbordet.com/pellesc/index.htm>, are vulnerable
>> to DLL hijacking: they load (tested on Windows 7) at least the
>> following DLLs from their "application directory" instead of Windows'
>> "system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll,
>> RichEd20.dll and CryptBase.dll

[snip]

>> JFTR: there is ABSOLUTELY no need for executable installers on
>>       Windows! DUMP THIS CRAP!
>>
>> JFTR: naming a program "Setup.exe" is another beginner's error:
>>       Windows does some VERY special things when it encounters
>>       this filename!

[snip]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
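
The comparison described in the message above (module loads under the name setup.exe versus a renamed copy, and DLLs resolved from the application directory instead of the system directory) can be scripted over saved debugger output. This is an added example, not part of the original post: the "ModLoad:" line layout, the paths, the placeholder example_shim.dll and every sample line are constructed assumptions.

```python
import re
from ntpath import basename, dirname, normcase

# Assumed transcript format: "ModLoad: <start> <end>   <image path>".
# Every sample line below is constructed for illustration.
MODLOAD = re.compile(r"^ModLoad:\s+[0-9a-f`]+\s+[0-9a-f`]+\s+(.+?)\s*$",
                     re.I | re.M)
SYSTEM_DIR = r"C:\Windows\System32"  # assumption: default system directory

# Run 1: installer started under its original name (constructed sample).
SETUP_LOG = r"""
ModLoad: 00400000 00452000   C:\Users\test\Downloads\setup.exe
ModLoad: 77a40000 77bc0000   C:\Windows\System32\ntdll.dll
ModLoad: 75d90000 75ea0000   C:\Windows\System32\kernel32.dll
ModLoad: 6f2a0000 6f2ac000   C:\Windows\System32\example_shim.dll
ModLoad: 6e110000 6e119000   C:\Users\test\Downloads\Version.dll
ModLoad: 6d4c0000 6d500000   C:\Users\test\Downloads\UXTheme.dll
"""

# Run 2: the same file renamed to something.exe (constructed sample).
RENAMED_LOG = r"""
ModLoad: 00400000 00452000   C:\Users\test\Downloads\something.exe
ModLoad: 77a40000 77bc0000   C:\Windows\System32\ntdll.dll
ModLoad: 75d90000 75ea0000   C:\Windows\System32\kernel32.dll
ModLoad: 6e110000 6e119000   C:\Users\test\Downloads\Version.dll
ModLoad: 6d4c0000 6d500000   C:\Users\test\Downloads\UXTheme.dll
"""

def loaded_modules(log):
    """Map each lower-cased image name to the directory it was loaded from."""
    return {normcase(basename(p)): dirname(p) for p in MODLOAD.findall(log)}

def only_in_first(first, second):
    """Modules present in the first run only, ignoring the EXE itself."""
    return sorted(n for n in first
                  if n not in second and not n.endswith(".exe"))

def outside_system_dir(modules):
    """DLLs that were resolved from anywhere but the system directory."""
    return sorted(n for n, d in modules.items()
                  if n.endswith(".dll") and normcase(d) != normcase(SYSTEM_DIR))

if __name__ == "__main__":
    as_setup = loaded_modules(SETUP_LOG)
    renamed = loaded_modules(RENAMED_LOG)
    print("only under the setup.exe name:", only_in_first(as_setup, renamed))
    print("not from the system directory:", outside_system_dir(as_setup))
```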