lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <C29038BBA83844FBA41EFCC33D2B4D83@W340>
Date: Tue, 21 Mar 2017 16:39:37 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 46): no checks for
	common path handling errors in "Application Verifier"

Hi @ll,

according to <https://msdn.microsoft.com/en-us/library/aa480483.aspx>
Microsoft's "Application Verifier" [°] should detect the well-known
beginner's error <https://cwe.mitre.org/data/definitions/428.html>:

| Checking for Proper Use of CreateProcess
|
| Calls to the CreateProcess API function are subject to attack if
| parameters are not specified correctly. AppVerifier generates an
| error if CreateProcess (or other related API functions) are called
| with a NULL lpApplicationName parameter and an lpCommandLine
| parameter that contains spaces. For example, it does not allow the
| following as the command line parameter:
|
|    c:\program files\sample.exe -t -g c:\program files\sample\test
|
| Using this command line, an application can inadvertently execute
| unwanted code if a malicious user installs his program to C:\Program.

Unfortunately the MSDN article cited above tells a blatant lie:
Application Verifier does NOT perform the check described there!

The sad truth^Wreality is that Application Verifier also performs
NO check for other way too common path handling errors, like
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>, well-known as
"DLL hijacking" alias "DLL preloading" alias "binary planting" ['].


See <https://skanthak.homepage.t-online.de/verifier.html> for an
"Application Verifier Provider" which performs the missing checks.


stay tuned
Stefan Kanthak


[°] introduced with Windows XP some 16 years ago, available via
    <https://www.microsoft.com/en-us/download/details.aspx?id=20028>
    as stand-alone package then, later distributed with the
    "Debugging Tools for Windows", now included in the Windows SDK
    (see <https://msdn.microsoft.com/en-us/library/ff538115.aspx>)

['] see <https://skanthak.homepage.t-online.de/sentinel.html> for
    the full story.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists