Message-ID: <C29038BBA83844FBA41EFCC33D2B4D83@W340>
Date: Tue, 21 Mar 2017 16:39:37 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 46): no checks for common path handling errors in "Application Verifier"

Hi @ll,

according to <https://msdn.microsoft.com/en-us/library/aa480483.aspx>
Microsoft's "Application Verifier" [°] should detect the well-known
beginner's error <https://cwe.mitre.org/data/definitions/428.html>:

| Checking for Proper Use of CreateProcess
|
| Calls to the CreateProcess API function are subject to attack if
| parameters are not specified correctly. AppVerifier generates an
| error if CreateProcess (or other related API functions) are called
| with a NULL lpApplicationName parameter and an lpCommandLine
| parameter that contains spaces. For example, it does not allow the
| following as the command line parameter:
|
| c:\program files\sample.exe -t -g c:\program files\sample\test
|
| Using this command line, an application can inadvertently execute
| unwanted code if a malicious user installs his program to C:\Program.

Unfortunately the MSDN article cited above tells a blatant lie:
Application Verifier does NOT perform the check described there!

The sad truth^Wreality is that Application Verifier also performs NO
check for other way too common path handling errors, like
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>, well-known as
"DLL hijacking" alias "DLL preloading" alias "binary planting" ['].

See <https://skanthak.homepage.t-online.de/verifier.html> for an
"Application Verifier Provider" which performs the missing checks.
stay tuned
Stefan Kanthak

[°] introduced with Windows XP some 16 years ago, available via
    <https://www.microsoft.com/en-us/download/details.aspx?id=20028>
    as stand-alone package then, later distributed with the "Debugging
    Tools for Windows", now included in the Windows SDK (see
    <https://msdn.microsoft.com/en-us/library/ff538115.aspx>)

['] see <https://skanthak.homepage.t-online.de/sentinel.html> for the
    full story.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
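The CreateProcess check that the quoted MSDN text describes, written out as an added example; this is not code from Stefan Kanthak's post or from his verifier provider. It models the lookup a NULL lpApplicationName triggers for an unquoted lpCommandLine (the rules, space-delimited prefixes tried in order with ".exe" appended when a prefix has no extension, are an assumption taken from the CreateProcess documentation) and counts how many planted executables would be tried before the intended one, which is what a verifier hook would flag.

```c
#include <ctype.h>
#include <string.h>
#define MAX_CAND 8
#define PATH_LEN 260

/* True when s ends in ".exe" (case-insensitive). */
static int ends_with_exe(const char *s)
{
    size_t n = strlen(s);
    return n >= 4 && s[n - 4] == '.' && tolower((unsigned char)s[n - 3]) == 'e' &&
           tolower((unsigned char)s[n - 2]) == 'x' && tolower((unsigned char)s[n - 1]) == 'e';
}

/* Model (assumed from the CreateProcess documentation) of the lookup for a
 * NULL lpApplicationName and an unquoted lpCommandLine: every space-delimited
 * prefix is a candidate, ".exe" is appended when the prefix's last path
 * component has no extension, and the search ends at the first prefix that
 * already ends in ".exe".  Returns the number of candidates written to cand[];
 * 0 means the module name is quoted and therefore unambiguous. */
int createprocess_candidates(const char *cmdline, char cand[][PATH_LEN], int max)
{
    int n = 0;
    size_t len = cmdline ? strlen(cmdline) : 0;
    if (len == 0 || cmdline[0] == '"')
        return 0;
    for (size_t i = 1; i <= len && n < max && i + 5 <= PATH_LEN; i++) {
        char *c, *last;
        if (i < len && cmdline[i] != ' ')
            continue;                       /* not at a token boundary yet */
        c = cand[n++];
        memcpy(c, cmdline, i);
        c[i] = '\0';
        if (ends_with_exe(c))
            return n;                       /* reached the intended executable */
        last = strrchr(c, '\\');
        last = last ? last + 1 : c;
        if (strchr(last, '.') == NULL)
            strcat(c, ".exe");              /* no extension: .exe is appended */
    }
    return n;
}

/* Planted executables that would run before the last candidate; 0 means the
 * command line passes the check the MSDN text above describes. */
int hijackable_prefixes(const char *cmdline)
{
    char cand[MAX_CAND][PATH_LEN];
    int n = createprocess_candidates(cmdline, cand, MAX_CAND);
    return n > 0 ? n - 1 : 0;
}
```

For the MSDN sample command line this reports one hijackable prefix (c:\program.exe); quoting the module name reduces the count to 0.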