| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Mar 2017 16:39:37 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 46): no checks for
common path handling errors in "Application Verifier"
Hi @ll,
according to <https://msdn.microsoft.com/en-us/library/aa480483.aspx>
Microsoft's "Application Verifier" [°] should detect the well-known
beginner's error <https://cwe.mitre.org/data/definitions/428.html>:
| Checking for Proper Use of CreateProcess
|
| Calls to the CreateProcess API function are subject to attack if
| parameters are not specified correctly. AppVerifier generates an
| error if CreateProcess (or other related API functions) are called
| with a NULL lpApplicationName parameter and an lpCommandLine
| parameter that contains spaces. For example, it does not allow the
| following as the command line parameter:
|
| c:\program files\sample.exe -t -g c:\program files\sample\test
|
| Using this command line, an application can inadvertently execute
| unwanted code if a malicious user installs his program to C:\Program.
Unfortunately the MSDN article cited above tells a blatant lie:
Application Verifier does NOT perform the check described there!
The sad truth^Wreality is that Application Verifier also performs
NO check for other way too common path handling errors, like
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>, well-known as
"DLL hijacking" alias "DLL preloading" alias "binary planting" ['].
See <https://skanthak.homepage.t-online.de/verifier.html> for an
"Application Verifier Provider" which performs the missing checks.
stay tuned
Stefan Kanthak
[°] introduced with Windows XP some 16 years ago, available via
<https://www.microsoft.com/en-us/download/details.aspx?id=20028>
as stand-alone package then, later distributed with the
"Debugging Tools for Windows", now included in the Windows SDK
(see <https://msdn.microsoft.com/en-us/library/ff538115.aspx>)
['] see <https://skanthak.homepage.t-online.de/sentinel.html> for
the full story.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists