Date: Sat, 28 Mar 2020 01:07:04 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Defense in depth -- the Microsoft way (part 66): attachment manager allows to load arbitrary DLLs

Hi @ll,

this is the continuation of the previous posts
<> and

(Un)fortunately the IOfficeAntiVirus interface (see
has at least another weakness which also allows (unprivileged users) to
load arbitrary DLLs into web browsers, mail/news clients, instant
messengers, file explorer and every other program which calls this COM

With Windows 2000, Microsoft introduced the "merged view" of the
[HKEY_CLASSES_ROOT] virtual registry tree: see

"Thanks" to this feature, COM categories/classes/interfaces registered
by (unprivileged) users below [HKEY_CURRENT_USER\Software\Classes]
obscure the corresponding COM categories/classes/interfaces registered
(by administrators) below [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]


On a 32-bit installation of Windows XP SP2 or any newer version of
Windows perform the following steps (adaptation for 64-bit installations
is left as an exercise for the reader):

1. Log on to an arbitrary (unprivileged) user account.

2. Download <>
   and save it in an arbitrary directory.

3. Create a text file SENTINEL.REG with the following contents:


@="Vulnerability and Exploit Detector"


@="<path>\\SENTINEL.DLL" ; replace <path> with the directory used in step 2. 

; NOTE: the following entries are optional!




@="{00000000-0000-0000-C000-000000000046}" ; IUnknown

--- EOF ---

4. Double-click the file SENTINEL.REG to merge it into the user's

5. Download an arbitrary file with your web browser, for example
   or save an attachment in your mail client, and notice the
   message boxes displayed from the sentinels.

NOTE: the batch script
      performs all these steps on 32-bit and 64-bit installations
      of Windows XP and newer versions of Windows.


Use AppLocker or SAFER alias Software Restriction Policies: see

stay tuned, and NEVER use Windows without SAFER or AppLocker
Stefan Kanthak
