Message-ID: <316143B086AA4687A81CA8570F3EDB4E@H270>
Date: Tue, 24 Sep 2024 22:11:57 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Subject: [FD] Defense in depth -- the Microsoft way (part 88): a SINGLE command line shows about 20,000 instances of CWE-73

Hi @ll,

<https://cwe.mitre.org/data/definitions/73.html>
CWE-73: External Control of File Name or Path
is a well-known and well-documented weakness.

<https://seclists.org/fulldisclosure/2020/Mar/48> as well as
<https://skanthak.homepage.t-online.de/offender.html> demonstrate how to
(ab)use just one instance of this weakness (introduced about 7 years ago
with Microsoft Defender, so-called "security software") due to an
environment variable in the (registered) path name of an executable file
to gain execution of arbitrary code.

But that's of course not the only instance of this VERY EASY to exploit
weakness present in ALL versions of Windows for more than 30 (in words:
THIRTY) years -- start a command processor and run the following command
line to show about 20,000 instances of path names registered with
(user-controlled) environment variables:

    REG.exe QUERY HKEY_LOCAL_MACHINE /C /D /F "%*%\\" /S

stay tuned, and far away from the vulnerable crap made in Redmond
Stefan Kanthak

PS: just yesterday, Microsoft dared to publish
    <https://www.microsoft.com/en-us/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/>,
    bragging "we've dedicated the equivalent of 34,000 full-time engineers
    to SFI, making it the largest cybersecurity engineering effort in history".
    What about dedicating the equivalent of just ONE full-time employee to
    every instance of just ONE of Windows' weaknesses?
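The following PowerShell audit script is an added example, not part of Stefan Kanthak's post: it walks a registry subtree and lists every string value that embeds a %VARIABLE% reference, reading REG_EXPAND_SZ data unexpanded so the reference is actually visible, and marks whether the variable is defined in the machine-wide environment (assumed here to be a useful triage signal; the root key, the machine-wide list and the function name are the example's own choices).

```powershell
# Added audit example (not from the original post). Assumptions: Windows PowerShell 5.1
# or PowerShell 7, read access to the keys walked, and that "defined machine-wide" means
# present under Session Manager\Environment (a triage heuristic, not a security boundary:
# a caller's process environment can still override any variable it expands itself).

function Find-EnvVarPaths {
    param(
        # Registry root to walk, e.g. 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
        [Parameter(Mandatory)] [string] $Root
    )
    $machineEnv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $systemVars = (Get-Item $machineEnv).GetValueNames() | ForEach-Object { $_.ToUpperInvariant() }

    # One %NAME% token; backslashes and slashes are excluded so "%\" artifacts don't match.
    $pattern = '%([^%\\/]+)%'

    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            if ($kind -notin 'String', 'ExpandString', 'MultiString') { continue }

            # DoNotExpandEnvironmentNames is essential: by default REG_EXPAND_SZ data is
            # returned already expanded and the %VAR% reference disappears from view.
            $raw = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

            foreach ($m in [regex]::Matches([string]$raw, $pattern)) {
                $var = $m.Groups[1].Value
                [pscustomobject]@{
                    Key                = $key.Name
                    ValueName          = $name
                    Kind               = $kind
                    Variable           = $var
                    DefinedMachineWide = ($systemVars -contains $var.ToUpperInvariant())
                    RawData            = [string]$raw
                }
            }
        }
    }
}

# Example usage: surface references to variables that no machine-wide definition backs,
# which is where a review of the registering component should start.
Find-EnvVarPaths -Root 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' |
    Where-Object { -not $_.DefinedMachineWide } |
    Sort-Object Variable, Key |
    Format-Table Variable, ValueName, Key -AutoSize
```

Walking all of HKLM, as the REG.exe query in the post does, takes a while; narrowing $Root to App Paths, Run keys or Services\*\ImagePath gives a quicker first pass.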
