[<prev] [next>] [day] [month] [year] [list]
Message-ID: <316143B086AA4687A81CA8570F3EDB4E@H270>
Date: Tue, 24 Sep 2024 22:11:57 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Subject: [FD] Defense in depth -- the Microsoft way (part 88): a SINGLE
command line shows about 20, 000 instances of CWE-73
Hi @ll,
<https://cwe.mitre.org/data/definitions/73.html>
CWE-73: External Control of File Name or Path
is a well-known and well-documented weakness.
<https://seclists.org/fulldisclosure/2020/Mar/48> as well as
<https://skanthak.homepage.t-online.de/offender.html> demonstrate how to
(ab)use just one instance of this weakness (introduced about 7 years ago
with Microsoft Defender, so-called "security software") due to an
environment variable in the (registered) path name of an executable file
to gain execution of arbitrary code.
But that's of course not the only instance of this VERY EASY to exploit
weakness present in ALL versions of Windows since more than 30 (in words:
THIRTY) years -- start a command processor and run the following command
line to show about 20,000 instances of path names registered with (user-
controlled) environment variables:
REG.exe QUERY HKEY_LOCAL_MACHINE /C /D /F "%*%\\" /S
stay tuned, and far away from the vulnerable crap made in Redmond
Stefan Kanthak
PS: just yesterday, Microsoft dared to publish
<https://www.microsoft.com/en-us/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secur
e-future-initiative-sfi/>,
bragging "we've dedicated the equivalent of 34,000 full-time engineers
to SFI-making it the largest cybersecurity engineering effort in history"
What about dedicating the equivalent of just ONE full-time employee to
every instance of just ONE ow Windows weaknesses?
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists