Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-12 Thread Stefan Kanthak
Dan Kaminsky wrote: Eric Rescorla wrote: At Fri, 8 Aug 2008 17:31:15 +0100, Dave Korn wrote: Eric Rescorla wrote on 08 August 2008 16:06: At Fri, 8 Aug 2008 11:50:59 +0100, Ben Laurie wrote: However, since the CRLs will almost certainly not be checked, this means the

Re: Firewire Attack on Windows Vista

2008-03-10 Thread Stefan Kanthak
Larry Seltzer wrote: I actually do have a response from Microsoft on the broader issue, but it doesn't address these issues or even concede that there's necessarily anything they can do about it. They instead speak of the same precautions for physical access that they spoke of a couple weeks

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Stefan Kanthak
, but are not foolproof. Stefan Kanthak

Re: Firewire Attack on Windows Vista

2008-03-13 Thread Stefan Kanthak
Steve Shockley wrote: Stefan Kanthak wrote: 2. The typical user authentication won't help, we're at hardware level here, and no OS needs to be involved. So, if I understand you correctly, if I boot my machine into DOS the memory can be read over Firewire? If DMA is enabled

Windows binary of GSview 4.8 contain vulnerable zlib (CAN-2005-2096)

2007-10-18 Thread Stefan Kanthak
Stefan Kanthak

Softwin's anti-virus BitDefender contains vulnerable zlib (CA-2007-07)

2007-10-18 Thread Stefan Kanthak
/ that is vulnerable to CA-2007-07 http://www.zlib.net/advisory-2002-03-11.txt. The zlib.dll included in the versions 7.2, 8.0 and the current 10.0 of their products is dated 1998-07-12 and shows the version 1.1.3. Stefan Kanthak

Official Windows binaries of curl contain vulnerable zlib 1.2.2 (CAN-2005-2096)

2007-10-18 Thread Stefan Kanthak
CAN-2005-2096.db | CURL.EXE: CAN-2005-2096.zlib-1.2.2 FOUND | | --- SCAN SUMMARY --- | Known viruses: 16 | Engine version: 0.91.2 | Scanned directories: 1 | Scanned files: 1 Stefan Kanthak

Re: Windows binary of GSview 4.8 contain vulnerable zlib (CAN-2005-2096)

2007-10-22 Thread Stefan Kanthak
. Stefan Kanthak BTW: your reply is missing a References: (or In-Reply-To:) header!

Windows binary of Virtual Floppy Drive 2.1 contains vulnerable zlib (CAN-2005-2096)

2007-10-29 Thread Stefan Kanthak
| Engine version: 0.91.2 | Scanned directories: 1 | Scanned files: 1 The author and maintainer has been contacted twice via mail in the last four weeks but chose not to respond at all. Stefan Kanthak

Re: Windows binary of GSview 4.8 contain vulnerable zlib (CAN-2005-2096)

2007-10-29 Thread Stefan Kanthak
I wrote Sunday, October 21, 2007 2:18 PM: Anonymous [EMAIL PROTECTED] wrote Saturday, October 20, 2007 11:55 AM: As a workaround, one could try to manually replace zlib32.dll in a Windows GSView 4.8 installation with the current zlib1.dll version 1.2.3. [...] Unfortunately the maintainer

Re: Windows binary of GSview 4.8 contain vulnerable zlib (CAN-2005-2096) and vulnerable bz2lib (CAN-2005-0758 CAN-2005-0953)

2007-12-10 Thread Stefan Kanthak
only until now. The zlib32.dll distributed in the installation is now the official zlib1.dll from zlib.net; due to a lack of an official libbz2.dll this one is provided by the maintainer. Stefan Kanthak

Windows Update (re-)installs outdated Flash ActiveX on Windows XP

2009-04-20 Thread Stefan Kanthak
-)sets the ACLs it overwrites the registry entries of the newer/recent Flash Player ActiveX. DAMAGE DONE! I informed Microsoft in the last two years several times about this problem and discussed it with various members of their Microsoft Security Response Center, but the problem persists. Stefan

Vulnerable DLLs distributed with Terratec HomeCinema 6.3

2009-07-16 Thread Stefan Kanthak
pthreadVC2.dll is installed as %CommonProgramFiles%\TerraTec\Cyberlink\Decoder\pthreadVC2.dll Stefan Kanthak PS: Tools like Secunia's PSI don't detect such outdated and vulnerable DLLs. Admin beware! TIMELINE: 2009-06-16 phone call with Terratec's hotline - they were unable

Vulnerable MSVC++ runtime distributed with OpenOffice.org 3.1.1 for Windows

2009-08-31 Thread Stefan Kanthak
Update. If not, all users of OpenOffice.org (as well as other poorly crafted software which distributes outdated 3rd-party DLLs) are put at risk! Stefan Kanthak

Windows packages for BIND9 contain vulnerable MSVC runtime components

2009-11-30 Thread Stefan Kanthak
runtime DLLs. See http://support.microsoft.com/kb/973544 and http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx Stefan Kanthak

Latest Intel Pro/10* ethernet adaptor drivers contain vulnerable MSVC runtime!

2010-01-04 Thread Stefan Kanthak
/973552 and http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx Stefan Kanthak

Re: Samba Remote Zero-Day Exploit

2010-02-08 Thread Stefan Kanthak
Dan Kaminsky wrote: [...] (On a side note, you're not going to see this sort of symlink stuff on Windows, What exactly do you mean? Traversing symlinks on the server/share, or creation of wide symlinks by the client on the server/share? Since Windows 2000 NTFS supports junctions, which

Re: Samba Remote Zero-Day Exploit

2010-02-08 Thread Stefan Kanthak
Dan Kaminsky wrote on February 06, 2010 6:43 PM: You need admin rights to create junctions. OUCH! No, creating junctions (as well as the Vista introduced symlinks) DOESN'T need admin rights! [snip] Stefan

Re: Samba Remote Zero-Day Exploit

2010-02-09 Thread Stefan Kanthak
Michael Wojcik wrote: From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] Sent: Saturday, 06 February, 2010 08:21 Dan Kaminsky wrote: [...] (On a side note, you're not going to see this sort of symlink stuff on Windows, What exactly do you mean? Traversing symlinks

Nuance OmniPage 16 Professional installs multiple vulnerable Microsoft runtime libraries

2010-06-28 Thread Stefan Kanthak
security of customer systems at Nuance? Stefan Kanthak

Re: Binary Planting Goes EXE

2010-09-10 Thread Stefan Kanthak
to properly quote command lines, and their QA seems sound asleep! Stefan Kanthak

Vulnerable 3rd-party DLLs used in TrendMicro's malware scanner HouseCall

2010-09-20 Thread Stefan Kanthak
1.0.2 gets downloaded upon start, updated 3 times since then due to vulnerabilities; see http://www.bzip.org/downloads.html Users who downloaded this security product before 2010-09-07 should get a new copy ASAP! Stefan Kanthak Timeline: 2010-07-08: informed vendor support

Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Stefan Kanthak
StenoPlasma @ www.ExploitDevelopment.com wrote: Much ado about nothing! TITLE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts There is NO privilege escalation. A local administrator is an

Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Stefan Kanthak
George Carlson gcarl...@vccs.edu wrote: Your objections are mostly true in a normal sense. And in abnormal sense? However, it is not true when Group Policy is taken into account. Group Policies need an AD. Cached credentials are only used locally, for domain accounts, when the computer can't

Re: Flaw in Microsoft Domain AccountCachingAllows Local Workstation Admins to TemporarilyEscalatePrivileges and Login as Cached Domain Admin Accounts(2010-M$-002)

2010-12-15 Thread Stefan Kanthak
StenoPlasma @ ExploitDevelopment stenopla...@exploitdevelopment.com wrote: Your MUA is defective, it strips the References: header! Stefan, For your information: Cached domain accounts on a local system are not stored in the SAM. They are stored in the SECURITY registry hive. When a

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-15 Thread Stefan Kanthak
Andrea Lee and...@kattrap.net wrote: I hope I'm not just feeding the troll... No. You just made a complete fool of yourself. :-P Read the initial post again. CAREFULLY. Especially that part about unplugging from the network. A local admin is an admin on one system. The domain admin is an admin

Vulnerable and completely outdated 3rd party ZIP code in FastStone image viewer

2011-05-16 Thread Stefan Kanthak
all versions of ZIP prior to 2.31 (November 2004) and UnZIP prior to 5.52 (February/March 2005) are vulnerable. Vendor was informed via http://www.faststone.org/contactUs.htm, but did not respond at all! Stefan Kanthak PS: Tools like Secunia's PSI don't detect such outdated and vulnerable

Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries

2011-06-17 Thread Stefan Kanthak
at all! 2011-06-17 vulnerability report published Stefan Kanthak

Perfect PDF products distributed with vulnerable MSVC++ libraries

2011-06-20 Thread Stefan Kanthak
(no reply) 2011-06-19 vulnerability report published Stefan Kanthak

Re: Perfect PDF products distributed with vulnerable MSVC++ libraries

2011-06-23 Thread Stefan Kanthak
Brad Hards br...@frogmouth.net wrote: On Sunday 19 June 2011 11:37:33 Stefan Kanthak wrote: soft Xpansion www.soft-xpansion.com distributes their (freeware) products Perfect PDF 7 Master and Perfect PDF 7 Reader (the current files are dated 2011-05-10) with OUTDATED and VULNERABLE Visual C

%windir%\temp\sso\ssoexec.dll (or: how trustworthy is Microsoft's build process)

2012-03-05 Thread Stefan Kanthak
and https://encrypted.google.com/search?num=100safe=offq=%22ssoexec%22+OR+%22ssoreset%22 only find hits that show problems with malware 2012-03-04 no more answer from vendor, report published Stefan Kanthak

ICACLS.EXE ignores and destroys SE_DACL_PROTECTED/SE_SACL_PROTECTED

2012-05-15 Thread Stefan Kanthak
--- Vendor was informed and has acknowledged the bug, but will neither issue an immediate fix nor even a warning note stating the bug. regards Stefan Kanthak [0] http://support.microsoft.com/kb/919240 [1] http://support.microsoft.com/kb/943043 [2] http://support.microsoft.com/kb/944820 [3] http

[Win32-API] SetNamedSecurityInfo() IGNORES and DESTROYS protected DACLs/SACLs

2012-06-19 Thread Stefan Kanthak
additional inherited access rights. regards Stefan Kanthak

OpenLimit Reader for Windows contains completely outdated, superfluous and VULNERABLE system components

2012-06-26 Thread Stefan Kanthak
Stefan Kanthak Timeline: 2012-05-19 vendor informed ... no reaction until 2012-06-25 report published

Vulnerable Microsoft VC++ 2005 runtime libraries in Microsoft Live Meeting 2007 Client installed in private location

2012-07-04 Thread Stefan Kanthak
:\Program Files\Suite Name | | For your support files shared only within the suite: | | C:\Program Files\Suite Name\System but create a mess instead and place numerous copies of these (and some more) libraries in various different locations! Stefan Kanthak Timeline: 2012-03-16 problem reported

How well does Microsoft support (and follow) their mantra keep your PC updated?

2012-08-10 Thread Stefan Kanthak
offer the necessary update MS11-025, since Windows Update Agent doesn't detect the improperly installed MSVCRT! Stefan Kanthak [1] Application Error Reporting alias Windows Error Reporting SQL Server 2005 and several subcomponents SQL Server 2008 and several subcomponents SQL

[Full-disclosure] Dell Data Protection | Access for Windows contains and installs outdated, superfluous and vulnerable system components and 3rd party components/drivers

2012-09-25 Thread Stefan Kanthak
bit of serious software engineering and due diligence in your development, build and production processes? It's a stupid idea to build security software from vulnerable components! Stefan Kanthak Timeline 2012-08-24 informed vendor support 2012-09-24 no reaction/reply from

Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by Ogg DirectShow filters

2012-10-04 Thread Stefan Kanthak
informed maintainer about problems still not fixed 2011-01-12 maintainer released current version 0.85.1 2012-03-08 asked maintainer for a fix for the vulnerable MSVCRT 2012-03-09 maintainer replied planning update before easter 2012-10-03 report published Stefan Kanthak

Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by eM client

2012-11-05 Thread Stefan Kanthak
2012-11-02 report published Stefan Kanthak

Vulnerable, superfluous/outdated/deprecated/superseded 3rd party OCXs and DLLs distributed by and installed with Dataram RamDisk 4.0.0

2012-11-06 Thread Stefan Kanthak
! Stefan Kanthak

Mozilla Firefox and Microsoft Internet Explorer stall when using workaround from MS06-020 or MS06-069

2013-01-21 Thread Stefan Kanthak
of the flash player plugin/activex control wrong! Tested with MSIE6 to MSIE9 on Windows XP to Windows 7, and Mozilla Firefox 1x.x on Windows XP and Windows 7. Stefan Kanthak PS: Opera doesn't show this error!

Vulnerability in Microsoft Security Essentials v4.2

2013-05-06 Thread Stefan Kanthak
. This command may be called by Windows Update Agent or deployment agents running under the LocalSystem account. Timeline: ~ 2012-12-05 vendor informed 2013-12-06 vendor acknowledged report 2013-02-13 vendor released fixed version Stefan Kanthak

VULNERABLE and COMPLETELY outdated 3rd-party libraries/components used in 3CX Phone 6

2013-05-06 Thread Stefan Kanthak
: ~ 2013-05-03 vendor informed 2013-05-05 vendor replied: 3CX Phone is freeware, use another software I second that: don't use software from 3CX! 2013-05-06 report published Stefan Kanthak

Vulnerability in Fujitsu Desktop Update (for Windows)

2013-05-09 Thread Stefan Kanthak
\\DeskUpdate.exe The last entry is a pathname with unquoted spaces and allows the execution of the rogue programs C:\Program.exe and/or C:\Program Files.exe, as documented in http://msdn.microsoft.com/library/ms682425.aspx Stefan Kanthak PS: long pathnames containing spaces exist for about 20 years now

Re: Vulnerabilities in Windows 8 Professional x64 factory preinstallation of Fujitsu Lifebook A512 [continued]

2013-05-09 Thread Stefan Kanthak
Engine Components\\UNS\\UNS.exe Stefan Kanthak

Defense in depth -- the Microsoft way

2013-05-21 Thread Stefan Kanthak
. The VERY simple fix (which eliminates this attack vector completely): always use fully-qualified paths to the well-known executables. JFTR: cf. http://seclists.org/fulldisclosure/2011/Sep/160 Stefan Kanthak

Vulnerable Microsoft VC++ 2005 RTM runtime libraries installed with Microsoft Security Essentials (and numerous other Microsoft products)

2013-06-03 Thread Stefan Kanthak
report published Stefan Kanthak [*] DW20Shared.msi is bundled with numerous other Microsoft products too, including * Windows Defender * Forefront Security ... * Office 2003 (and every single component of it, Word, Excel, PowerPoint, Outlook, Visio, Access, Publisher

VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe

2013-07-10 Thread Stefan Kanthak
and later only. Stefan Kanthak PS: the PDF Preview Handlers which are installed unconditionally on Windows XP are superfluous too (at least when Outlook 2007 is not installed). Cf. http://msdn.microsoft.com/library/cc144143.aspx [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6

Defense in depth -- the Microsoft way (part 4)

2013-07-23 Thread Stefan Kanthak
others of numerous other developers/companies, which come with outdated and vulnerable MSI merge modules, are installed, * the current version of the standalone redistributable packages of the resp. MSVCRT, MFC, ATL etc. are NOT installed, are (potentially) VULNERABLE! stay tuned Stefan

Defense in depth -- the Microsoft way (part 6): beginner's errors, QA sound asleep or out of sight!

2013-08-07 Thread Stefan Kanthak
-B7D0-4933-B1A9-3707EBACC573}] UninstallString=C:\\Program Files (x86)\\Intel\\OpenCL SDK\\2.0\\Uninstall\\setup.exe -uninstall stay tuned Stefan Kanthak PS: if you want to catch such beginner's errors place a copy of http://home.arcor.de/skanthak/download/SENTINEL.EXE as %SystemDrive

OUTDATED, UNSUPPORTED and VULNERABLE 3rd party components installed with Exact Audio Copy

2013-08-08 Thread Stefan Kanthak
://support.microsoft.com/kb/835322 When installed via the MSVCRT++ redistributable package, Windows Update but keeps this component up-to-date! Stefan Kanthak Timeline: ~ 2013-08-06 informed developer 2013-08-06 developer replies: a. EAC was released two months after

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-12 Thread Stefan Kanthak
. Stefan Kanthak

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-12 Thread Stefan Kanthak
Reindl Harald h.rei...@thelounge.net wrote: Am 11.08.2013 22:15, schrieb Stefan Kanthak: Reindl Harald h.rei...@thelounge.net wrote: Am 10.08.2013 16:52, schrieb Tobias Kreidl: It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-13 Thread Stefan Kanthak
. so do we now disable unlink(); Not WE, but the developer. All functions which are not used in the typical operating environment of the resp. program (see above) have to be turned off by default. file handling is NONE of PHP's typical operations! Stefan Kanthak

Defense in depth -- the Microsoft way (part 7): executable files in data directories

2013-08-19 Thread Stefan Kanthak
and insecure programs. stay tuned Stefan Kanthak PS: it's getting worse^Wmore complicated (and as everybody with a sane mind knows: complexity reduces/ruins safety and security)! With Windows Vista Microsoft introduced user account control (really: they surrendered to all those

Windows Embedded POSReady 2009: cruft, not craft

2013-08-21 Thread Stefan Kanthak
diligence? And what about quality assurance? JFTR: the unqualified filenames used in this cruft are nice targets for binary planting attacks! stay tuned Stefan Kanthak

Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-26 Thread Stefan Kanthak
the source of the problem! Instead they introduced things like the security theatre UAC: with Windows 8 the user account(s) created during setup still have administrative rights. And Windows 7 introduced the silent elevation for about 70 of Microsoft's own programs... stay tuned Stefan Kanthak PS: if you

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-26 Thread Stefan Kanthak
Jeffrey Walton wrote: Hi Stefan, ... administrative rights for every user account This WAS the default for user accounts back then, and still IS the default for user accounts created during setup. Hmmm... XP/x64 appears to have a bug such that the second user also needs to be admin

Defense in depth -- the Microsoft way (part 9): erroneous documentation

2013-09-02 Thread Stefan Kanthak
marks with arguments such as %1 that are | expanded to strings by the Shell, because you cannot be certain that | the string will not contain a space. http://msdn.microsoft.com/library/dd203067.aspx http://msdn.microsoft.com/library/cc144109.aspx regards Stefan Kanthak

Re: %windir%\temp\sso\ssoexec.dll (or: howtrustworthy is Microsoft's build process)

2013-09-19 Thread Stefan Kanthak
| in a position to carry out these attacks could also carry out many | other attacks we can't stop. The link provided below explains this in | detail. OUCH! Stefan Kanthak

Defense in depth -- the Microsoft way (part 11): privilege escalation for dummies

2013-10-02 Thread Stefan Kanthak
to be a security boundary, so such an escalation is not considered to be a security vulnerability. 2013-10-02 report published stay tuned Stefan Kanthak

Defense in depth -- the Microsoft way (part 12): NOOP security fixes

2013-10-21 Thread Stefan Kanthak
alias http://technet.microsoft.com/security/bulletin/ms12-034 stay tuned Stefan Kanthak PS: if Microsoft weren't such sloppy coders and had a QA department this whole class of vulnerabilities would not exist: the path to EVERY executable in Windows is well-known, all

Re: Word 2003 SP2 .doc fork bomb on WinXP SP3

2013-11-10 Thread Stefan Kanthak
https://support.microsoft.com/kb/2826020 alias http://technet.microsoft.com/security/bulletin/MS13-086 Whoever uses outdated and vulnerable versions of products is just stupid! Stefan Kanthak

Defense in depth -- the Microsoft way (part 14): incomplete, misleading and dangerous documentation

2013-11-25 Thread Stefan Kanthak
\Session Manager] SafeProcessSearchMode=dword:0001 stay tuned Stefan Kanthak PS: when filename.bat or filename.cmd are started from Windows Explorer the console window of the new process shows the icon of the CMD.EXE found in the 'current working directory' (i.e. the directory where

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 13): surprising and inconsistent behaviour, sloppy coding, sloppy QA, sloppy documentation

2013-12-02 Thread Stefan Kanthak
properly. The problem is not the C language! The problem is the inconsistent (and sloppy) implementation of similar functions of the Win32 API and their inconsistent and sloppy documentation. regards Stefan Kanthak On Sun, Nov 3, 2013 at 4:30 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Hi

[Full-disclosure] Defense in depth -- the Microsoft way (part 13): surprising and inconsistent behaviour, sloppy coding, sloppy QA, sloppy documentation

2013-12-02 Thread Stefan Kanthak
() == ERROR_INVALID_PARAMETER or similar. FIX: ALL interfaces of the Win32 API should^WMUST verify (ALL) their arguments properly before using them and return an appropriate, documented error code. stay tuned Stefan Kanthak

Buggy insecure security software executes rogue binary during installation and uninstallation

2014-04-17 Thread Stefan Kanthak
\ Au_.exe in turn called Windows' CreateProcess() function with the (you guess it) UNQUOTED command line C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver which again led to execution of C:\Program.exe regards Stefan Kanthak

Beginner's error: Hewlett-Packard's driver software executes rogue binary C:\Program.exe

2014-05-21 Thread Stefan Kanthak
of QA? And some more to teach beginner courses on (Windows) programming to your developers? Long filenames containing spaces are used in Windows for 20 years now and your developers still don't get them right? regards Stefan Kanthak JFTR: the driver for the HP OfficeJet 6700 is not the only one

Defense in depth -- the Microsoft way (part 15): unquoted arguments in 120 (of 462) command lines

2014-05-29 Thread Stefan Kanthak
-too-ha.html https://technet.microsoft.com/library/security/ms07-061 Quotes bite, but missing quotes bite too^Wmore! regards Stefan Kanthak PS: the following command lines with unquoted pathnames execute C:\Program.exe: [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open

iTunes 11.2.2 for Windows: completely outdated and vulnerable 3rd party libraries

2014-07-07 Thread Stefan Kanthak
Apple's developers start to develop a sense for safety and security: stay away from their (Windows) software! regards Stefan Kanthak Timeline: ~ 2014-06-06 informed vendor 2014-06-06 vendor sent automated response ... no more reaction 2014-07-03 requested status

Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-24 Thread Stefan Kanthak
| the executable path in lpCommandLine, as shown in the example below. Long filenames were introduced 20 years ago, but M$FT's developers still can't handle them properly, and their QA is unable to detect such silly and trivial to spot bugs! regards Stefan Kanthak PS: yes, it needs

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-28 Thread Stefan Kanthak
not sure why did you bring UAC into the discussion - did I miss something? or was it just an argument you've heard before and wanted to reply to it preventively?) Cheers! regards Stefan On Fri, Jul 25, 2014 at 2:50 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Gynvael Coldwind wrote

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-30 Thread Stefan Kanthak
, and you have to use sudo explicitly. On Windows, all user accounts created during setup are administrator accounts which show the above mentioned behaviour. Is this enough of a difference? Sent from my Surface Pro 3 ARGH! I don't need any advertising! Stefan From: Stefan Kanthak

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-30 Thread Stefan Kanthak
3 From: Stefan Kanthak Sent: Monday, July 28, 2014 10:43 To: Michael Cramer, Gynvael Coldwind Cc: fulldisclosure, Brandon Perry, bugtraq@securityfocus.com Michael Cramer mike.cra...@outlook.com wrote: sudo make-me-a-sandwich.py How is this different from

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-31 Thread Stefan Kanthak
with the decision between tightening up the behavior of an API vs. breaking customer applications that people regularly use, what would your choice be? I don't need to choose! There was no compatibility to break. Stefan Original message From: Stefan Kanthak Date:07/30/2014 3:19 AM

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-31 Thread Stefan Kanthak
not take into account, again) WinExec() supports under Win32 exact the same semantics as under Win16. Stefan Original message From: Stefan Kanthak Date:07/30/2014 8:26 AM (GMT-08:00) To: Joe Souza , Michael Cramer , Gynvael Coldwind Cc: fulldisclosure , Brandon Perry , bugtraq

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-31 Thread Stefan Kanthak
point. Really? Where did I write that CreateProcess() should guess how many parts of the command line form the path to the application? You still don't get the point, you don't even read what I wrote. Stefan -Original Message- From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] Sent

Beginner's error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files

2014-08-08 Thread Stefan Kanthak
them properly. If you detect such silly beginner's errors: report them and get them fixed. If the vendor does not fix them: trash the trash! regards Stefan Kanthak PS: for static detection of these silly beginner's errors download and run http://home.arcor.de/skanthak/download/SLOPPY.CMD

Beginner's error: Apple's Software Update runs rogue program C:\Program.exe (and some more)

2014-08-18 Thread Stefan Kanthak
, Protected Administrator should be considered the equivalent | of Administrator. regards Stefan Kanthak

Beginner's error: Windows Live Mail 2011 runs rogue C:\Program.exe when opening associated URLs

2014-08-18 Thread Stefan Kanthak
and upgrade to Windows Live Mail 2012 ASAP! regards Stefan Kanthak PS: the associations for .eml and .nws DON'T show this beginner's error: WindowsLiveMail.Email.1=C:\Program Files (x86)\Windows Live\Mail\wlmail.exe /eml:%1 WindowsLiveMail.News.1=C:\Program Files (x86)\Windows Live\Mail

Beginner's error: Apple's iCloudServices for Windows run rogue program C:\Program.exe (and some more)

2014-08-18 Thread Stefan Kanthak
4.6.1.0 regards Stefan Kanthak PS: the obvious and trivial fix: edit the 2 erroneous command lines and add the missing quotes. But don't forget to fix them after every update of Apple's crap for Windows.

Defense in depth -- the Microsoft way (part 18): Microsoft Office 2010 registers command lines with unquoted pathnames

2014-09-02 Thread Stefan Kanthak
the rogue programs C:\Program.exe or C:\Program Files\Microsoft.exe regards Stefan Kanthak

Defense in depth -- the Microsoft way (part 19): still no perfect forward secrecy per default in Windows 8/7/Vista/Server 2012/Server 2008 [R2]

2014-09-08 Thread Stefan Kanthak
://www.howsmyssl.com/, https://www.ssllabs.com/ssltest/viewMyClient.html or https://cc.dcsec.uni-hannover.de/ with Internet Explorer 8 and later after the reboot. have fun Stefan Kanthak JFTR: IPsec is able to use perfect forward secrecy for MANY years, see http://support.microsoft.com/kb/252735

Still beginner's errors (and outdated 3rd party components) in QuickTime 7.7.6 and iTunes 12.0.1

2014-10-27 Thread Stefan Kanthak
Cf. http://support.microsoft.com/kb/24671743 and http://support.microsoft.com/kb/2565063 alias http://www.microsoft.com/technet/security/bulletin/ms11-025 Will Apple's developers and their QA EVER learn how to use filenames with embedded spaces properly? regards Stefan Kanthak

iTunes 12.0.1 for Windows: still COMPLETELY outdated and VULNERABLE 3rd party libraries

2014-10-27 Thread Stefan Kanthak
to develop a sense for safety and security: stay away from their (Windows) software! regards Stefan Kanthak Timeline: ~ 2014-06-06 informed vendor 2014-06-06 vendor sent automated response ... no more reaction 2014-07-03 requested status ... no answer

Defense in depth -- the Microsoft way (part 23): two quotes or not to quote...

2014-12-14 Thread Stefan Kanthak
AppInit_DLLs are only supported on Windows NT (see https://support.microsoft.com/kb/134655) a braindead developer chose not to use a REG_MULTI_SZ value (avoiding the need to interpret spaces as separator and thus supporting long filenames). have fun Stefan Kanthak

Defense in depth -- the Microsoft way (part 26): Set Program Access and Computer Defaults hides applications like Outlook

2014-12-30 Thread Stefan Kanthak
your changes and import the file into the registry: REGEDIT.EXE /S OUTLOOK.REG Start SPAD again and find Microsoft Office Outlook now displayed as mail program. enjoy Stefan Kanthak [*] at least Windows 7, but I assume this behaviour was introduced with Windows Vista; in earlier versions

Defense in depth -- the Microsoft way (part 27): the command line you get differs from the command line I use to call you

2015-02-02 Thread Stefan Kanthak
dir\program.exe name c:\program files\sub dir\program name.exe JFTR: without this transformation splitting of the command line into the argv vector would give wrong results ... in presence of CreateProcess*() braindead behaviour! Stay tuned! regards Stefan Kanthak PS

[ANN] MSKB 3004375 available for Windows 2000 and later too (but NOT from Microsoft)

2015-02-11 Thread Stefan Kanthak
Stefan Kanthak

iTunes 12.1.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-02-19 Thread Stefan Kanthak
[*] without dissecting its *.MSI files. Until Apple's developers, their QA and their managers start to develop a sense for their customers' safety and security and due diligence: stay away from Apple's (Windows) software! stay tuned Stefan Kanthak [*] https://cwe.mitre.org/data/definitions/428.html

Defense in depth -- the Microsoft way (part 28): yes, we can (create even empty, but properly quoted pathnames)

2015-02-19 Thread Stefan Kanthak
registering standard verbs, do not set the default value | for the Open key. The default value contains the display string | on the menu. The operating system supplies this string for | standard verbs. regards Stefan Kanthak PS: Windows 7, and of course Windows 8, Windows 8.1

Defense in depth -- the Mozilla way: return and exit codes are dispensable

2015-03-16 Thread Stefan Kanthak
and Thunderbird. According to the 20+ years old Designed for Windows guidelines! shared components go to %CommonProgramFiles%\vendor\component. JFTR: are you kidding? (why) are Gecko, NSS, XUL, ICU etc. NO shared components? stay tuned Stefan Kanthak ['] Windows SetupAPI exists since

Defense in depth -- the Microsoft way (part 30): on exploitable Win32 functions

2015-03-16 Thread Stefan Kanthak
when notified over and over again! Defense in depth? Nope! Software engineering? Nope! BRAINDEAD behaviour of Windows CreateProcess*() functions? Yes, of course, always! Taking care for the safety and security of their customers' systems? Nope! stay tuned (and far away from crapware!) Stefan

Defense in depth -- the Microsoft way (part 31): UAC is for binary planting

2015-03-16 Thread Stefan Kanthak
| accounts for other people on your PC, it's a good idea to give | them standard accounts. stay tuned Stefan Kanthak

Defense in depth -- the Microsoft way (part 29): contradicting, ambiguous, incomplete documentation

2015-02-23 Thread Stefan Kanthak
. the pathname of the found executable gets quoted if it contains a space. The documentation of the function GetCommandLine() https://msdn.microsoft.com/en-us/library/ms683156.aspx but misses this completely! Stay tuned! regards Stefan Kanthak ['] as soon as a name contains a single

iTunes 12.2 and QuickTime 7.7.7 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-07-01 Thread Stefan Kanthak
software! Stefan Kanthak

Mozilla extensions: a security nightmare

2015-08-04 Thread Stefan Kanthak
and) Thunderbird and subject to the restrictions imposed by these programs for non-XUL/chrome Javascript. Mitigation(s): ~~ Disable profile local installation of extensions in Mozilla products, enable ONLY application global installation of extensions. stay tuned Stefan Kanthak

Re: [FD] Mozilla extensions: a security nightmare

2015-08-05 Thread Stefan Kanthak
about this issue for the time being. JFTR: top posting is a bad habit too! On Tue, Aug 4, 2015 at 3:22 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Hi @ll, Mozilla Thunderbird 38 and newer installs and activates per default the 'Lightning' extension. Since extensions live

Vulnerable MSVC++ runtime distributed with LibreOffice 5.0.0 for Windows

2015-08-06 Thread Stefan Kanthak
://seclists.org/fulldisclosure/2009/Sep/0 JFTR: Windows Vista and later include NEWER versions of these DLLs, there is absolutely no need to redistribute an ancient version in your product at all (especially after Windows XP and 2003 have reached end-of-life)! stay tuned Stefan Kanthak

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Stefan Kanthak
Ansgar Wiechers bugt...@planetcobalt.net wrote: On 2015-08-05 Stefan Kanthak wrote: Mario Vilas mvi...@gmail.com wrote: If this is the case then the problem is one of bad file permissions, not the location. Incidentally, many other browsers and tons of software also store executable code
