On Wed, 8 Nov 2006, Thomas Pollet wrote:

> Windows handles UNC paths the same way as local paths. Another mechanism
> used to load a remote dll using a UNC path is described in
> http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
> here the "system" directory is overwritten with a (UNC) directory owned
> by the attacker. When GetSystemDirectoryW() is called to load the
> faultrep.dll on exception, an attacker can supply his backdoored
> faultrep.dll. I don't think you should classify this as a vulnerability,
> it's known Windows behaviour (yet, Windows, a vulnerability all by itself?).

Two issues:

1. The loading of the library...

I've just had a very long discussion with someone who understands this far
better than me. I am wrong (on that part), it's not a "vulnerability" but
it's damn close, and can be used to facilitate quite a bit. I see it as an
issue, most people don't.

It is a bummer for desktop firewalls though, no? :)

http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
^^ indeed

2. Issue that got to mind, making a leap from the first one...

The point I was trying to make is very different, and speaks of what can
potentially be done with this if this was code execution. Using the PE as a
vector to attack the PE loader with (potential!) code execution for
privilege escalation. Using the PE itself as a vector of attack.

Much like you would use a doc file to exploit something in Word.. only not. :)

Thanks though - good stuff!

	Gadi.

> Regards,
> Thomas
>
> > The mother of all downloaders.
> >
> > "The Zone has a new King!" <we're not worthy x3>
> > -- Jeff, Coupling (BBC, UK).
> >
> > Gadi.
> >
> > -- G
> >
> > 2006/11/8, Solar Eclipse <[EMAIL PROTECTED]>:
> > >
> > > > On Tue, Nov 07, 2006 at 10:56:42AM -0800, Peter Ferrie wrote:
> > > > > Why is the idata size present? AFAIK, no Windows version checks it.
> > > > > Four bytes shorter, then (stop at the idata rva non-zero byte)?
> > > >
> > > > You're right, you can remove the last field and bring the file size
> > > > down to 133 bytes. That's what I get for claiming that the size can't
> > > > be improved :-)
> > > >
> > > > Solar
> > > > _______________________________________________
> > > > Code-Crunchers mailing list
> > > > [email protected]
> > > > http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
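The thread turns on the fact that the Windows loader resolves a library name from the import table (or from a directory lookup such as GetSystemDirectoryW()) exactly as given, so a UNC name there means a network load at process start; the "133 byte" downloader discussed in the quoted Code-Crunchers mail is the minimal case. The script below is an added example, not code from any poster in this thread: it parses a PE's import directory with only the standard library and flags DLL names that are UNC or other paths rather than bare file names, which is the check a defender would run over a suspicious binary. The sample image it analyses is constructed in memory (headers and an .idata section only, not a working executable), and the host name in it is a placeholder.

```python
"""Added example (not from the thread): parse a PE import directory and flag
DLL names that carry a UNC or absolute path instead of a bare file name.
The sample image is constructed in memory below; it is headers only and is
not a working executable."""
import struct

IMPORT_DIR = 1          # index of the import table in the data directory


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def imported_dlls(data):
    """Return the DLL names listed in the image's import descriptors."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    import_rva = struct.unpack_from("<I", data, dd + 8 * IMPORT_DIR)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, raw_size, raw_ptr))
    names = []
    if import_rva == 0:
        return names
    desc = _rva_to_offset(sections, import_rva)
    while True:
        if desc + 20 > len(data):
            raise ValueError("truncated import table")
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name, FirstThunk (an all-zero entry terminates)
        _oft, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and first_thunk == 0:
            break
        names.append(_cstring(data, _rva_to_offset(sections, name_rva)))
        desc += 20
    return names


def suspicious_imports(data):
    """DLL names that are paths rather than bare names: the loader resolves
    them as given, so a UNC name means a network load at process start."""
    out = []
    for name in imported_dlls(data):
        if name.startswith("\\\\"):
            out.append((name, "UNC path"))
        elif "\\" in name or "/" in name or ":" in name:
            out.append((name, "absolute or relative path"))
    return out


def build_sample_pe(dll_names):
    """Construct a minimal PE32 with one .idata section importing dll_names."""
    sec_rva, sec_off, align = 0x1000, 0x200, 0x200
    n = len(dll_names)
    names_blob, name_rvas = bytearray(), []
    for name in dll_names:
        name_rvas.append(sec_rva + 20 * (n + 1) + len(names_blob))
        names_blob += name.encode("ascii") + b"\0"
    thunks_rva = sec_rva + 20 * (n + 1) + len(names_blob)
    descs = b"".join(struct.pack("<IIIII", thunks_rva + 8 * i, 0, 0, rva, thunks_rva + 8 * i)
                     for i, rva in enumerate(name_rvas)) + b"\0" * 20
    idata = descs + bytes(names_blob) + b"\0" * (8 * n)
    raw_size = (len(idata) + align - 1) // align * align
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, align)        # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, align)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                     # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, sec_rva, len(descs))
    sec = struct.pack("<8sIIII", b".idata", len(idata), sec_rva, raw_size, sec_off) + b"\0" * 16
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(sec_off, b"\0") + idata.ljust(raw_size, b"\0")


if __name__ == "__main__":
    # "host.example" is a placeholder, not a real share
    img = build_sample_pe(["kernel32.dll", "\\\\host.example\\share\\remote.dll"])
    for name, why in suspicious_imports(img):
        print("flagged import %r: %s" % (name, why))
```

Run against a real file, read the bytes with `open(path, "rb").read()` and pass them to `suspicious_imports()`; the section-table mapping handles both PE32 and PE32+ data-directory layouts, and the truncation check keeps a malformed import table from walking off the end of the file. A bare name such as kernel32.dll is resolved through the normal search order and is not flagged; any name that already contains a separator is, because a path-bearing import is exactly the "downloader" pattern the thread describes.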
