"Gynvael Coldwind" <gynv...@coldwind.pl> wrote: > Well spotted.
Thanks. It's but a shame that such silly beginners errors are still present in current software. I didn't bother to look specifically for it since my "customers" and I used german versions of Windows NT5.x until now, where %ProgramFiles% is C:\Programme, without a space. I also installed mal^Wsoftware like Microsoft Office or Mozilla Firefox not into their default locations %ProgramFiles%\Microsoft Office or %ProgramFiles%\Mozilla Firefox, but used C:\Programme\Microsoft\Office resp. C:\Programme\Mozilla\Firefox instead to mitigate such errors. > That said, don't you have to be an admin to be able to create files in > these directories anyway? Yes. But I mentioned that: | Since every user account created during Windows setup has administrative | rights every user owning such an account can create the rogue program, | resulting in a privilege escalation. | | JFTR: no, the "user account control" is not a security boundary! Of course an administrator has many more ways to run a program under another user account. But this one is for dummies. > So this is only exploitable on FAT, or by admin, or if the ACLs are > set incorrectly right? Correct (but FAT cant be used any more for the boot partition of Windows Vista and later). These silly beginners errors but show that neither the developers nor their QA are doing their jobs well.-( And if they did not spot such simple errors, what about the "real" bugs? Unfortunately Apple is not the only culprit. Some WHQL-signed drivers run C:\Program.exe under "LocalSystem" account during their installation ($VENDOR, you know who you are, I reported this bug some years ago, and you did not react at all), quite some application packages of major companies install services running under "LocalSystem" account with ImagePath=C:\Program Files\... or COM-out-of-process servers with LocalServer32=C:\Program Files\..., and installer creators like NSIS MSI or InstallShield dont help their users to avoid this silly beginners error (see <http://seclists.org/fulldisclosure/2013/May/14> and <http://seclists.org/fulldisclosure/2013/May/37> for just the tip of the iceberg). "navigare^Wsoftware engineering necesse est!" regards Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/