[Full-disclosure] Defense in depth -- the Microsoft way (part 14): incomplete, misleading and dangerous documentation

2013-11-24 Thread Stefan Kanthak
\Session Manager] SafeProcessSearchMode=dword:0001 stay tuned Stefan Kanthak PS: when filename.bat or filename.cmd are started from Windows Explorer the console window of the new process shows the icon of the CMD.EXE found in the 'current working directory' (i.e. the directory where

[Full-disclosure] Defense in depth -- the Microsoft way (part 13): surprising and inconsistent behaviour, sloppy coding, sloppy QA, sloppy documentation

2013-11-03 Thread Stefan Kanthak
() == ERROR_INVALID_PARAMETER or similar. FIX: ALL interfaces of the Win32 API should^WMUST verify (ALL) their arguments properly before using them and return an appropriate, documented error code. stay tuned Stefan Kanthak ___ Full-Disclosure - We believe

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 13): surprising and inconsistent behaviour, sloppy coding, sloppy QA, sloppy documentation

2013-11-03 Thread Stefan Kanthak
properly. The problem is not the C language! The problem is the inconsistent (and sloppy) implementation of similar functions of the Win32 API and their inconsistent and sloppy documentation. regards Stefan Kanthak On Sun, Nov 3, 2013 at 4:30 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Hi

Re: [Full-disclosure] %windir%\temp\sso\ssoexec.dll (or: howtrustworthy is Microsoft's build process)

2013-09-19 Thread Stefan Kanthak
| in a position to carry out these attacks could also carry out many | other attacks we can't stop. The link provided below explains this in | detail. OUCH! Stefan Kanthak

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation

2013-09-02 Thread Stefan Kanthak
I am truly shocked that seemingly, stuff like this needs to be said in the year of 2013. Completely right! I'd have supposed that things like these should be known by *anyone* doing anything even remotely similar to software development *at least* since the end of the 8.3 filename era 15

[Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation

2013-08-31 Thread Stefan Kanthak
marks with arguments such as %1 that are | expanded to strings by the Shell, because you cannot be certain that | the string will not contain a space. http://msdn.microsoft.com/library/dd203067.aspx http://msdn.microsoft.com/library/cc144109.aspx regards Stefan Kanthak

[Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-24 Thread Stefan Kanthak
the source of the problem! Instead they introduced things like the security theatre UAC: with Windows 8 the user account(s) created during setup still have administrative rights. And Windows 7 introduced the silent elevation for about 70 of Microsoft's own programs... stay tuned Stefan Kanthak PS: if you

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-24 Thread Stefan Kanthak
Jeffrey Walton wrote: Hi Stefan, ... administrative rights for every user account This WAS the default for user accounts back then, and still IS the default for user accounts created during setup. Hmmm... XP/x64 appears to have a bug such that the second user also needs to be admin

[Full-disclosure] Windows Embedded POSReady 2009: cruft, not craft

2013-08-21 Thread Stefan Kanthak
diligence? And what about quality assurance? JFTR: the unqualified filenames used in this cruft are nice targets for binary planting attacks! stay tuned Stefan Kanthak

[Full-disclosure] Defense in depth -- the Microsoft way (part 7): executable files in data directories

2013-08-17 Thread Stefan Kanthak
and insecure programs. stay tuned Stefan Kanthak PS: it's getting worse^Wmore complicated (and as everybody with a sane mind knows: complexity reduces/ruins safety and security)! With Windows Vista Microsoft introduced user account control (really: they surrendered to all those

[Full-disclosure] OUTDATED, UNSUPPORTED and VULNERABLE 3rd party components installed with Exact Audio Copy

2013-08-08 Thread Stefan Kanthak
://support.microsoft.com/kb/835322 When installed via the MSVCRT++ redistributable package, Windows Update but keeps this component up-to-date! Stefan Kanthak Timeline: ~ 2013-08-06 informed developer 2013-08-06 developer replies: a. EAC was released two months after

[Full-disclosure] Defense in depth -- the Microsoft way (part 6): beginner's errors, QA sound asleep or out of sight!

2013-08-07 Thread Stefan Kanthak
-B7D0-4933-B1A9-3707EBACC573}] UninstallString=C:\\Program Files (x86)\\Intel\\OpenCL SDK\\2.0\\Uninstall\\setup.exe -uninstall stay tuned Stefan Kanthak PS: if you want to catch such beginner's errors place a copy of http://home.arcor.de/skanthak/download/SENTINEL.EXE as %SystemDrive

[Full-disclosure] Defense in depth -- the Microsoft way (part 5): sticky, persistent vulnerabilities

2013-07-28 Thread Stefan Kanthak
and later: run the command given above and see yourself! stay tuned Stefan Kanthak PS: if you find any of these side-by-side DLLs in %ProgramFiles%, %ProgramFiles(x86)% or other locations: ask the developers/vendors who installed them there to take a REALLY THOROUGH look at http

[Full-disclosure] Defense in depth -- the Microsoft way (part 4)

2013-07-22 Thread Stefan Kanthak
others of numerous other developers/companies, which come with outdated and vulnerable MSI merge modules, are installed, * the current version of the standalone redistributable packages of the resp. MSCVRT, MFC, ATL etc. are NOT installed, are (potentially) VULNERABLE! stay tuned Stefan

[Full-disclosure] VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe

2013-07-10 Thread Stefan Kanthak
and later only. Stefan Kanthak PS: the PDF Preview Handlers which are installed unconditionally on Windows XP are superfluous too (at least when Outlook 2007 is not installed). Cf. http://msdn.microsoft.com/library/cc144143.aspx [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6

[Full-disclosure] Defense in depth -- the Microsoft way (part 3)

2013-06-17 Thread Stefan Kanthak
Hi @ll, many (if not most of the) Windows system utilities and system routines (including the kernel and its subsystems) as well as many user programs (including the shell Windows Explorer, Windows Media Player, Internet Explorer, Microsoft Office, etc.) load libraries/satellites at runtime via

[Full-disclosure] Vulnerable Microsoft VC++ 2005 RTM runtime libraries installed with Microsoft Security Essentials (and numerous other Microsoft products)

2013-06-03 Thread Stefan Kanthak
report published Stefan Kanthak [*] DW20Shared.msi is bundled with numerous other Microsoft products too, including * Windows Defender * Forefront Security ... * Office 2003 (and every single component of it, Word, Excel, PowerPoint, Outlook, Visio, Access, Publisher

[Full-disclosure] Defense in depth -- the Microsoft way

2013-05-20 Thread Stefan Kanthak
. The VERY simple fix (which eliminates this attack vector completely): always use fully-qualified paths to the well-known executables. JFTR: cf. http://seclists.org/fulldisclosure/2011/Sep/160 Stefan Kanthak

[Full-disclosure] Vulnerability in Fujitsu Desktop Update (for Windows)

2013-05-08 Thread Stefan Kanthak
\\DeskUpdate.exe The last entry is a pathname with unquoted spaces and allows the execution of the rogue programs C:\Program.exe and/or C:\Program Files.exe, as documented in http://msdn.microsoft.com/library/ms682425.aspx Stefan Kanthak PS: long pathnames containing spaces exist for about 20 years now

Re: [Full-disclosure] Vulnerabilities in Windows 8 Professional x64 factory preinstallation of Fujitsu Lifebook A512 [continued]

2013-05-08 Thread Stefan Kanthak
Engine Components\\UNS\\UNS.exe Stefan Kanthak

[Full-disclosure] Vulnerabilities in Windows 8 Professional x64 factory preinstallation of Fujitsu Lifebook A512

2013-05-06 Thread Stefan Kanthak
. 2013-04-26 asked vendor: please elaborate your standards and your qualification process no answer 2013-05-05 report published Stefan Kanthak

[Full-disclosure] VULNERABLE and COMPLETELY outdated 3rd-party libraries/components used in 3CX Phone 6

2013-05-06 Thread Stefan Kanthak
: ~ 2013-05-03 vendor informed 2013-05-05 vendor replied: 3CX Phone is freeware, use another software I second that: don't use software from 3CX! 2013-05-06 report published Stefan Kanthak

[Full-disclosure] VULNERABLE and COMPLETELY outdated 3rd-party libraries/components used in 3CX Phone System 11

2013-05-06 Thread Stefan Kanthak
objective evidence the safest phone system on the market. If you don't like it, use asterisk. I second that: don't use software from 3CX! Request your money back. 2013-05-06 report published Stefan Kanthak

[Full-disclosure] Vulnerability in Microsoft Security Essentials v4.2

2013-05-04 Thread Stefan Kanthak
. This command may be called by Windows Update Agent or deployment agents running under the LocalSystem account. Timeline: ~ 2012-12-05 vendor informed 2013-12-06 vendor acknowledged report 2013-02-13 vendor released fixed version Stefan Kanthak

[Full-disclosure] Mozilla Firefox and Microsoft Internet Explorer stall when using workaround from MS06-020 or MS06-069

2013-01-21 Thread Stefan Kanthak
of the flash player plugin/activex control wrong! Tested with MSIE6 to MSIE9 on Windows XP to Windows 7, and Mozilla Firefox 1x.x on Windows XP and Windows 7. Stefan Kanthak PS: Opera doesn't show this error!

[Full-disclosure] Vulnerable, superfluous/outdated/deprecated/superseded 3rd party OCXs and DLLs distributed by and installed with Dataram RamDisk 4.0.0

2012-11-06 Thread Stefan Kanthak
! Stefan Kanthak

[Full-disclosure] Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by eM client

2012-11-02 Thread Stefan Kanthak
2012-11-02 report published Stefan Kanthak

[Full-disclosure] Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by Ogg DirectShow filters

2012-10-04 Thread Stefan Kanthak
informed maintainer about problems still not fixed 2011-01-12 maintainer released current version 0.85.1 2012-03-08 asked maintainer for a fix for the vulnerable MSVCRT 2012-03-09 maintainer replied planning update before easter 2012-10-03 report published Stefan Kanthak

[Full-disclosure] Dell Data Protection | Access for Windows contains and installs outdated, superfluous and vulnerable system components and 3rd party components/drivers

2012-09-24 Thread Stefan Kanthak
bit of serious software engineering and due diligence in your development, build and production processes? It's a stupid idea to build security software from vulnerable components! Stefan Kanthak Timeline 2012-08-24 informed vendor support 2012-09-24 no reaction/reply from

[Full-disclosure] How well does Microsoft support (and follow) their mantra keep your PC updated?

2012-08-09 Thread Stefan Kanthak
offer the necessary update MS11-025, since Windows Update Agent doesn't detect the improperly installed MSVCRT! Stefan Kanthak [1] Application Error Reporting alias Windows Error Reporting SQL Server 2005 and several subcomponents SQL Server 2008 and several subcomponents SQL

Re: [Full-disclosure] How much time is appropriate for fixing a bug?

2012-07-09 Thread Stefan Kanthak
-)satisfied customers, ... Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag. Stefan Kanthak

Re: [Full-disclosure] How much time is appropriate for fixing a bug?

2012-07-09 Thread Stefan Kanthak
think any more on the subject will just result in another flare-up of FD vs RD vs FO vs GGF, so I'll probably not spend too much more time on the thread - but please feel free to add whatever you may think I've missedS. Stefan On 7/8/12 5:07 AM, Stefan Kanthak stefan.kant...@nexgo.de wrote

Re: [Full-disclosure] Windows short (8.3) filenames - a security nightmare?

2012-07-05 Thread Stefan Kanthak
\MIGRATE.INF or \amd64\MIGRATE.INF --- [Version] Provider = Stefan Kanthak Signature = $Windows NT$ [AddReg] ; Disable creation of 8.3 DOS filenames (see MSKB 121007 210638) HKLM,System\ControlSet001\Control\FileSystem,NTFSDisable8dot3NameCreation,65537,1 --- EOF

[Full-disclosure] Vulnerable Microsoft VC++ 2005 runtime libraries in Microsoft Live Meeting 2007 Client installed in private location

2012-07-03 Thread Stefan Kanthak
:\Program Files\Suite Name | | For your support files shared only within the suite: | | C:\Program Files\Suite Name\System but create a mess instead and place numerous copies of these (and some more) libraries in various different locations! Stefan Kanthak Timeline: 2012-03-16 problem reported

[Full-disclosure] OpenLimit Reader for Windows contains completely outdated, superfluous and VULNERABLE system components

2012-06-27 Thread Stefan Kanthak
Stefan Kanthak Timeline: 2012-05-19 vendor informed ... no reaction until 2012-06-25 report published

[Full-disclosure] [Win32-API] SetNamedSecurityInfo() IGNORES and DESTROYS protected DACLs/SACLs

2012-06-20 Thread Stefan Kanthak
additional inherited access rights. regards Stefan Kanthak

[Full-disclosure] ICACLS.EXE ignores and destroys SE_DACL_PROTECTED/SE_SACL_PROTECTED

2012-05-13 Thread Stefan Kanthak
--- Vendor was informed and has acknowledged the bug, but will neither issue an immediate fix nor even a warning note stating the bug. regards Stefan Kanthak [0] http://support.microsoft.com/kb/919240 [1] http://support.microsoft.com/kb/943043 [2] http://support.microsoft.com/kb/944820 [3] http

[Full-disclosure] %windir%\temp\sso\ssoexec.dll (or: how trustworthy is Microsoft's build process)

2012-03-05 Thread Stefan Kanthak
and https://encrypted.google.com/search?num=100&safe=off&q=%22ssoexec%22+OR+%22ssoreset%22 only find hits that show problems with malware 2012-03-04 no more answer from vendor, report published Stefan Kanthak

[Full-disclosure] Microsoft security hotfix MS11-071 alias KB2570947 incomplete

2011-11-15 Thread Stefan Kanthak
further information. 2011-11-14 publish vulnerability report Stefan Kanthak JFTR: if Microsoft weren't such sloppy coders and had a QA department this whole class of vulnerabilities would not exist: the path to EVERY executable in Windows is well-known, all references can use

Re: [Full-disclosure] Fix for NTFS permissions issue in QuickTime 7.xfor Windows

2011-09-22 Thread Stefan Kanthak
DIRNAME=%~dp1 Goto :EOF Stefan Kanthak

Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

2011-09-16 Thread Stefan Kanthak
Thor (Hammer of God) t...@hammerofgod.com wrote: Would you mind breaking the lines of your posts near column 70? From your blog: [ ... ] I would say our self-serving and marketing-oriented minds remain challenged to understand what security really is, but regardless, continue to find ways

[Full-disclosure] Perfect PDF products distributed with vulnerable MSVC++ libraries

2011-06-19 Thread Stefan Kanthak
(no reply) 2011-06-19 vulnerability report published Stefan Kanthak

[Full-disclosure] Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries

2011-06-16 Thread Stefan Kanthak
at all! 2011-06-17 vulnerability report published Stefan Kanthak

[Full-disclosure] Vulnerable and completely outdated 3rd party ZIP code in FastStone image viewer

2011-05-17 Thread Stefan Kanthak
all versions of ZIP prior to 2.31 (November 2004) and UnZIP prior to 5.52 (February/March 2005) are vulnerable. Vendor was informed via http://www.faststone.org/contactUs.htm, but did not respond at all! Stefan Kanthak PS: Tools like Secunia's PSI don't detect such outdated and vulnerable

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Stefan Kanthak
Jeremy SAINTOT jeremy.sain...@gmail.com wrote: Correct me if I'm wrong, but here is what I think of that: You are wrong! A Domain user that is a Local admin of his workstation is different than a Domain user which is Domain Admin. A local administrator has all the powers on his computer,

Re: [Full-disclosure] Flaw in Microsoft Domain AccountCachingAllows Local Workstation Admins to TemporarilyEscalatePrivileges and Login as Cached Domain Admin Accounts(2010-M$-002)

2010-12-13 Thread Stefan Kanthak
StenoPlasma @ ExploitDevelopment stenopla...@exploitdevelopment.com wrote: Your MUA is defective, it strips the References: header! Stefan, For your information: Cached domain accounts on a local system are not stored in the SAM. They are stored in the SECURITY registry hive. When a

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Stefan Kanthak
Andrea Lee and...@kattrap.net wrote: I hope I'm not just feeding the troll... No. You just made a complete fool of yourself.-P Read the initial post again. CAREFULLY. Especially that part about unplugging from the network. A local admin is an admin on one system. The domain admin is an admin

Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-12 Thread Stefan Kanthak
George Carlson gcarl...@vccs.edu wrote: Your objections are mostly true in a normal sense. And in abnormal sense? However, it is not true when Group Policy is taken into account. Group Policies need an AD. Cached credentials are only used locally, for domain accounts, when the computer can't

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Stefan Kanthak
StenoPlasma @ www.ExploitDevelopment.com wrote: Much ado about nothing! TITLE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts There is NO privilege escalation. A local administrator is an

[Full-disclosure] Vulnerable 3rd-party DLLs used in TrendMicro's malware scanner HouseCall

2010-09-21 Thread Stefan Kanthak
1.0.2 gets downloaded upon start, updated 3 times since then due to vulnerabilities; see http://www.bzip.org/downloads.html Users who downloaded this security product before 2010-09-07 should get a new copy ASAP! Stefan Kanthak Timeline: 2010-07-08: informed vendor support

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-16 Thread Stefan Kanthak
Dan Kaminsky wrote: On Tue, Sep 14, 2010 at 6:07 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Dan Kaminsky wrote: Short version: Go see how many DLLs exist outside of c:\windows\system32. Look, ye mighty, and despair when you realize all those apps would be broken by CWD DLL blocking

Re: [Full-disclosure] DLL hijacking POC (failed, see for yourself)

2010-09-16 Thread Stefan Kanthak
Christian Sciberras wrote: and failed to use it right! Well, I suppose I could have used neat tricks such as specifically and directly loading the bad dll. But as much as security goes, those are cheap tricks. Wrong again! You don't need tricks, you need to understand Windows' DLL search

Re: [Full-disclosure] DLL hijacking POC (failed, see for yourself)

2010-09-16 Thread Stefan Kanthak
Christian Sciberras wrote: No. Guess where the D in DLL comes from! Static linking occurs when the linker builds a binary (this might be a DLL.-) using *.OBJ and *.LIB. Dynamic linking occurs when the loader loads a binary (again: this might be a DLL) into memory and resolves its

Re: [Full-disclosure] DLL hijacking POC (failed, see for yourself)

2010-09-16 Thread Stefan Kanthak
Christian Sciberras wrote: Yes. Once again: get your homework done! http://www.codeproject.com/KB/DLL/dynamicdllloading.aspx That's a double DYNAMIC there! Did you even bother to read the article? The very first paragraph states the difference between the two. Oh, and for the records,

Re: [Full-disclosure] DLL hijacking POC (failed, see for yourself)

2010-09-15 Thread Stefan Kanthak
Christian Sciberras wrote: I wrote my own example POC. and failed to use it right! [...] DHPOC\example\the-install-folder\ DHPOC\example\the-install-folder\dhpocApp.exe DHPOC\example\the-install-folder\dhpocDll.dll DHPOC\example\the-remote-folder

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-15 Thread Stefan Kanthak
Dan Kaminsky wrote: h0h0h0. There be history, Larry. Short version: Go see how many DLLs exist outside of c:\windows\system32. Look, ye mighty, and despair when you realize all those apps would be broken by CWD DLL blocking. No, that's the too much shortened version. The correct version

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-15 Thread Stefan Kanthak
Paul Szabo wrote: Christian Sciberras uuf6...@gmail.com wrote: ... the user has opened the bad file ... The victim views a data file, does not (directly) run an executable. The data file could be as harmless as a Word document or a plain-text file. Word (resp. MS Office) documents ain't

Re: [Full-disclosure] Nmap NOT VULNERABLE to Windows DLL HijackingVulnerability

2010-09-14 Thread Stefan Kanthak
paul.sz...@sydney.edu.au wrote: Fyodor fyo...@insecure.org wrote: nmap <= 5.21 is vulnerable to Windows DLL Hijacking Vulnerability. Nmap is not vulnerable. DLL hijacking works because of an unfortunate interaction between apps which register Windows file extensions and the default

Re: [Full-disclosure] KeePass version 2.12 = Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-13 Thread Stefan Kanthak
Christian Sciberras wrote: I can't take THAT seriously. At least not all of it. The part that interested me most: 4. Should I find such vulnerability in many applications as I can? You should not. It's just a waste of time and your energy. Focus on most popular application

[Full-disclosure] Nuance OmniPage 16 Professional installs multiple vulnerable Microsoft runtime libraries

2010-06-28 Thread Stefan Kanthak
security of customer systems at Nuance? Stefan Kanthak

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-09 Thread Stefan Kanthak
Michael Wojcik wrote: From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] Sent: Saturday, 06 February, 2010 08:21 Dan Kaminsky wrote: [...] (On a side note, you're not going to see this sort of symlink stuff on Windows, What exactly do you mean? Traversing symlinks

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-08 Thread Stefan Kanthak
Dan Kaminsky wrote on February 06, 2010 6:43 PM: You need admin rights to create junctions. OUCH! No, creating junctions (as well as the Vista introduced symlinks) DOESN'T need admin rights! [snip] Stefan

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread Stefan Kanthak
Dan Kaminsky wrote: [...] (On a side note, you're not going to see this sort of symlink stuff on Windows, What exactly do you mean? Traversing symlinks on the server/share, or creation of wide symlinks by the client on the server/share? Since Windows 2000 NTFS supports junctions, which

[Full-disclosure] Vulnerable MSVC++ runtime distributed with OpenOffice.org 3.1.1 for Windows

2009-09-01 Thread Stefan Kanthak
Update. If not, all users of OpenOffice.org (as well as other poorly crafted software which distributes outdated 3rd-party DLLs) are put at risk! Stefan Kanthak

[Full-disclosure] Vulnerable DLLs distributed with Terratec HomeCinema 6.3

2009-07-16 Thread Stefan Kanthak
pthreadVC2.dll is installed as %CommonProgramFiles%\TerraTec\Cyberlink\Decoder\pthreadVC2.dll Stefan Kanthak PS: Tools like Secunia's PSI don't detect such outdated and vulnerable DLLs. Admin beware! TIMELINE: 2009-06-16 phone call with Terratec's hotline - they were unable

[Full-disclosure] Windows Update (re-)installs outdated Flash ActiveX on Windows XP

2009-04-21 Thread Stefan Kanthak
-)sets the ACLs it overwrites the registry entries of the newer/recent Flash Player ActiveX. DAMAGE DONE! I informed Microsoft in the last two years several times about this problem and discussed it with various members of their Microsoft Security Response Center, but the problem persists. Stefan

[Full-disclosure] Outdated and vulnerable OpenSource libraries used in Deutsche Telekom home banking software

2008-11-19 Thread Stefan Kanthak
available). Response(s): NONE Reaction(s): NONE Stefan Kanthak PS: http://service.t-online.de/c/12/70/85/92/12708592.html states that this software has been evaluated by TUeV Saarland and got their label TUeV Saarland: Gepruefte Home-Banking Software. Whatever they checked: it wasn't

Re: [Full-disclosure] OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Stefan Kanthak
Dan Kaminsky wrote: Eric Rescorla wrote: At Fri, 8 Aug 2008 17:31:15 +0100, Dave Korn wrote: Eric Rescorla wrote on 08 August 2008 16:06: At Fri, 8 Aug 2008 11:50:59 +0100, Ben Laurie wrote: However, since the CRLs will almost certainly not be checked, this means the

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Stefan Kanthak
, but are not foolproof. Stefan Kanthak

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-09 Thread Stefan Kanthak
Larry Seltzer wrote: I actually do have a response from Microsoft on the broader issue, but it doesn't address these issues or even concede that there's necessarily anything they can do about it. They instead speak of the same precautions for physical access that they spoke of a couple weeks