Au_.exe in turn called Windows' CreateProcess() function with the
(you guessed it) UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver
which again led to execution of C:\Program.exe
regards
Stefan Kanthak
___
Sent
rights every user owning such an account can create the rogue program,
resulting in a privilege escalation.
JFTR: no, the user account control is not a security boundary!
regards
Stefan Kanthak
PS: for static detection of these silly beginners errors download and
run http://home.arcor.de
and
http://seclists.org/fulldisclosure/2013/May/37 for just the tip of the
iceberg).
navigare^Wsoftware engineering necesse est!
regards
Stefan Kanthak
___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web
security response team the vulnerable driver was
pulled from Windows Update.
Unfortunately (or should I write: of course) the drivers offered on
Synaptics web site have this silly bug too!
regards
Stefan Kanthak
PS: the following lines of the SYNPD.INF show the same silly bug:
|
HKLM,Software
which evaluate PATH, i.e.
CreateProcess(), ShellExecute(), CMD.EXE, ... MUST be specified
with their fully qualified pathname.
regards
Stefan Kanthak
Timeline:
~
2014-01-23 informed vendor
2014-01-23 vendor opens MSRC case 16790
... no more reaction from vendor
2014
| the executable path in lpCommandLine, as shown in the example below.
Long filenames were introduced 20 years ago, but M$FT's developers still
can't handle them properly, and their QA is unable to detect such silly
and trivial-to-spot bugs!
regards
Stefan Kanthak
PS: yes, it needs
not sure why you brought UAC into the discussion - did I miss
something? or was it just an argument you've heard before and wanted
to reply to it preventively?)
Cheers!
regards
Stefan
On Fri, Jul 25, 2014 at 2:50 PM, Stefan Kanthak stefan.kant...@nexgo.de
wrote:
Gynvael Coldwind wrote
them properly.
If you detect such silly beginners errors: report them and get them fixed.
If the vendor does not fix them: trash the trash!
regards
Stefan Kanthak
PS: for static detection of these silly beginners errors download and
run http://home.arcor.de/skanthak/download/SLOPPY.CMD
and upgrade
to Windows Live Mail 2012 ASAP!
regards
Stefan Kanthak
PS: the associations for .eml and .nws DON'T show this beginners error:
WindowsLiveMail.Email.1=C:\Program Files (x86)\Windows
Live\Mail\wlmail.exe /eml:%1
WindowsLiveMail.News.1=C:\Program Files (x86)\Windows
Live\Mail
, Protected Administrator should be considered the equivalent
| of Administrator.
regards
Stefan Kanthak
4.6.1.0
regards
Stefan Kanthak
PS: the obvious and trivial fix: edit the 2 erroneous command lines and
add the missing quotes. But don't forget to fix them after every update
of Apple's crap for Windows.
://www.howsmyssl.com/,
https://www.ssllabs.com/ssltest/viewMyClient.html or
https://cc.dcsec.uni-hannover.de/ with Internet Explorer 8 and
later after the reboot.
have fun
Stefan Kanthak
JFTR: IPsec is able to use perfect forward secrecy for MANY years,
see http://support.microsoft.com/kb/252735
to
develop a sense for safety and security:
stay away from their (Windows) software!
regards
Stefan Kanthak
Timeline:
~
2014-06-06 informed vendor
2014-06-06 vendor sent automated response
... no more reaction
2014-07-03 requested status
... no answer
Google Chrome 39.
regards
Stefan Kanthak
PS: To catch all instances of this beginners error download
http://home.arcor.de/skanthak/download/SENTINEL.CMD,
http://home.arcor.de/skanthak/download/SENTINEL.DLL,
http://home.arcor.de/skanthak/download/SENTINEL.EXE and
http
in Windows 8.1) to dump offline registry hives and to detect errors
and inconsistencies in key names, value names and value data.
regards
Stefan Kanthak
^Wadministrator BEWARE!
regards
Stefan Kanthak
JFTR: unfortunately there don't exist registry entries like those
for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11
to generally block the offering/installation of Silverlight
or Microsoft Security Essentials per Windows Update
AppInit_DLLs are only supported on Windows NT
(see https://support.microsoft.com/kb/134655) a braindead
developer chose not to use a REG_MULTI_SZ value (avoiding
the need to interpret spaces as separator and thus supporting
long filenames).
have fun
Stefan Kanthak
://support.microsoft.com/kb/2500212,
https://support.microsoft.com/kb/2565057 and
https://support.microsoft.com/kb/2565063),
which updates the MSVCRT (including header files etc.) to version
10.0.40219.325.
regards
Stefan Kanthak
/Oracle Java 6.x and thus installed on many user systems is
a good trampoline for attacks.
There is ABSOLUTELY no justification for Apple or any other
developer to ship VULNERABLE components at all!
regards
Stefan Kanthak
On Sat, Jan 31, 2015 at 10:11 AM, Stefan Kanthak
Stefan Kanthak
dir\program.exe name
c:\program files\sub dir\program name.exe
JFTR: without this transformation splitting of the command line
into the argv vector would give wrong results ... in
presence of CreateProcess*() braindead behaviour!
Stay tuned!
regards
Stefan Kanthak
PS
when notified
over and over again!
Defense in depth?
Nope!
Software engineering?
Nope!
BRAINDEAD behaviour of Windows CreateProcess*() functions?
Yes, of course, always!
Taking care of the safety and security of their customers' systems?
Nope!
stay tuned (and far away from crapware!)
Stefan
. the pathname of the found executable gets quoted if it contains
a space.
The documentation of the function GetCommandLine()
https://msdn.microsoft.com/en-us/library/ms683156.aspx
but misses this completely!
Stay tuned!
regards
Stefan Kanthak
['] as soon as a name contains a single
[*] without
dissecting its *.MSI files.
Until Apple's developers, their QA and their managers start to
develop a sense for their customers' safety and security and
due diligence: stay away from Apple's (Windows) software!
stay tuned
Stefan Kanthak
[*] https://cwe.mitre.org/data/definitions/428.html
software!
Stefan Kanthak
and) Thunderbird and subject to the
restrictions imposed by these programs for non-XUL/chrome Javascript.
Mitigation(s):
~~
Disable profile local installation of extensions in Mozilla products,
enable ONLY application global installation of extensions.
stay tuned
Stefan Kanthak
://seclists.org/fulldisclosure/2009/Sep/0
JFTR: Windows Vista and later include NEWER versions of these DLLs,
there is absolutely no need to redistribute an ancient version
in your product at all (especially after Windows XP and 2003
have reached end-of-life)!
stay tuned
Stefan Kanthak
xe" name
| "c:\program files\sub dir\program name.exe"
Neither the 4 other possibilities:
"C:\Program" files\sub dir\program name
"C:\Program files\sub" dir\program name
"C:\Program files\sub dir\program" name
Lee "cant afford a surname" wrote:
> Haifei Li, changing the default behavior to open a window asking the
> user where to save the file would change nothing. A "normal user"
> would just click the "save" button to save the file in the default
> folder. I also don't think
"Shawn McMahon" sybergh...@gmail.com wrote:
> On Mon, Oct 5, 2015 at 8:16 AM, Stefan Kanthak <stefan.kant...@nexgo.de>
> wrote:
>
>>
>> That's why giving unsuspecting users *.EXE to install a software package
>> or to unpack an archive and thus train
"Gynvael Coldwind" wrote:
> Correct me if I'm wrong, but the vulnerability can be summarized as: if you
> run an untrusted .exe you might execute malicious code?
Amen!
> I hardly see this as giving anything new to the attacker who can just
> create a malicious exe file,
"Haifei Li" wrote:
> This is a copied version of my blog post, original version
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.
> Probably it's commonly known that when you try to download
> something on your modern browser e.g.
extracting installers which unpack their
payload to %TEMP%; but these are flawed per concept too!
If you need to support such crap, consider removing the USER
environment variables %TEMP% and %TMP% of the administrator
account. The administrat
ations with Windows 10:
see <http://home.arcor.de/skanthak/download/W10_PATH.INF> for the
about 2000 registry entries with unqualified pathnames found in the
image of the professional edition in the \sources\install.wim
stay tuned
Stefan Kanthak
[*] see <http://home.arcor.de/skanthak/downlo
ator account that allows you to set up
| your computer and install any programs that you'd like to use. Once
| you finish setting up your computer, we recommend that you create a
| standard account and use it for your everyday computing. If you create
| new user accounts, you should also ma
snt work at
all in standard user accounts when UAC is set to "never elevate".
This is another clear violation of Microsoft's own UX guidelines!
stay tuned
Stefan Kanthak
PS: the script <http://home.arcor.de/skanthak/download/UAC.INF> adds
this and several other mis
directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
or <https://books.
home.arcor.de/skanthak/safer.html> and/or
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
or <https://books.google.de/books?isbn=1437914926> and finally
": Windows
doesn't place executables in these directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf
disclosure/2015/Nov/101> titled
Mitigations for "carpet bombing" alias "directory poisoning" attacks against
executable installers.
Nmap-7.01 and WinPcap-Nmap-4.13 have been released and fix these
vulnerabilities.
stay tuned
Stefan Kanthak
bilities see Intel's Security Bulletin published today:
<https://service.mcafee.com/FAQDocument.aspx?lc=1033=TS102462>
stay tuned
Stefan Kanthak
ownloads"
directory;
4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll
and/or RichEd20.dll placed in step 1.
stay tuned
Stefan Kanthak
Timeline:
~
2015-11-15 vulnerability report sent to vendor
2015-11-16 vendor acknowledges receipt
2015-11-17 vend
d be
dumped.
Kaspersky Lab published a security advisory 2015-12-23
<https://support.kaspersky.com/vulnerability.aspx?el=12430#231215>
after they made updated versions of their utilities available on
<https://support.kaspersky.com/viruses/utility>
stay tuned
Stefan Kanthak
()
with <https://support.microsoft.com/en-us/kb/2533623> which but
seems largely unknown to almost all developers of executable
installers and self-extractors.
JFTR: until now I only found one executable installer that was not
susceptible to DLL hijacking. It but uses an unsafe temp
rom step 1 into "%TEMP%\Agent",
then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll,
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll
and OLEAcc.dll there;
7. execute "%TEMP%\Agent\TisEZIns.exe";
8. notice the message boxes displayed from
ure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details and why
executable
<http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
or <https://books.google.de/books?isbn=1437914926>
ed a security advisory
<https://www.f-secure.com/en/web/labs_global/fsc-2015-4>
and made an updated version of their online scanner available on
<https://www.f-secure.com/en/web/home_global/online-scanner>
CAVEAT: F-Secure's fix works only on Windows Vista and newer versions;
th
"Shawn McMahon" <sybergh...@gmail.com> wrote:
> On Wed, Dec 23, 2015 at 7:13 AM, Stefan Kanthak <stefan.kant...@nexgo.de>
> wrote:
>
>> Hi @ll,
>>
>> F-Secure's online virus scanner F-SecureOnlineScanner.exe, available
>> via <https://www
"Sarah Allen" wrote:
> TrueCrypt ceased development back in 2014.
Which but does not mean/imply that everybody abandons TrueCrypt.
> Please refer to the below link to migrate to an alternative
> (BitLocker) from TrueCrypt.
> http://truecrypt.sourceforge.net/
STOP
ain! NOT!
Mitigation(s):
~~
Deny execution in the "%USERPROFILE%" of every user plus
"%ALLUSERSPROFILE%" alias "%ProgramData%"
* via the inheritable NTFS ACE (D;OIIO;WP;;;WD) meaning
"deny execution of files in this directory and below for
everyo
nerable executable installers!
PWNED!
Mitigation(s):
~~
0. don't use executable installers. DUMP THEM, NOW!
1. see <http://home.arcor.de/skanthak/!execute.html> as well as
<http://home.arcor.de/skanthak/SAFER.html>.
2. stay away from Mozilla's vulnerable instal
web site and save them in your "Downloads" directory;
3. run the (un)installers downloaded in step 2 and notice the message
boxes displayed from the DLLs placed in step 1.
PWNED!
JFTR: since the (un)installers are 32-bit programs and (un)install
both the 32-bit and 64-bit versio
" alias %ProgramData%" and "%PUBLIC%": Windows
doesn't place executables in these directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_file
"Michel Arboi" <michel.ar...@gmail.com> wrote:
> On 11 January 2016 at 15:37, Stefan Kanthak <stefan.kant...@nexgo.de> wrote:
>> Which but does not mean/imply that everybody abandons TrueCrypt.
>
> The project has been abruptly killed by the developers wit
Mitigation:
~~~
use SAFER alias Software Restriction Policies and deny execution
everywhere except %SystemRoot% and below and %ProgramFiles% and
below.
See <http://home.arcor.de/skanthak/SAFER.html> and/or
<http://mechbgon.com/srp/index.html> for ins
ork/topics/security/cpujan2016-2367955.html>
stay tuned
Stefan Kanthak
ution of the
DLLs therefore results in an escalation of privilege!
See <http://seclists.org/fulldisclosure/2015/Nov/101>
and <http://seclists.org/fulldisclosure/2015/Dec/86>
plus <http://seclists.org/fulldisclosure/2015/Dec/121>
for more details.
RARLabs publ
rary/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:
| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location is
| constant.
regards
Stefan K
": Windows
doesn't place executables in these directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_wh
tp://seclists.org/fulldisclosure/2015/Dec/33> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S err
"Securify B.V." wrote:
>
> Windows Mail Find People DLL side loading vulnerability
>
> Yorick Koster, September 2015
[...]
> - CVE-2016-0100
> -
<http://seclists.org/fulldisclosure/2015/Dec/32> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!
stay tuned
Stefan Kanthak
Timeline:
~
2015-12-24se
lp ntmarta ntshrui cscapi slc windowscodecs
apphelp mpr userenv schannel credssp secur32 gpapi samcli) Do
MkLink /H
"%TEMP%\{1C2DF59B-0172-4ECB-9A25-7597A4A26A96}\%%!.dll" "%~dpn0.dll"
--- EOF ---
4. run the batch script per double-click: it starts the downloaded
ns of this vulnerable
executable installer for Firefox and Firefox ESR.
See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
why you should NEVER name any executable (installer) setup.exe!
stay tuned
Stefan Kanthak
PS: Mozilla fixed the same vulnerabilities in their executable self-
to your own host with UNC paths to
any host reachable from your network where you placed some
malicious DLLs to get pwned instead.
5. Execute the downloaded installers.
PWNED!
6. Add the element from poc#5 to achieve remote code
execution with (user-assisted) escalation of privilege.
7. Execute the downloaded installers.
PWNED²!
stay tuned
Stefan Kanthak
(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
<https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
stay tuned
Stefan Kanthak
[*]
ey load(ed) and execute(d) later with elevated privileges.
An unprivileged user can/could overwrite both files between creation
and execution and gain elevation of privilege.
See <https://cwe.mitre.org/data/definitions/379.html> for this type
of well-known and well-documented vulnerability!
brary/security/MS16-041> and
<https://www.securify.nl/advisory/SFY20160201/_net_framework_4_6_allows_side_loading_of_windows_api_set_dll.html>
for a similar vulnerability.
stay tuned
Stefan Kanthak
Timeline:
~
2016-06-01 sent vulnerability report to vendor plus US-CERT
sage boxes
displayed from the *.COM.
PWNED!
Mitigations:
* Don't use executable installers!
* Don't use crapware which runs executables from unsafe
directories like %TEMP%!
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
<https://msdn.mic
ml> or
<http://home.arcor.de/skanthak/SAFER.html> alias
<https://skanthak.homepage.t-online.de/SAFER.html> for more
information.
* Stay FAR away from so-called "security" products!
See (for example)
<http://robert.ocallahan.org/2017/01/disable-your-antivirus-software
arcor.de/skanthak/verifier.html> alias
<https://skanthak.homepage.t-online.de/verifier.html>
JFTR: <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
was referred in <http://seclists.org/bugtraq/2016/Jan/105>
In short: setup.exe lets Windows load some app-compat shims.
information.
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories"
n.microsoft.com/en-us/library/ms682425.aspx#Security_Remarks>
JFTR: Microsoft introduced "long" filenames more than 20 years ago.
Stay away from the crapware shipped with Fujitsu's scanners!
stay tuned
Stefan Kanthak
Timeline:
~
2017-01-28 vulnerability report sent to vendor
sage boxes displayed from the DLLs and EXE placed in
"%TEMP%\RarSFX0\" by POC.CMD
PWNED!
Mitigations:
* Don't use executable installers! NEVER!
* Don't use crapware which runs executables from unsafe
directories like %TEMP%!
* Add an ACE "(D;OIIO;WP;;;WD)" to
rol\Session
Manager\KnownDLLs]
"Version"="Version.Dll"
* embed the following "application manifest" in your executables:
CAVEAT: the loadFrom attribute of the file element is not documented!
stay tuned
Stefan Kanthak
Timeline:
~
2016-09-0
84 860 dec Setup SelfUpdate handler update NOT
required: Current version: 7.6.7600.320, required version:
7.6.7600.320
See <http://home.arcor.de/skanthak/slipstream.html> for instructions
for a fix and some more information!
stay tuned
Stefan Kanthak
[°] since this happens during the
bit forwarder DLLs are loaded in the 64-bit
process and that their exports/forwards are processed properly!
Their DllMain() entry points are but NOT called (if they were
you'd see some message boxes)!
stay tuned
Stefan Kanthak
PS: the test whether 64-bit forwarder DLLs placed in %windir% are
ry" (which is writable for everyone) too.
And one more:
6. the OpenSSL libraries shipped are from version 1.0.2d and have
multiple vulnerabilities which have been fixed in version 1.0.2j.
stay tuned
Stefan Kanthak
Timeline:
~
2016-08-29 vulnerability report sent to vendor
during Windows
setup which use the same "%TEMP%" for unprivileged and privileged
processes!
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of
ted during Windows
setup which use the same "%TEMP%" for unprivileged and privileged
processes!
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny executi
OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
stay tuned
Stefan Kanthak
}
// the return value is only used for PROCESS_CREATION_QUERY,
// all other conditions are ignored
return ntStatus;
}
--- EOF ---
stay tuned
Stefan Kanthak
Timeline:
~
2017-03-10 sent vulnerability report to vendor
2017-03-10 reply from vendor: MSRC case 37727 opened
20
an
"Application Verifier Provider" which performs the missing checks.
stay tuned
Stefan Kanthak
[°] introduced with Windows XP some 16 years ago, available via
<https://www.microsoft.com/en-us/download/details.aspx?id=20028>
as stand-alone package then, later distributed
.html>,
read it and get the prebuilt DLLs plus their .INF setup script,
packaged in a .CAB archive.
enjoy
Stefan Kanthak
the VERSIONINFO resource is 0x,
despite the english only strings
"This installation was built with Inno Setup." in "Comments",
"Inno Setup Setup" in "FileDescription" etc.
7. the timestamp in the PE header of innosetup-5.5.9.exe is
0x2A425E19, which
;This installation was built with Inno Setup." in
"Comments", "PuTTY Setup" in "FileDescription" and "Release 0.68"
in "FileVersion".
7. the timestamp in the PE header of putty-0.68-installer.exe is
0x2A425E19, which is "
" in the NTFS file system:
allow execution only below %SystemRoot% and %ProgramFiles% and
deny it everywhere else.
See <http://mechbgon.com/srp/index.html> or
<http://home.arcor.de/skanthak/SAFER.html> alias
<https://skanthak.homepage.t-online.de/SAFER.html> f
processes-with-uac-on-windows-vista-sp1/
>
<https://blogs.msdn.microsoft.com/cjacks/2008/07/22/per-user-com-registrations-and-elevated-processes-with-uac-on-windows-vista-sp1-part-2-ole-automation/>
Mitigations:
~~~~
* dump .NET Framework and all applications that use it!
* dump UAC!
*
ing
"deny execution of files in this directory and all subdirectories"
to the NTFS ACL of every %TEMP% directory!
JFTR: when execution in %TEMP% is denied, the defective
installer displays a dialog box with the blatant lie
"QSync is running.
Click [OK] to
ecurity/2269637> and
<https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
* also see <https://skanthak.homepage.t-online.de/verifier.html>
and <https://skanthak.homepage.t-online.de/!execute.html>
stay tuned
Stefan Kanthak
Timeline:
~
2017-05-1
/sentinel.html>,
then download
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
and save it in an arbitrary directory;
2. save the following batch script in the same directory:
--- IIF.CMD ---
:WAIT
@If Not Exist "%TEMP%\IIF.tmp"
port Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.
Mitigations:
* Don't build executable installers, they are almost always vulnerable!
Create native installation packages
F specification:
| Import Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.
Mitigations:
~~~~
* Don't build executable installers, they are almost always vulnerable!
Create native inst
uses the same insecure procedure
~
Once installed, Kaspersky Privacy Cleaner checks for updates just
like CleanerSetup.exe via insecure channel, downloads them via
insecure channel, performs no integrity checks, ...
stay tuned
Ste
this guide, available for example from
<http://www.ii.uib.no/~osvik/amd_opt/22007k.pdf> or
<https://en.wikichip.org/w/images/5/5f/AMD_Athlon_Processor_x86_Code_Optimization_Guide.pdf>,
show this bug only in the _llrem routine!
stay tuned
Stefan Kanthak
(via <http://www.office.com/backup>)
from <https://go.microsoft.com/fwlink/p/?LinkID=403713>
3. notice the message boxes displayed from the DLLs saved in
%TEMP%!
stay tuned
Stefan Kanthak
PS: be sure to read
<https://portal.msrc.microsoft.com/en-US/security-guidance/a
ERROR_SXS_CANT_GEN_ACTCTX
Replacing US-ASCII with UTF-7, ISO-8859-1, Windows-1252 or any
other valid XML encoding except UTF-8 yields the same result.
stay tuned
Stefan Kanthak
dword:0001
"BlockNetFramework461"=dword:0001
"BlockNetFramework462"=dword:0001
"BlockNetFramework47"=dword:0001
"BlockNetFramework471"=dword:0001
--- EOF ---
To block earlier versions, see the MSKB articles
<https://support.microsoft.com/
logs.technet.microsoft.com/srd/2014/05/13/load-library-safely/>
... which their own developers and their QA but seem to ignore!
See <https://bugs.chromium.org/p/project-zero/issues/detail?id=440>
for the same vulnerability in another Microsoft product!
stay tuned
Stefan Kanthak
Timeline: