Re: [FD] Executable installers are vulnerable^WEVIL (case 15): F-SecureOnlineScanner.exe allows arbitrary (remote) code execution and escalation of privilege

2015-12-26 Thread Stefan Kanthak
"Shawn McMahon" <sybergh...@gmail.com> wrote: > On Wed, Dec 23, 2015 at 7:13 AM, Stefan Kanthak <stefan.kant...@nexgo.de> > wrote: > >> Hi @ll, >> >> F-Secure's online virus scanner F-SecureOnlineScanner.exe, available >> via <https://www

[FD] Executable installers are vulnerable^WEVIL (case 15): F-SecureOnlineScanner.exe allows arbitrary (remote) code execution and escalation of privilege

2015-12-23 Thread Stefan Kanthak
ed a security advisory <https://www.f-secure.com/en/web/labs_global/fsc-2015-4> and made an updated version of their online scanner available on <https://www.f-secure.com/en/web/home_global/online-scanner> CAVEAT: F-Secure's fix works only on Windows Vista and newer versions; th

[FD] Executable installers are vulnerable^WEVIL (case 13): ESET NOD32 antivirus installer allows remote code execution with escalation of privilege

2015-12-21 Thread Stefan Kanthak
<http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.google.de/books?isbn=1437914926>

[FD] Executable uninstallers are vulnerable^WEVIL (case 12): Avira Registry Cleaner allows arbitrary code execution with escalation of privilege

2015-12-17 Thread Stefan Kanthak
ownloads" directory; 4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll and/or RichEd20.dll placed in step 1. stay tuned Stefan Kanthak Timeline: ~ 2015-11-15 vulnerability report sent to vendor 2015-11-16 vendor acknowledges receipt 2015-11-17 vend

[FD] Executable installers are vulnerable^WEVIL (case 11): Nmap <7.01 and Nmap-WinPcap <4.13

2015-12-16 Thread Stefan Kanthak
disclosure/2015/Nov/101> titled Mitigations for "carpet bombing" alias "directory poisoning" attacks against executable installers. Nmap-7.01 and WinPcap-Nmap-4.13 have been released and fix these vulnerabilities. stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 10): McAfee Security Scan Plus, WebAdvisor and CloudAV (Beta)

2015-12-16 Thread Stefan Kanthak
bilities see Intel's Security Bulletin published today: <https://service.mcafee.com/FAQDocument.aspx?lc=1033=TS102462> stay tuned Stefan Kanthak ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege

2015-12-09 Thread Stefan Kanthak
directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.

[FD] Executable installers are vulnerable^WEVIL (case 5): JRSoft InnoSetup

2015-12-09 Thread Stefan Kanthak
home.arcor.de/skanthak/safer.html> and/or <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.google.de/books?isbn=1437914926> and finally

[FD] Executable installers are vulnerable^WEVIL (case 9): Chrome's setup.exe allows arbitrary code execution and escalation of privilege

2015-12-09 Thread Stefan Kanthak
": Windows doesn't place executables in these directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

[FD] Defense in depth -- the Microsoft way (part 36): CWE-428 or fun with unquoted paths

2015-11-15 Thread Stefan Kanthak
xe" name | "c:\program files\sub dir\program name.exe" Neither the 4 other possibilities: "C:\Program" files\sub dir\program name "C:\Program files\sub" dir\program name "C:\Program files\sub dir\program" name

[FD] Mozilla extensions: a security nightmare (part 2)

2015-10-13 Thread Stefan Kanthak
extracting installers which unpack their payload to %TEMP%; but these are flawed per concept too! If you need to support such crap, consider removing the USER environment variables %TEMP% and %TMP% of the administrator account. The administrat

Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability

2015-10-10 Thread Stefan Kanthak
"Shawn McMahon" sybergh...@gmail.com wrote: > On Mon, Oct 5, 2015 at 8:16 AM, Stefan Kanthak <stefan.kant...@nexgo.de> > wrote: > >> >> That's why giving unsuspecting users *.EXE to install a software package >> or to unpack an archive and thus train

Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

2015-10-08 Thread Stefan Kanthak
Lee "cant afford a surname" wrote: > Haifei Li, changing the default behavior to open a window asking the > user where to save the file would change nothing. A "normal user" > would just click the "save" button to save the file in the default > folder. I also don't think

Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability

2015-10-05 Thread Stefan Kanthak
"Gynvael Coldwind" wrote: > Correct me if I'm wrong, but the vulnerability can be summarized as: if you > run an untrusted .exe you might execute malicious code? Amen! > I hardly see this as giving anything new to the attacker who can just > create a malicious exe file,

Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

2015-10-05 Thread Stefan Kanthak
"Haifei Li" wrote: > This is a copied version of my blog post, original version > http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html. > Probably it's commonly known that when you try to download > something on your modern browser e.g.

[FD] Defense in depth -- the Microsoft way (part 35): Windows Explorer ignores "Run as administrator" ...

2015-09-21 Thread Stefan Kanthak
snt work at all in standard user accounts when UAC is set to "never elevate". This is another clear violation of Microsoft's own UX guidelines! stay tuned Stefan Kanthak PS: the script <http://home.arcor.de/skanthak/download/UAC.INF> adds this and several other mis

[FD] Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe

2015-09-11 Thread Stefan Kanthak
ator account that allows you to set up | your computer and install any programs that you'd like to use. Once | you finish setting up your computer, we recommend that you create a | standard account and use it for your everyday computing. If you create | new user accounts, you should also ma

[FD] Defense in depth -- the Microsoft way (part 34): our developers and our QA still ignore our own security recommendations

2015-09-10 Thread Stefan Kanthak
ations with Windows 10: see <http://home.arcor.de/skanthak/download/W10_PATH.INF> for the about 2000 registry entries with unqualified pathnames found in the image of the professional edition in the \sources\install.wim stay tuned Stefan Kanthak [*] see <http://home.arcor.de/skanthak/downlo

[FD] Vulnerable MSVC++ runtime distributed with LibreOffice 5.0.0 for Windows

2015-08-06 Thread Stefan Kanthak
://seclists.org/fulldisclosure/2009/Sep/0 JFTR: Windows Vista and later include NEWER versions of these DLLs, there is absolutely no need to redistribute an ancient version in your product at all (especially after Windows XP and 2003 have reached end-of-life)! stay tuned Stefan Kanthak

[FD] Mozilla extensions: a security nightmare

2015-08-05 Thread Stefan Kanthak
and) Thunderbird and subject to the restrictions imposed by these programs for non-XUL/chrome Javascript. Mitigation(s): ~~ Disable profile local installation of extensions in Mozilla products, enable ONLY application global installation of extensions. stay tuned Stefan Kanthak

[FD] iTunes 12.2 and QuickTime 7.7.7 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-07-01 Thread Stefan Kanthak
software! Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 30): on exploitable Win32 functions

2015-03-16 Thread Stefan Kanthak
when notified over and over again! Defense in depth? Nope! Software engineering? Nope! BRAINDEAD behaviour of Windows CreateProcess*() functions? Yes, of course, always! Taking care of the safety and security of their customers' systems? Nope! stay tuned (and far away from crapware!) Stefan

[FD] Defense in depth -- the Microsoft way (part 29): contradicting, ambiguous, incomplete documentation

2015-02-21 Thread Stefan Kanthak
. the pathname of the found executable gets quoted if it contains a space. The documentation of the function GetCommandLine() <https://msdn.microsoft.com/en-us/library/ms683156.aspx> misses this completely, though! Stay tuned! regards Stefan Kanthak ['] as soon as a name contains a single

[FD] iTunes 12.1.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-02-21 Thread Stefan Kanthak
[*] without dissecting its *.MSI files. Until Apple's developers, their QA and their managers start to develop a sense for their customers' safety and security and due diligence: stay away from Apple's (Windows) software! stay tuned Stefan Kanthak [*] https://cwe.mitre.org/data/definitions/428.html

[FD] [ANN] MSKB 3004375 available for Windows 2000 and later too (but NOT from Microsoft)

2015-02-11 Thread Stefan Kanthak
Stefan Kanthak

Re: [FD] iTunes 12.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-02-02 Thread Stefan Kanthak
/Oracle Java 6.x and thus installed on many user systems is a good trampoline for attacks. There is ABSOLUTELY no justification for Apple or any other developer to ship VULNERABLE components at all! regards Stefan Kanthak On Sat, Jan 31, 2015 at 10:11 AM, Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 27): the command line you get differs from the command line I use to call you

2015-01-31 Thread Stefan Kanthak
dir\program.exe name c:\program files\sub dir\program name.exe JFTR: without this transformation splitting of the command line into the argv vector would give wrong results ... in presence of CreateProcess*() braindead behaviour! Stay tuned! regards Stefan Kanthak PS

[FD] Defense in depth -- the Microsoft way (part 24): applications built with SDKs may be vulnerable

2014-12-22 Thread Stefan Kanthak
://support.microsoft.com/kb/2500212, https://support.microsoft.com/kb/2565057 and https://support.microsoft.com/kb/2565063), which updates the MSVCRT (including header files etc.) to version 10.0.40219.325. regards Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 23): two quotes or not to quote...

2014-12-15 Thread Stefan Kanthak
AppInit_DLLs are only supported on Windows NT (see https://support.microsoft.com/kb/134655) a braindead developer chose not to use a REG_MULTI_SZ value (avoiding the need to interpret spaces as separator and thus supporting long filenames). have fun Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 21): errors/inconsistencies in Windows registry data may lead to buffer overflows or use of random data

2014-11-25 Thread Stefan Kanthak
in Windows 8.1) to dump offline registry hives and to detect errors and inconsistencies in key names, value names and value data. regards Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 20): Microsoft Update may fail to offer current security updates

2014-11-25 Thread Stefan Kanthak
^Wadministrator BEWARE! regards Stefan Kanthak JFTR: unfortunately there don't exist registry entries like those for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11 to generally block the offering/installation of Silverlight or Microsoft Security Essentials per Windows Update

[FD] Beginners error: Google update runs rogue programs %USERPROFILE%\Local.exe, %USERPROFILE%\Local Settings\Application.exe, %SystemDrive%\Documents.exe, %SystemDrive%\Program.exe, ...

2014-11-20 Thread Stefan Kanthak
Google Chrome 39. regards Stefan Kanthak PS: To catch all instances of this beginners error download http://home.arcor.de/skanthak/download/SENTINEL.CMD, http://home.arcor.de/skanthak/download/SENTINEL.DLL, http://home.arcor.de/skanthak/download/SENTINEL.EXE and http

[FD] iTunes 12.0.1 for Windows: still COMPLETELY outdated and VULNERABLE 3rd party libraries

2014-10-24 Thread Stefan Kanthak
to develop a sense for safety and security: stay away from their (Windows) software! regards Stefan Kanthak Timeline: ~ 2014-06-06 informed vendor 2014-06-06 vendor sent automated response ... no more reaction 2014-07-03 requested status ... no answer

[FD] Defense in depth -- the Microsoft way (part 19): still no perfect forward secrecy per default in Windows 8/7/Vista/Server 2012/Server 2008 [R2]

2014-09-06 Thread Stefan Kanthak
://www.howsmyssl.com/, https://www.ssllabs.com/ssltest/viewMyClient.html or https://cc.dcsec.uni-hannover.de/ with Internet Explorer 8 and later after the reboot. have fun Stefan Kanthak JFTR: IPsec is able to use perfect forward secrecy for MANY years, see http://support.microsoft.com/kb/252735

[FD] Beginners error: Windows Live Mail 2011 runs rogue C:\Program.exe when opening associated URLs

2014-08-16 Thread Stefan Kanthak
and upgrade to Windows Live Mail 2012 ASAP! regards Stefan Kanthak PS: the associations for .eml and .nws DON'T show this beginners error: WindowsLiveMail.Email.1=C:\Program Files (x86)\Windows Live\Mail\wlmail.exe /eml:%1 WindowsLiveMail.News.1=C:\Program Files (x86)\Windows Live\Mail

[FD] Beginners error: Apple's Software Update runs rogue program C:\Program.exe (and some more)

2014-08-16 Thread Stefan Kanthak
, Protected Administrator should be considered the equivalent | of Administrator. regards Stefan Kanthak

[FD] Beginners error: Apple's iCloudServices for Windows run rogue program C:\Program.exe (and some more)

2014-08-16 Thread Stefan Kanthak
4.6.1.0 regards Stefan Kanthak PS: the obvious and trivial fix: edit the 2 erroneous command lines and add the missing quotes. But don't forget to fix them after every update of Apple's crap for Windows.

[FD] Beginners error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files

2014-08-12 Thread Stefan Kanthak
them properly. If you detect such silly beginners errors: report them and get them fixed. If the vendor does not fix them: trash the trash! regards Stefan Kanthak PS: for static detection of these silly beginners errors download and run http://home.arcor.de/skanthak/download/SLOPPY.CMD

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-26 Thread Stefan Kanthak
not sure why did you bring UAC into the discussion - did I miss something? or was it just an argument you've heard before and wanted to reply to it preventively?) Cheers! regards Stefan On Fri, Jul 25, 2014 at 2:50 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Gynvael Coldwind wrote

[FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-24 Thread Stefan Kanthak
| the executable path in lpCommandLine, as shown in the example below. Long filenames were introduced 20 years ago, but M$FT's developers still can't handle them properly, and their QA is unable to detect such silly and trivial to spot bugs! regards Stefan Kanthak PS: yes, it needs

[FD] Defense in depth -- the Microsoft way (part 17): even a one-line script is vulnerable

2014-06-25 Thread Stefan Kanthak
which evaluate PATH, i.e. CreateProcess(), ShellExecute(), CMD.EXE, ... MUST be specified with their fully qualified pathname. regards Stefan Kanthak Timeline: ~ 2014-01-23 informed vendor 2014-01-23 vendor opens MSRC case 16790 ... no more reaction from vendor 2014

[FD] Beginners error: Synaptics touchpad driver delivered via Windows Update executes rogue program C:\Program.exe with system privileges during installation

2014-05-08 Thread Stefan Kanthak
security response team the vulnerable driver was pulled from Windows Update. Unfortunately (or should I write: of course) the drivers offered on Synaptics web site have this silly bug too! regards Stefan Kanthak PS: the following lines of the SYNPD.INF show the same silly bug: | HKLM,Software

Re: [FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

2014-05-01 Thread Stefan Kanthak
and http://seclists.org/fulldisclosure/2013/May/37 for just the tip of the iceberg). navigare^Wsoftware engineering necesse est! regards Stefan Kanthak

[FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

2014-04-30 Thread Stefan Kanthak
rights every user owning such an account can create the rogue program, resulting in a privilege escalation. JFTR: no, the user account control is not a security boundary! regards Stefan Kanthak PS: for static detection of these silly beginners errors download and run http://home.arcor.de

[FD] Buggy insecure security software executes rogue binary during installation and uninstallation

2014-04-16 Thread Stefan Kanthak
\ Au_.exe in turn called Windows' CreateProcess() function with the (you guess it) UNQUOTED command line C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver which again led to execution of C:\Program.exe regards Stefan Kanthak