
Full Disclosure mailing list archives
Re: DLL hijacking with Autorun on a USB drive
From: Charles Morris <cmorris () cs odu edu>
Date: Wed, 1 Sep 2010 08:29:44 -0400
On Tue, Aug 31, 2010 at 7:03 PM, Dan Kaminsky <dan () doxpara com> wrote:
> On Aug 31, 2010, at 2:20 PM, Charles Morris <cmorris () cs odu edu> wrote:
>
>> On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky <dan () doxpara com> wrote:
>>
>>> Again, the clicker can't differentiate word (the document) from word (the executable). The clicker also can't differentiate word (the document) from word (the code equivalent script). The security model people keep presuming exists, doesn't. Even the situation whereby a dll is dropped into a directory of documents -- the closest to a real exploit path there is -- all those docs can be repacked into executables.
>>
>> What? I can differentiate my coolProposal.doc from msword.exe just fine..
>
> Uh huh. Here, let me go ahead and create 2010 Quarterly Numbers.ppt.exe with a changed icon, and see what you notice.
Mr. Szabo has already slapped your wrist for such undeserved arrogance. And yeah, I find it a joke that you think that ".ppt.exe" isn't pretty damn obvious. I might have fallen for that when I was 9, but I haven't had a problem with a windows box in years. I will admit, at 3AM when I've been working for 18 hours and awake for 36, it is possible that I may double-click such a malicious file and then immediately think "OH shit" and rebuild.

I know what we can do, we can repackage the "Hey watch out for badguys masquerading as innocent files" that everybody already knows about, contact CERT and negotiate a fix between major vendors (Hey this isn't just a MS vulnerability right??), then give a talk at blackhat to establish our fame, but now that I think about it.. that would be rude to the people who have been complaining about this since 1999.
If your statement is that the windows defaults should be changed, including the "hide extensions" default, then I wholeheartedly agree as I detailed in my first post. It's the first thing I turn off. Many people who think the same way have considered that a vulnerability in windows for years, I wouldn't consider it part of the "DLL Hijacking" fiasco.

> Imagine if the browser lock meant arbitrary code could run. I find your faith in small collections of pixels hilarious.
Imagine if the keyboard LED meant arbitrary code could run!! What? I don't even understand what you are getting at. This has nothing to do with faith in icons. My statement was that windows defaults arguably represent a vulnerability in the GUI by making "proposal.doc" indistinguishable from "proposal.doc.exe with a crafted icon", when you are encouraged to double-click the icons through the GUI, and when "doc" files are supposed to be innocent to open. I was also stating the fact that this vulnerability should be addressed outside of the scope of the "DLL Hijacking" mess.

Cheers,
Charles
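To put the hidden-extensions point in defender's terms, here is an added example (not part of the thread) that shows what Explorer displays for a name like proposal.doc.exe under the default setting, flags document-looking double extensions in a constructed drive listing, and reads the HideFileExt registry value when run on Windows; the extension lists are my assumptions.

```python
from pathlib import PurePath
from typing import List, Optional

# Constructed lists for this example: extensions a user expects to be "innocent to
# open", and extensions Windows runs on double-click.
DOCUMENT_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".pdf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def explorer_display_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Approximate what Explorer shows: with 'Hide extensions for known file types'
    on (the Windows default) only the final extension is dropped, so
    'proposal.doc.exe' is displayed as 'proposal.doc'."""
    suffix = PurePath(filename).suffix
    if not hide_known_extensions or not suffix:
        return filename
    return filename[: -len(suffix)]

def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the one a user with
    hidden extensions sees looks like a document, e.g. 'Numbers.ppt.exe'."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)

def flag_disguised(filenames: List[str]) -> List[str]:
    """Names in a listing that use the document-looking double extension."""
    return [name for name in filenames if is_disguised_executable(name)]

def hide_file_ext_enabled() -> Optional[bool]:
    """Read HKCU Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt
    (1 = extensions hidden, the Windows default). Returns None when not on Windows."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "HideFileExt")
    return value == 1

# Constructed sample listing of a removable drive, using the names from the thread.
SAMPLE_NAMES = ["coolProposal.doc", "2010 Quarterly Numbers.ppt.exe", "msword.exe",
                "notes.TXT.scr", "archive.tar.gz"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        mark = "DISGUISED" if is_disguised_executable(name) else "ok"
        print(f"shown as {explorer_display_name(name)!r:32} real {name!r:34} {mark}")
    print("HideFileExt enabled:", hide_file_ext_enabled())
```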