News - Microsoft acknowledges DLL vulnerability

[HEXUS]

Many common programs aren't following security advisory and may be at risk

Read more.

[TheAnimus]

Erm, Guys.

Am I missing something here?

Newsflash, non-cryptographically signed binaries can be replaced.

Surely the only way to do this is to change either the path environment variable or file system access. From the MSDN

Code:

The directory from which the application loaded.
The system directory.
The 16-bit system directory.
The Windows directory.
The current directory.
The directories that are listed in the PATH environment variable.

So the folder which contains the application, if an attacker has access to that, your screwed.
The system folder, generally considered a good idea to not have write perms there.
16 bit system folder, same rule.
windows directory, spotting a pattern?
current directory YES VECTOR FOR ATTACK.
PATH environment vector again. However.....

Both those require code to be running as the local user, UAC and protected mode in IE will alleviate this a bit.

My point is, if your already able to run code as a local user that can frig environment variables and write to the current folder of another application, which requires those two methods for finding binaries, then you've already lost complete control of your system.

More-over there is no escalation exploit mentioned?

Sorry to say, as much as I love to tell others to write their code better (whilst writing lazyly myself) this is a non story.

[TheAnimus]

after a quick check with mate who is more knowledgeable, it seems like this is very similar to the one a year ago which introduced: BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE which effectively stops the searching of the current directory.

I think the idea was that a user could be tricked into saving something into C:\Documents\WilliamFitzgerald
then when running an app which required environment variable PATH lookup (argh!!!!!) it would inject.

But that is very unlikely surely?

[g8ina]

Crikey, he's good isnt he

(not sarcasm, I am genuinely inmpressed!)

[TheAnimus]

Yup, but the proud boy won't come work for me, even when I offer a big ass pay rise! He just likes the security research too much.

But this is a very different beast to the itunes issue, that was just sheer retardedness, it would look for a helper binary on a foreign location, load it as a current user in security unrestricted, and execute it.

This is more a throwback to 1992, rather than something anyone should be really using. 1-4 should be enough, and if your using 5, you should be damn well aware of it warts and all. If 6, well I hope you have a damn good reason.

[Flash477]

I find it ironic that most of the applications mentioned are Microsoft ones

[watercooled]

0100001101110101011100100110100101101111011101010111001101101001011101000111100100100000011010110110 1001011011000110110001100101011001000010000001110100011010000110010100100000011000110110000101110100 001000000011101000101001

You spelt curiosity wrong. And yes, I was bored.

I thought Windows would have something in place to deny access to SMB shares not on the LAN by default? I don't know like it just seems like the common sense thing to do.

[Flash477]

You spelt curiosity wrong. And yes, I was bored.

Yeah, I know - just too lazy to change it