Security Basics mailing list archives

Re: How to....

From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 28 Sep 2005 10:18:18 +0100

On Tue, 2005-09-27 at 11:32 +1000, Greg wrote:

....really shoot your XP machine in the foot, so to speak.

Pick any program shortcut that is pinned to your start menu. If you don't 
have any, find any old program shortcut (or make one) then pin it to your 
start menu. Now go find some other shortcut to a completely different 
program and open it's properties. Copy the full path info from that one and 
past it into the path info in the properties for that other shortcut that is 
pinned to the start menu and click OK to make it stick. Now carefully look 
at that icon. It hasn't changed. Now click on it. The icon now starts that 
other program instead of the one it looks like it is SUPPOSED to start.

Now while all that is simple "so what?" to most of you, think of this - I 
deal in a lot of low level security stuff that is below the radar of a lot 
of you but if an icon that is frequently used in the list of commonly used 
programs or those pinned to the start menu can be so easily changed to start 
some other program yet not look like it was tampered with at all, why 
couldn't the next Trojan include code to do this? Eg, place a Trojan on the 
C drive, copy the full path info into the "Windows Update" icon on your 
start menu (for example) where it runs that Trojan instead. That Trojan may 
do what it is designed to do and also do the actual starting of Windows 
Update after that.


When malware has this sort of access the game is already over, whatever
the user can do the malware can do, or are you advocating that the user
not be allowed to choose the icons on their shortcuts?

What stops a local user or a Trojan doing this in a normal XP installation 
that hasn't been changed and all runs at admin levels as so many businesses 
do?


Nothing, it is there start menu. However they can't modify anything that
affects the start menu of other users because they by default don't have
permissions (NTFS) to do so.

No privilege escalation is happening here, the user is just modifying
their own environment.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3

Attachment: smime.p7s
Description:

Current thread:

How to.... Greg (Sep 27)
- Re: How to.... Micheal Espinola Jr (Sep 28)
- Re: How to.... Ansgar -59cobalt- Wiechers (Sep 28)
- Re: How to.... Larry Offley (Sep 28)
- Re: How to.... Jacob Bresciani (Sep 28)
  - Re: How to.... Greg (Sep 28)
- Re: How to.... Barrie Dempster (Sep 28)
- <Possible follow-ups>
- RE: How to.... Clarkson, Dustin (Sep 28)
  - Re: How to.... Greg (Sep 28)
    - Re: How to.... Ansgar -59cobalt- Wiechers (Sep 30)
- RE: How to.... Smith, Jeff (Sep 28)
- RE: How to.... Craig Wright (Sep 28)