Full Disclosure mailing list archives
Re: Security Bug in MSVC
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Tue, 17 Jan 2006 23:34:16 +0100
I think MS won't fix any bug in vstudio. I have asked them if they will fix the vs2005 issue published recently and they told me exactly what is on your support page:

"Only open project files that come from trusted sources."

or "Only open WMF files that come from trusted sources." would have been less effort than releasing a patch then lol :D

Morning Wood wrote:
------------------------------------------------------------
- EXPL-A-2006-002 exploitlabs.com Advisory 048 -
------------------------------------------------------------
- MSVC 6.0 run file bug -

AFFECTED PRODUCTS
=================
Microsoft Visual Studio 6.0
http://microsoft.com

Possibly other products referenced in:
http://support.microsoft.com/kb/841189

OVERVIEW
========
Source code project distributions are very popular these days. Generally authors offer code as a project with source, headers, and msvc project files if it is a fairly big project. Most users will simply open up the project.dsw file (especially if it says to do so in a readme.txt or other compiler instructions), which in turn loads the project.dsp files, which provide the compiler directives. A malicious attacker could embed commands to be executed in the project files, and execute any local code of his choosing.

note: this is an implemented feature in MSVC, and should be considered a bug, not a vulnerability.

IMPACT
======
The impact of this is quite severe, as it is possible to script commands such as to launch ftp, retrieve and execute a file from a remote location.

DETAILS
=======
By modifying the .dsp files:

project settings
custom build
Commands: command to execute
Post-build Step: command to execute

1.a
====
InputPath=.\Release\hello.exe
SOURCE="$(InputPath)"

"hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
    calc

1.b
====
PostBuild_Cmds=notepad.exe

POC
====
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip

extract, and open hello.dsw
click "batch build, build" or "rebuild all"
code will execute ( calc.exe and notepad.exe used as an example )

calc.exe = Custom-Build
notepad.exe = PostBuild Commands

SOLUTION
========
vendor contact: secure () microsoft com Sept 20, 2005
http://support.microsoft.com/kb/841189 updated Jan 6, 2006

Microsoft provided these URLs as well:
http://msdn.microsoft.com/library/en-us/vsintro7/html/vxurfopenprojectfromwebdialogbox.asp
http://msdn2.microsoft.com/en-us/library/bs2bkwxc.aspx

SUGGESTED PATCH
===============
Include a dialog box that warns the user, before pre and post build directives can be launched, if the presence of execute directives exist in the build project files.

CREDITS
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
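
The SUGGESTED PATCH in the quoted advisory asks for a warning when execute directives are present in the project files. As an added example (not part of the original message or the advisory), this Python check lists the commands a .dsp would run so they can be reviewed before the project is opened and built. The `# Begin/End` section markers, the indented command line under the rule, and matching any `*_Cmds=` key beyond `PostBuild_Cmds` are assumptions.

```python
import re

# Constructed sample mirroring the advisory's 1.a and 1.b fragments; the
# "# Begin/End ..." markers and the tab before the command are assumed.
SAMPLE_DSP = (
    "# Begin Custom Build\n"
    "InputPath=.\\Release\\hello.exe\n"
    'SOURCE="$(InputPath)"\n'
    "\n"
    '"hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"\n'
    "\tcalc\n"
    "# End Custom Build\n"
    "# Begin Special Build Tool\n"
    "PostBuild_Cmds=notepad.exe\n"
    "# End Special Build Tool\n"
)

CMDS_KEY = re.compile(r"^(\w+_Cmds)=(.*)$")      # e.g. PostBuild_Cmds=notepad.exe
RULE = re.compile(r'^"?[^\s"=#][^"=]*"?\s+:\s')  # make-style rule: target : deps


def find_exec_directives(dsp_text):
    """Return (line_no, kind, command) for each command the build would run."""
    findings, in_rule = [], False
    for no, line in enumerate(dsp_text.splitlines(), 1):
        m = CMDS_KEY.match(line.strip())
        if m and m.group(2).strip():
            findings.append((no, m.group(1), m.group(2).strip()))
            in_rule = False
        elif RULE.match(line):
            in_rule = True   # indented lines that follow are the rule's commands
        elif in_rule and line[:1] in (" ", "\t") and line.strip():
            findings.append((no, "CustomBuild", line.strip()))
        elif line.strip():
            in_rule = False  # any other non-blank, unindented line ends the rule
    return findings


def confirm_before_open(dsp_text):
    """Warning text to show the user, or None when nothing would execute."""
    hits = find_exec_directives(dsp_text)
    if not hits:
        return None
    return "\n".join(f"line {n}: {k} runs: {c}" for n, k, c in hits)


if __name__ == "__main__":
    print(confirm_before_open(SAMPLE_DSP) or "no execute directives found")
```
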
Current thread:
- Security Bug in MSVC Morning Wood (Jan 17)
- Re: Security Bug in MSVC ad () heapoverflow com (Jan 17)
- Re: Security Bug in MSVC Stan Bubrouski (Jan 17)
- Re: Security Bug in MSVC Jason Coombs (Jan 17)
- Re: Security Bug in MSVC Dave Korn (Jan 18)
- Re: Re: Security Bug in MSVC Jason Coombs (Jan 18)
- Re: Re: Security Bug in MSVC bkfsec (Jan 18)
- Re: Re: Security Bug in MSVC Dave Korn (Jan 19)
- Re: Security Bug in MSVC Dave Korn (Jan 18)
- Re: Security Bug in MSVC ad () heapoverflow com (Jan 17)
- Re: Security Bug in MSVC Joachim Schipper (Jan 18)
- Re: Security Bug in MSVC Morning Wood (Jan 18)
- Re: Security Bug in MSVC Pavel Kankovsky (Jan 19)
- Re: Security Bug in MSVC redsand (Jan 19)