Full Disclosure mailing list archives
Re: DLL hijacking with Autorun on a USB drive
From: Christian Sciberras <uuf6429 () gmail com>
Date: Tue, 31 Aug 2010 23:38:38 +0200
Adding to Charles' this dll hijacking is even less than a non-issue considering that the user has opened the "bad" file in the first place. I don't see it a matter of changing the cwd, but rather the user shouldn't be running stuff which he doesn't know about. It's the same analogy Charles mentioned all over again. Dan: "The security model people keep presuming exists, doesn't." Dan, there was no security model, and no one assumed there was. Running dubious files, from anywhere, is always a security risk. This is more of an anti-virus fix than changing CWD: the anti-virus/ips/whatever knows that the dll-to-be-loaded is from an external source, and it should wail out a warning. I fully acknowledge a message telling me I'm about to run an executable I've just downloaded, but simply refusing to run it properly isn't something I, (or normal users, for the matter) would want. Finally, this "Application X is vulnerable to dll hijcak" needs to stop, right now. This whole darn thing is stupid...most if not all applications set the CWD to the target path for several reasons. Microsoft Office suite, for instance, keep backup (archives, caches and whatnot) files in the same folder the main file resides. Switching between directories is surely not an option. On Tue, Aug 31, 2010 at 11:20 PM, Charles Morris <cmorris () cs odu edu> wrote:
On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky <dan () doxpara com> wrote:Again, the clicker can't differentiate word (the document) from word (the executable). The clicker also can't differentiate word (the document) from word (the code equivalent script). The security model people keep presuming exists, doesn't. Even the situation whereby a dll is dropped into a directory of documents -- the closest to a real exploit path there is -- all those docs can be repacked into executables.What? I can differentiate my coolProposal.doc from msword.exe just fine.. If your statement is that the windows defaults should be changed, including the "hide extensions" default, then I wholeheartedly agree as I detailed in my first post. It's the first thing I turn off. Many people who think the same way have considered that a vulnerability in windows for years, I wouldn't consider it part of the "DLL Hijacking" fiasco. Cheers, Charles _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: DLL hijacking with Autorun on a USB drive, (continued)
- Re: DLL hijacking with Autorun on a USB drive Sherwyn (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive matt (Aug 27)
- Re: DLL hijacking with Autorun on a USB drive Mario Vilas (Aug 27)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Dan Kaminsky (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Valdis . Kletnieks (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Valdis . Kletnieks (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Dan Kaminsky (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Sherwyn (Aug 26)