Full Disclosure mailing list archives

Re: DLL hijacking with Autorun on a USB drive


From: Christian Sciberras <uuf6429 () gmail com>
Date: Wed, 1 Sep 2010 02:38:46 +0200

Are you seriously suggesting that just because errors in implementation happen
(such as malformed gifs leading to bugger overflows, etc), that it's OK to have
a totally broken security model that doesn't even *try* to get it right?



No, I'm suggesting to fix those implementation errors, not focus on damn
crippling the OS!!

When I plug in a USB, I expect to run whatever I want from it, be it
"dll hijack exploits" or not.
At most, there might be a system policy for not running *any* file
from removable drives, and of course there's the usual antivirus/ips.
But that's a damn system policy not software lockdown.
Why the hell should I, as a developer, end up fixing this shit just
because some "security experts" think they discovered the next
generation of exploits from running programs out of USB drives
(network shares or what the fk there is out there)?

Perhaps you haven't noticed, Windows sees dlls as files, not as system
libraries, unlike unix (linux/bsd/whatever). Whereas I could cripple a
linux install just by removing certain non-system libraries, you can't
do this in Windows, thanks to "dll hell".
Call it like that all you want, but I've found it convenient. If you
guys can't understand a damn thing out of some crappy unix standard,
it most certainly ain't my fault.

Rant aside, I'll reiterate my same central point: *this is not a
vulnerability*. I won't consider it as such, ever.




On Wed, Sep 1, 2010 at 1:43 AM,  <Valdis.Kletnieks () vt edu> wrote:
On Wed, 01 Sep 2010 00:59:06 +0200, Christian Sciberras said:
(and yes, "interpreted data" like shell scripts and Java .class files and Flash
are the sort of neither-fish-nor-fowl that give security models headaches, so
don't bother flaming about that. ;)
OK. Also add exploits in non-executable data as well (such as a certain gif...).

What was your point again?

Are you seriously suggesting that just because errors in implementation happen
(such as malformed gifs leading to bugger overflows, etc), that it's OK to have
a totally broken security model that doesn't even *try* to get it right?

"Since you *might* be able to find a hole using user-supplied data, we'll just
assume that you *did* find one, and we'll make it easy for you and just allow
you to provide your exploit code as totally untrusted files from an untrusted source".

Hmm.. where have I heard that before? Oh yes...

Mr Prosser (who was arguing with a spokesman for the bulldozer drivers about
whether or not Arthur Dent constituted a mental health hazard, and how much
they should get paid if he did) looked around. He was surprised and slightly
alarmed to find that Arthur had company.

"Yes? Hello?" he called. "Has Mr Dent come to his senses yet?"

"Can we for the moment," called Ford, "assume that he hasn't?"

"Well?" sighed Mr Prosser.

"And can we also assume," said Ford, "that he's going to be staying here all day?"

"So?"

"So all your men are going to be standing around all day doing nothing?"

"Could be, could be ..."

"Well, if you're resigned to doing that anyway, you don't actually need
him to lie here all the time do you?"

"What?"

"You don't," said Ford patiently, "actually need him here."

Mr Prosser thought about this.

"Well no, not as such...", he said, "not exactly need..." Prosser was
worried. He thought that one of them wasn't making a lot of sense.

Ford said, "So if you would just like to take it as read that he's
actually here, then he and I could slip off down to the pub for half an
hour. How does that sound?"
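The disagreement above turns on where the Windows loader looks for a DLL when an application is started from removable media, and on whether a "system policy for not running any file from removable drives" is the right place to handle it. The following model is an added illustration written for this archive page; it is not code from either poster. It assumes the documented default Windows search order (application directory, then the system directories, then the current directory, then PATH, with SafeDllSearchMode on), and every path in it (the E: drive, `sample.dll`, `helper.dll`) is constructed for the example. It resolves a DLL name the way the loader would, lists which names in the application directory shadow a copy in System32 (the ones a defender would want to inspect), and models the removable-drive policy as a simple predicate.

```python
from pathlib import PureWindowsPath

# Constructed fixture: files that "exist" on a machine where an application
# has been launched from a removable drive (E:). These paths are made up for
# the illustration and do not come from the thread.
SAMPLE_FILES = {
    r"E:\app\app.exe",
    r"E:\app\sample.dll",               # same name as a DLL in System32
    r"E:\app\helper.dll",               # app-private DLL, no system copy
    r"C:\Windows\System32\sample.dll",
    r"C:\Windows\System32\kernel32.dll",
}

# Assumption: the documented system directories, in the order the loader uses.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories in the order the loader consults them.

    Assumption: with SafeDllSearchMode on (the default) the application
    directory comes first and the current directory comes after the system
    directories; with it off the current directory moves up to second place.
    """
    if safe_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve_dll(name, files, app_dir, cwd, path_dirs=(), safe_mode=True):
    """Return the directory the loader would take `name` from, or None.

    `files` is the set of full paths that exist; comparison is case-insensitive
    because Windows file names are.
    """
    lowered = {f.lower() for f in files}
    for directory in search_order(app_dir, cwd, path_dirs, safe_mode):
        candidate = str(PureWindowsPath(directory) / name).lower()
        if candidate in lowered:
            return directory
    return None


def shadowed_dlls(files, app_dir, system_dir=r"C:\Windows\System32"):
    """Defender check: DLL names present in app_dir that also exist in the
    system directory. Because app_dir is searched first, those are the copies
    the loader actually resolves, so they are the ones worth verifying
    (publisher signature, known hash) when the application lives on
    removable media."""
    names = {}
    for f in files:
        p = PureWindowsPath(f)
        if p.suffix.lower() != ".dll":
            continue
        names.setdefault(p.name.lower(), set()).add(str(p.parent).lower())
    return sorted(
        n for n, dirs in names.items()
        if app_dir.lower() in dirs and system_dir.lower() in dirs
    )


def blocked_by_removable_policy(directory, removable_drives=("E:",)):
    """The 'system policy' the thread mentions, modelled as a predicate:
    refuse to load code from a removable drive regardless of search order.
    Which drives count as removable is an input here (constructed: E:)."""
    if directory is None:
        return False
    drives = {d.upper() for d in removable_drives}
    return PureWindowsPath(directory).drive.upper() in drives


if __name__ == "__main__":
    app_dir = r"E:\app"
    for dll in ("sample.dll", "helper.dll", "kernel32.dll"):
        src = resolve_dll(dll, SAMPLE_FILES, app_dir, cwd=r"C:\Users\me")
        print(f"{dll:14} -> {src}  policy blocks: {blocked_by_removable_policy(src)}")
    print("shadowing system DLLs:", shadowed_dlls(SAMPLE_FILES, app_dir))
```

Run as a script it shows `sample.dll` resolving from `E:\app` rather than `C:\Windows\System32`, `helper.dll` resolving from `E:\app` (harmless, it has no system copy), and `kernel32.dll` resolving from System32; `shadowed_dlls` reports only `sample.dll`, and the policy predicate blocks both loads from the E: drive. The model is deliberately narrow: it does not cover the known-DLLs list, manifests, or `SetDllDirectory`, any of which changes the real loader's behaviour.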



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

