Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability

From: paul.szabo () sydney edu au
Date: Thu, 9 Sep 2010 11:29:17 +1000
jf <jf () ownco net> wrote:


... my understanding of the issue was not the default library search
path, but rather that people are using SearchPath() or similar to locate
DLLs which they then pass to LoadLibrary() ...


And, people loading DLLs they do not need, for OS version detection.
(Maybe others?)


... I can't see anyone opening a URL with nmap itself ...


An "exploit scenario" for nmap: send a ZIP (or somesuch) archive to
the victim, containing a data file and a "hidden" DLL, with message:
  Hey, these seem infected with conficker, check with nmap
and the victim using "nmap -iL datafile" from current dir.

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: