Re: DLL hijacking with Autorun on a USB drive

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

Dan Kaminsky wrote:

> On Tue, Sep 14, 2010 at 6:07 PM, Stefan Kanthak <stefan.kanthak () nexgo de> wrote:
> > Dan Kaminsky wrote:

> > > Short version: Go see how many DLLs exist outside of c:\windows\system32.
> > > Look, ye mighty, and despair when you realize all those apps would be broken
> > > by CWD DLL blocking.
> >
> > No, that's the too much shortened version.
> > The correct version but is: Go see how many DLLs exist outside of the DLL
> > search path.
> > CWD DLL blocking does NOT break all those apps!
> > Apps which install their DLLs into their own application directory won't
> > notice CWD blocking at all.
>
> > And apps which break can be easily fixed:
> >
> > [HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\application.exe]
> > "Path"=...
> >
> > exists for more than 15 years now.

> An automatic patch that breaks random apps will not be an automatic
> patch -- and neither will the twenty patches after it.

There is no "automatic" patch.
KB2264107 just enables an Administrator to (finally) exempt CWD from the
DLL search path.

> Nobody cares that the breakage "can be fixed" with some fifteen year old key.

The Administrator who blocks DLL loading from CWD but cares!

BTW: Windows developers and administrators should know their platform.

Stefan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/