Full Disclosure mailing list archives

Re: DLL hijacking with Autorun on a USB drive


From: Charles Morris <cmorris () cs odu edu>
Date: Wed, 1 Sep 2010 08:29:44 -0400

On Tue, Aug 31, 2010 at 7:03 PM, Dan Kaminsky <dan () doxpara com> wrote:
> On Aug 31, 2010, at 2:20 PM, Charles Morris <cmorris () cs odu edu> wrote:
>
>> On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky <dan () doxpara com> wrote:
>>
>>> Again, the clicker can't differentiate word (the document) from word (the
>>> executable).  The clicker also can't differentiate word (the document) from
>>> word (the code equivalent script).
>>>
>>> The security model people keep presuming exists, doesn't.
>>>
>>> Even the situation whereby a dll is dropped into a directory of documents --
>>> the closest to a real exploit path there is -- all those docs can be
>>> repacked into executables.
>>
>> What?
>>
>> I can differentiate my coolProposal.doc from msword.exe just fine..
>
> Uh huh. Here, let me go ahead and create 2010 Quarterly Numbers.ppt.exe with
> a changed icon, and see what you notice.


Mr. Szabo has already slapped your wrist for such undeserved arrogance.

And yeah, I find it a joke that you think that ".ppt.exe" isn't pretty
damn obvious.

I might have fallen for that when I was 9, but I haven't had a problem
with a Windows box in years.

I will admit, at 3AM when I've been working for 18 hours and awake for
36, it is possible that I may double-click such a malicious file and
then immediately think "OH shit" and rebuild.

I know what we can do, we can repackage the "Hey watch out for badguys
masquerading as innocent files" that everybody already knows about,
contact CERT and negotiate a fix between major vendors (Hey this isn't
just a MS vulnerability right??), then give a talk at blackhat to
establish our fame, but now that I think about it.. that would be rude
to the people who have been complaining about this since 1999.


If your statement is that the Windows defaults should be changed,
including the "hide extensions" default, then I wholeheartedly agree,
as I detailed in my first post. It's the first thing I turn off.

Many people who think the same way have considered that a
vulnerability in Windows for years; I wouldn't consider it part of
the "DLL Hijacking" fiasco.

> Imagine if the browser lock meant arbitrary code could run.
>
> I find your faith in small collections of pixels hilarious.


Imagine if the keyboard LED meant arbitrary code could run!!

What? I don't even understand what you are getting at. This has
nothing to do with faith in icons.

My statement was that Windows defaults arguably represent a
vulnerability in the GUI by making "proposal.doc" indistinguishable
from "proposal.doc.exe with a crafted icon", when you are encouraged
to double-click the icons through the GUI, and when "doc" files are
supposed to be innocent to open. I was also stating the fact that this
vulnerability should be addressed outside of the scope of the "DLL
Hijacking" mess.

Cheers,
Charles
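The "hide extensions" default and the "proposal.doc.exe with a crafted icon" trick discussed above, as an added PowerShell example that is not part of the thread or either author's post. The registry value HideFileExt under Explorer's Advanced key is the real setting Explorer uses; the extension lists, the function names and the scan path are assumptions chosen for illustration.

```powershell
# Added example, not from the mailing-list thread. Shows the Explorer
# setting that hides known extensions and scans a folder for files whose
# displayed name would look like a document while the real extension runs code.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    # HideFileExt: 1 = Explorer hides known extensions (the default), 0 = show them
    (Get-ItemProperty -Path $Advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
}

function Disable-HideFileExt {
    Set-ItemProperty -Path $Advanced -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value at start-up; restart it so the change takes effect
    Stop-Process -Name explorer -Force
}

# Extensions that execute on double-click (assumed list; extend for your estate)
$ExecutableExts = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.vbe',
                  '.js', '.jse', '.wsf', '.hta'
# "Harmless" extensions a crafted name would present once the real one is hidden
$DocumentExts   = '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf',
                  '.txt', '.rtf', '.jpg', '.png'

function Find-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ExecutableExts -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # BaseName is the name with the real extension removed, i.e. what
            # Explorer displays when HideFileExt is 1 ("2010 Quarterly Numbers.ppt")
            $shown   = $_.BaseName
            $fakeExt = [System.IO.Path]::GetExtension($shown).ToLower()
            if ($DocumentExts -contains $fakeExt) {
                [pscustomobject]@{
                    FullName = $_.FullName
                    ShownAs  = $shown
                    RealExt  = $_.Extension
                }
            }
        }
}

# Usage (assumed path):
#   Get-HideFileExtSetting                                   # 1 on a default install
#   Disable-HideFileExt
#   Find-DisguisedExecutable -Path "$env:USERPROFILE\Downloads"
```

Turning HideFileExt off is necessary but not sufficient: file types whose registry class carries a NeverShowExt value (shortcuts, .lnk, are the usual example) keep their extension hidden regardless, and a file named "report.pdf.lnk" pointing at cmd.exe still displays as "report.pdf". The scan above catches only the double-extension pattern; it does not inspect icons or shortcut targets.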

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
