Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

[root <root_ () fibertel com ar>]

I agree, in some remote scenario this may work, but doesn't justify an
advisory.

Off-topic:

First Insect PRO, and now this?
What's happening fellow Latin-americans? our standards are falling.
Please behave, this is the Internet!





On 09/05/2011 07:33 AM, Mario Vilas wrote:
> Paul,
>
> Those file extensions correspond to scripts. If a file contains a script
> that runs when the file is double clicked, and the scripting engine is not
> sandboxed (meaning the script can do the same things an executable file can
> do) then the attack is meaningless. You can simply have the script inside
> the file do malicious things instead of planting a DLL.
>
> Binary planting, regardless of the discussion about it being a
> "vulnerability" or not, in any case only makes sense when the file only
> contains static data, or when the file contains executable code that would
> normally not have the same privileges as a standard executable file. (A
> script that doesn't get executed when double clicking on it -for example if
> a text editor is opened instead- would be the same case as in a data file).
>
> I've never used .js or .jse scripts on Windows, but all the other extensions
> are patently not sandboxed scripts. In fact, the Windows Script Host
> software is mostly used to write system maintenance scripts, so it's obvious
> its scripts can't be restricted or they'd be useless. I'm guessing the same
> applies to .js and .jse then, and of course I wouldn't mind seeing proof
> that it doesn't. However the links you provided don't really prove anything
> (the first one even says "this is not a complete list", and I admit I've
> only glanced the second one but it seems unrelated, as it applies to file
> transfers on Microsoft Sharepoint).
>
> Planting a DLL file to be executed at the same time as other executable file
> is just a convoluted way of doing the same thing. It *may* be used in some
> strange, artificial situations, but I'm not convinced there aren't better
> ways to do it, and in any case it doesn't justify an advisory. And judging
> from what the timeline reads, I believe Microsoft simply ignored this one.
>
> I hope my explanation helped :)
> -Mario
>
> On Mon, Sep 5, 2011 at 12:54 AM, <paul.szabo () sydney edu au> wrote:
>
> > > Application: wscript.exe
> > > Extensions: js, jse, vbe, vbs, wsf, wsh
> > > Library: wshesn.dll
> >
> > Many people commented that the above extensions are "executable"
> > already, so are (should be) treated with caution, or that they
> > can be trojaned directly without any DLL load shenanigans.
> >
> > However... looking at
> > http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
> >
> > http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
> > I do not see JS listed as executable, though JSE is listed.
> >
> > Looking at
> > http://msdn.microsoft.com/en-us/library/ms722429.aspx
> > I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
> > machine, none of the above extensions are "designated".
> >
> > Maybe DLL hijacking is useful for some of these file types, after all?
> >
> > Cheers, Paul
> >
> > Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
> > School of Mathematics and Statistics   University of Sydney    Australia
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/