Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Defense in depth -- the Microsoft way (part 9): erroneous documentation

From: adam <adam () papsy net>
Date: Sat, 31 Aug 2013 11:20:47 -0500
I'm on the same page as Pascal, what is the point of this? The part
that really stands out for me is how Microsoft is being singled out
here. If it's about their documentation, then it's not really about a
vulnerability. If it's NOT about their documentation, then you'd be
hard pressed to find a platform that _doesn't_ work this way.

On Sat, Aug 31, 2013 at 8:37 AM,  <hardfalcon () hardfalcon net> wrote:

I am truly shocked that seemingly, stuff like this needs to be said in
the year of 2013. I'd have supposed that things like these should be
known by *anyone* doing anything even remotely similar to software
development *at least* since the end of the 8.3 filename era 15 years
ago. Are you sure this is real and not a prank? o_O

regards
Pascal Ernster


On 31.08.2013 12:58, Stefan Kanthak wrote:

Hi,

in <http://seclists.org/fulldisclosure/2013/Aug/75> I documented
beginners errors (unquoted pathnames containing spaces) not only
in Microsoft products.

Microsofts developer documentation but shows these beginners errors
too (and is inconsistent, even in single topics).

Examples:

<http://msdn.microsoft.com/library/cc144171.aspx>

| HKEY_CLASSES_ROOT
|   txtile
...
|               Shell
...
|                  cmd2
...
|                     command
|                        (Default) = C:\Program Files\Windows NT\Accessories\wordpad.exe %1
                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~

<http://msdn.microsoft.com/library/bb165967.aspx>

| [HKEY_CLASSES_ROOT\Applications\VSLauncher.exe\Shell\Open\Command]
| @="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe \"%1\""
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| [HKEY_CLASSES_ROOT\VisualStudio.csproj.8.0\shell\Open\Command]
| @="\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe\" \"%1\""


<http://msdn.microsoft.com/library/cc144083.aspx>

| HKEY_LOCAL_MACHINE
|   SOFTWARE
|      Classes
|         contoso-search
|            shell
|               open
|                  command
|                     (Default) = "%ProgramFiles%\Contoso\Search\contososearch.exe %1"
                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~

<http://msdn.microsoft.com/library/cc144154.aspx>

| HKEY_LOCAL_MACHINE
|   SOFTWARE
|      Classes
|         LitwarePlayer11.AssocFile....
...
|            shell
|               open
|                  command
|                     (Default) = %ProgramFiles%\Litware\litware.exe
                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<http://msdn.microsoft.com/library/hh127450.aspx>

| HKEY_CLASSES_ROOT
|   CLSID
|      {0052D9FC-6764-4D29-A66F-2F3BD9E2BB40}
|         Shell
|            Open
|               Command
|                  (Default) = [REG_EXPAND_SZ] %ProgramFiles%\MyCorp\MyApp.exe /Settings
                                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


<http://msdn.microsoft.com/library/cc144188.aspx>

| <sh:task id="{3B75A7AE-C4E4-4E5A-9420-7CECCDA75425}">
|    <!-- This is a generated GUID, specific to this task link -->
|    <sh:name>@myTextResources.dll,-100</sh:name>
|    <sh:keywords>@myTextResources.dll,-101</sh:keywords>
|    <sh:command>%ProgramFiles%\Microsoft Games\Solitaire\solitaire.exe</sh:command>
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| </sh:task>


Example with ambiguous/inconsistent use of quotes:

<http://msdn.microsoft.com/en-us/library/aa767914.aspx>

| HKEY_CLASSES_ROOT
|   alert
|      (Default) = "URL:Alert Protocol"
                   ^                  ^
|      URL Protocol = ""
                      ^^
|      DefaultIcon
|         (Default) = "alert.exe,1"
                      ^           ^
|      shell
|         open
|            command
|               (Default) = "C:\Program Files\Alert\alert.exe" "%1"


Counterexamples:

<http://msdn.microsoft.com/library/cc144175.aspx>
<http://msdn.microsoft.com/library/cc144101.aspx>

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.


<http://msdn.microsoft.com/library/dd203067.aspx>
<http://msdn.microsoft.com/library/cc144109.aspx>


regards
Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: