Re: is predicatable file location a vuln? (was RE: Aol Instant Messenger/Microsoft Internet Explorer remote code execution)

["http-equiv () excite com" <1 () malware com>]

<!--  

> Being able to store arbitrary content in a predictable file 
> location is  a vulnerability category of its own

An interesting category, for sure.  I think this point deserves 
discussion.  Is the use of  predictable file locations really a 
vulnerability?

 -->

If it isn't it should be. I'll give you four that have been put 
on the back-burner for later realization (make a note that this 
will be fair warning to the vendor):

1. wecerr.txt still remains a named file in a known location 
with arbitrary content, that the vendor simply refuses (more 
than likely cannot be bothered)to fix.  This is going to hit 
them square in the nuts if not now, then in the very near 
future. And I'll make sure it is zero-day'd. This combo is now 
both 1 and bordering on 2 years old:

<body onload=malware() style="behavior: url
(#default#httpFolder);">
 <script>
function malware(){
document.body.navigate("http://www.microsoft.com";);alert
("malware");location=("shell:profile\Local 
Settings\Temp\wecerr.txt")
}
 </script>

2. Outlook Express deposits an embedded sound file in an html 
email in the temp upon opening. We are able to access the temp 
via link: shell:profile\Local Settings\Temp\foo.mid. That 
embedded sound file need not be proper. That is it can be an 
html file renamed .mid or .wav and it will still be delivered to 
the temp. At the moment it is not named but history shows us, 
with a bit of effort and luck, even that can be remedied.

3. Outlook proper and Outlook Express. When you send a webpage 
via email, it creates an exact copy of that page in the temp, 
file extensioned .html along with the name. Again you can access 
it directly via the above but to invoke or cause it 
automatically remains under examination.

4. The Outlook Express 'bug' again over 12 months old ~ file 
being the Windows Address Book remains in place and is still 
created every time you touch the address book with a few 
predictable locations: ~ file on desktop or in C: etc.  For 
identity theft which appears to be the latest concern, this is 
it. Accessing it via remote is quite easy for the reasons 
already described.

The vendor in all cases, just cannot be bothered to fix any of 
these things. Simply does not care. It seems that the new mantra 
is "none of our customer's are affected by it" so let's not fix 
it.

WATCH OUT !

All these will culminate in yet another STENCH ! exploit sooner 
or later.

That is a true predicatable path.


End Call


-- 
http://www.malware.com