Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 16 Sep 2011 05:27:13 -0400
On Thu, Sep 15, 2011 at 7:11 PM, Michael Schmidt <mschmidt () drugstore com> wrote:

Someone’s just not reading the bulletins – Note the term “Remote” –
including webdav, so a share that could be fully controlled by the
exploiter. At least that is what I am understanding.



Updates released on September 13, 2011

Microsoft Security Bulletin MS11-071, "Vulnerability in Windows Components
Could Allow Remote Code Execution," provides support for vulnerable
components of Microsoft Windows that are affected by the Insecure Library
Loading class of vulnerabilities described in this advisory.

Microsoft Security Bulletin MS11-073, "Vulnerabilities in Microsoft Office
Could Allow Remote Code Execution," provides support for vulnerable
components of Microsoft Office that are affected by the Insecure Library
Loading class of vulnerabilities described in this advisory.


In addition, this looks like it could be ripe for abuse (if it is true):
   Even more interesting is the fact that you can specify a
   UNC path in the import section of the PE file. If we specify
   \\66.93.68.6\z as the name of the imported DLL, the Windows
   loader will try to download the DLL file from our web server.

See http://www.phreedom.org/solar/code/tinype/.


From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of adam
Sent: Thursday, September 15, 2011 3:27 PM
To: security () acrossecurity com
Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission




I'm afraid you don't fully understand the issue. This is not about placing
your own
DLL on a local machine so that a chosen application will load it (i.e.,
user
"attacking" an application on his own computer).




I'm not sure you understood the point. That being, whether the user
knowingly or unknowingly loads the "malicious" DLL - the application will be
effected the same either way. To that point: it's been possible for over a
decade (and perhaps even longer) so pretending that it's some brand new
threat that needs to be dealt with immediately is foolish.




possibly on a remote share - and executing its code (i.e., attacker with
zero
privileges on user's computer executing code on that computer).




Zero privileges? So having write access to a share that the user
accesses/loads files from - what do you call that? This is a social
engineering attack - absolutely nothing more.



On a related note: have you also contacted Linus about LD_PRELOAD?



On Thu, Sep 15, 2011 at 5:05 PM, ACROS Security Lists <lists () acros si>
wrote:

Hi Adam,

I'm afraid you don't fully understand the issue. This is not about placing
your own
DLL on a local machine so that a chosen application will load it (i.e., user
"attacking" an application on his own computer). It is about an application
running
on your computer silently grabbing a malicious DLL from attacker-controlled
location
- possibly on a remote share - and executing its code (i.e., attacker with
zero
privileges on user's computer executing code on that computer).

I hope this helps a little.

Cheers,
Mitja



-----Original Message-----
From: iarethebest () gmail com [mailto:iarethebest () gmail com] On
Behalf Of adam
Sent: Thursday, September 15, 2011 11:26 PM
To: Thor (Hammer of God)
Cc: security () acrossecurity com; Christian Sciberras;



full-disclosure () lists grok org uk; bugtraq () securityfocus com



Subject: Re: [Full-disclosure] Microsoft's Binary Planting



Clean-Up Mission

Plus: pretending that you're on the same page as Microsoft
(from a security standpoint) to further your own argument is
more damaging than it is beneficial. The entire "binary
planting" concept was flawed from the very beginning. If you
can drop a binary file on a user's machine - make it an
executable and be done with it. There's nothing fancy or
innovative about forcing applications to use specific DLLs -
script kiddies have been doing it for over 10 years to inject
custom code in multiplayer games.

On Thu, Sep 15, 2011 at 3:59 PM, Thor (Hammer of God)
<thor () hammerofgod com> wrote:


      I'm curious.  Who is your contact at MSFT?  Who is it
that has told you they have a "Binary Planting Clean-up
Mission" and where do they mention you as having anything to
do with it?

      If you are going to claim MSFT's actions as substantive
to your agenda, how about provide some details?

      t

      > -----Original Message-----
      > From: ACROS Security Lists [mailto:lists () acros si]
      > Sent: Thursday, September 15, 2011 1:41 PM
      > To: 'Christian Sciberras'
      > Cc: Thor (Hammer of God); full-disclosure () lists grok org uk;
      > bugtraq () securityfocus com

      > Subject: RE: [Full-disclosure] Microsoft's Binary
Planting Clean-Up Mission
      >

      > Hey Chris,
      >
      > > I bet Microsoft actually like stating they just
fixed yet another
      > > severe bug.
      > > Zero-day fixing is big business, you know....even if "zero"
      > > is past a few "days".
      >
      > I don't think Microsoft gains much from being able to
say they fixed yet
      > another bug
      > - maybe if it were a bug they found internally and
fixed proactively, but not
      > like this. And I'm sure they'd rather be doing
something else than fixing:
      > fixing a product costs a lot, and it generates no revenue.
      >
      > Cheers,
      > Mitja

      _______________________________________________
      Full-Disclosure - We believe in it.
      Charter: http://lists.grok.org.uk/full-disclosure-charter.html
      Hosted and sponsored by Secunia - http://secunia.com/








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: