Full Disclosure mailing list archives
Re: Insecure call to CreateProcess()/CreateProcessAsUser()
From: "Andres Tarasco" <atarasco () gmail com>
Date: Sun, 21 May 2006 17:48:44 +0200
That's a well known issue and is documented at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp

Andres tarasco

2006/5/21, Charles Morris <cmorris () cs odu edu>:
> Microsoft Explorer (iexplore.exe) calls CreateProcess() with
> lpApplicationName = NULL. Instead, the lpCommandLine variable is used.
>
> Unfortunately, if the lpCommandLine variable is not quoted properly,
> the function will attempt to load&execute multiple other applications
> in the following fashion:
>
> lpCommandLine = C:\Program Files\Google\Google Talk\googletalk.exe
>
> Will attempt to execute:
> C:\Program.exe
> C:\Program Files\Google\Google.exe
> C:\Program Files\Google\Google Talk\googletalk.exe
>
> If Microsoft Hyperterminal is set up to be your default telnet client,
> this behavior is known to be triggered from the web with a
> telnet:// style link.
>
> Microsoft was notified, they told me it was a "non issue", that they
> couldn't reproduce it, and basically "don't worry about it". or something.
>
> Unfortunately although explorer.exe warns a user when the file
> "C:\Program.exe" exists, it does not check any other paths, therefore
> it is not nearly a sufficient workaround.
>
> --
> Charles Morris
> cmorris () cs odu edu
> Network Administrator
> CS Systems Group
> Old Dominion University
> http://15037760514/~cmorris
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-- Loco de aTar
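The probe order described in the quoted message, as an added example (not code from this thread or from Microsoft): a portable C helper that lists the image paths tried for an unquoted lpCommandLine when lpApplicationName is NULL, next to the quoted form. The names `probe_candidates` and `add_candidate` are hypothetical, and the helper assumes the string holds only a path with no arguments; the real call stops at the first candidate that exists.

```c
#include <stdio.h>
#include <string.h>

#define MAXP 260 /* same size as Windows MAX_PATH */

/* Copy the first len bytes of s into dst; append ".exe" when the last path
   component has no extension, as the CreateProcess documentation describes. */
static void add_candidate(const char *s, size_t len, char *dst)
{
    if (len > MAXP - 5) len = MAXP - 5; /* room for ".exe" and the NUL */
    memcpy(dst, s, len);
    dst[len] = '\0';
    const char *base = strrchr(dst, '\\');
    base = base ? base + 1 : dst;
    if (!strchr(base, '.')) strcat(dst, ".exe");
}

/* List, in probe order, the image paths tried for lpCommandLine when
   lpApplicationName is NULL. Assumes cmd is only a path (no arguments). */
int probe_candidates(const char *cmd, char out[][MAXP], int max)
{
    int n = 0;
    if (*cmd == '"') { /* quoted: the module name ends at the closing quote */
        const char *end = strchr(cmd + 1, '"');
        if (end && max > 0)
            add_candidate(cmd + 1, (size_t)(end - cmd - 1), out[n++]);
        return n;
    }
    for (const char *p = cmd;; p++) { /* unquoted: every space is a cut point */
        if ((*p == ' ' || *p == '\0') && p > cmd && p[-1] != ' ' && n < max)
            add_candidate(cmd, (size_t)(p - cmd), out[n++]);
        if (*p == '\0') break;
    }
    return n;
}

int main(void)
{
    /* The command line from the post, unquoted and then quoted. */
    const char *tests[] = {
        "C:\\Program Files\\Google\\Google Talk\\googletalk.exe",
        "\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\"" };
    char c[8][MAXP];
    for (int t = 0; t < 2; t++) {
        int n = probe_candidates(tests[t], c, 8);
        printf("%s\n", tests[t]);
        for (int i = 0; i < n; i++) printf("  probe %d: %s\n", i + 1, c[i]);
    }
    return 0;
}
```

Every candidate before the last one is a path that must not exist or be writable by unprivileged users on an audited system; quoting the path or passing it in lpApplicationName leaves a single candidate.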