Full Disclosure mailing list archives

Re: [Code-Crunchers] windows vulnerability? [was: Re: 137 bytes]


From: Gadi Evron <ge () linuxbox org>
Date: Wed, 8 Nov 2006 10:38:12 -0600 (CST)

On Wed, 8 Nov 2006, Gadi Evron wrote:
On Wed, 8 Nov 2006, Thomas Pollet wrote:
Windows handles UNC paths the same way as local paths. Another mechanism
used to load a remote dll using a UNC path is described in
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
here the "system" directory is overwritten with a (UNC) directory owned by
the attacker. When GetSystemDirectoryW() is called to load the
faultrep.dll on exception, an attacker can supply his backdoored
faultrep.dll. I don't think you should classify this as a vulnerability,
it's known Windows behaviour (yet, Windows, a vulnerability all by itself?).

Two issues:
1. The loading of the library...
I've just had a very long discussion with someone who understands this far
better than me. I am wrong (on that part), it's not a "vulnerability" but
it's damn close, and can be used to facilitate quite a bit. I see it as
an issue, most people don't.

It is a bummer for desktop firewalls though, no? :)

http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf

^^ indeed

2. Issue that got to mind, making a leap from the first one...

The point I was trying to make is very different, and speaks of what can
potentially be done with this if this was code execution. Using the PE as
a vector to attack the PE loader with (potential!) code execution for
privilege escalation. Using the PE itself as a vector of attack.

Much like you would use a doc file to exploit something in Word.. only
not. :)

Okay, strike that. According to a friend who checked, it runs in usermode,
except for some core issues. Then it's kernel, and you need to be admin to
do it. Which is also pointless and it's hacking to be in ring0 when you
already are there.

Another friend says it will look pretty. :)

        Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
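A defender-side check for the behaviour the thread discusses (a DLL being pulled in over a UNC path), added here as an example and not part of the original message: it walks every running process, lists its loaded modules and reports any whose image path starts with `\\`. It assumes a Windows host, PowerShell 5.1 or later, and an elevated prompt so that other users' processes can be inspected.

```powershell
# Added example: flag modules loaded from UNC paths in every running process.
# Loading a library from \\server\share is exactly the Windows behaviour the
# thread calls "known behaviour"; on a workstation it is rarely legitimate,
# so each hit is worth a look. Processes we cannot open are skipped quietly.
$findings = Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $modules = $proc.Modules          # throws Win32Exception on protected processes
    } catch {
        return                            # skip this process, continue with the next
    }
    foreach ($m in $modules) {
        if ($m.FileName -and $m.FileName.StartsWith('\\')) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Pid         = $proc.Id
                Module      = $m.ModuleName
                Path        = $m.FileName
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object ProcessName, Module | Format-Table -AutoSize
} else {
    'No modules loaded from UNC paths.'
}
```

The same list, taken periodically and diffed against a known-good baseline, is a cheap way to notice a library that suddenly resolves to a network share.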