Full Disclosure mailing list archives

Re: DLL hijacking with Autorun on a USB drive


From: Dan Kaminsky <dan () doxpara com>
Date: Fri, 27 Aug 2010 10:13:21 -0400

On Fri, Aug 27, 2010 at 9:10 AM, <Valdis.Kletnieks () vt edu> wrote:

> On Fri, 27 Aug 2010 07:20:22 EDT, Larry Seltzer said:
>
>> Why wouldn't eliminating the CWD from the DLL search order fix the
>> problem? I asked Microsoft about this
>> (http://blogs.pcmag.com/securitywatch/2010/08/list_of_dll_vulnerability_wind.php)
>> and they said the obvious answer, that it would break too many customer
>> installations. And I guess it would break a bunch of them, but there really
>> isn't a good reason for anyone to load a DLL from the CWD, is there?
>
> The mentality that "Our program only works with version 1.14 of the DLL so
> we'll ship a copy of it in the directory" is too entrenched.  That's why you'll
> see a box that has 4 or 5 different copies of the Java RTE on it.  Of course,
> on a *sane* system you'd use a variable like LD_LIBRARY_PATH to say where to
> find the libraries (and maybe apply some W^X exclusion to path components).
> But there are just too many 3rd party packages that would have to be updated to
> make it palatable.

As opposed to other platforms that, what, don't have 3rd party packages?  :)

> Remember - Microsoft doesn't have any real commitment to deliver a truly
> secure system to you. It has a commitment to deliver just enough security
> and other features so it can deliver dollars to its shareholders.  We all *know*
> what it would take to secure it - and it won't happen because the resulting
> paradigm shifts will torpedo sales.


Oh, come on.  MS puts more effort into delivering a secure platform than
pretty much anyone at this point.  They're just not the low hanging fruit
they once were.

The difference between attack and defense is that we know when attack
doesn't work.  Unrolling this one characteristic pretty much yields security
as it stands today.  It's why attack research is so important -- it's our
only source of ground truth!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/