Full Disclosure mailing list archives
Re: DLL hijacking with Autorun on a USB drive
From: Dan Kaminsky <dan () doxpara com>
Date: Tue, 31 Aug 2010 14:15:19 -0700
On Aug 31, 2010, at 2:01 PM, Charles Morris <cmorris () cs odu edu> wrote:
... Don't run applications from untrusted locations ...You got it wrong. Only trusted applications are run. - The attacker prepares a WORD.DOC (and a RICHED20.DLL) file in some place. The victim clicks on the WORD.DOC file, using his own installed MSWord.Aaah, well if that is the issue, it seems to me that the vulnerability here is that the application in question (MSWord) has it's CWD set to the directory of the file that it is opening through the explorer shell. It should chdir() to it's own parent directory before doing anything interesting that depends on CWD. (i.e. loading DLLs or executing "./ amazingApp.sh") It's general good programming practice to be mindful of your CWD, I know that personally; a call to chdir() is almost always at the top of my script. So, I take back what I said about it being a non-issue, it IS in fact a vulnerability in the application.
Again, the clicker can't differentiate word (the document) from word (the executable). The clicker also can't differentiate word (the document) from word (the code equivalent script). The security model people keep presuming exists, doesn't. Even the situation whereby a dll is dropped into a directory of documents -- the closest to a real exploit path there is -- all those docs can be repacked into executables.
Cheers, Charles _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: DLL hijacking with Autorun on a USB drive, (continued)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive Sherwyn (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive Sherwyn (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive matt (Aug 27)
- Re: DLL hijacking with Autorun on a USB drive Mario Vilas (Aug 27)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Dan Kaminsky (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Valdis . Kletnieks (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Valdis . Kletnieks (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)