Full Disclosure mailing list archives

Re: KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)


From: jf <jf () ownco net>
Date: Wed, 8 Sep 2010 21:32:30 -0500

> I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> with latest windows updates applied (as of Today -sept 09 2010).
> Could be a virus/trojan from my XP machine might have caused some form
> of immunity against this issue?
> And perhaps my extensive meddling and customization somehow modify the
> Windows 7 install beyond normal limits?
> I very much doubt this. I used both bitness demos for what it's worth.


I can confirm the demo worked as expected; first shot on an up-to-date auto-patched win7 box.
That said, I did a quick search to see if I had a local copy of wab32res.dll (dunno what the dll in the subject line is 
about, the DLL in question is wab32res.dll), and I did not. I wrote a quick DLL with a simple MessageBoxA() into the 
Windows directory and tested it again and got a pop up informing me I am about to import an address book (versus their 
lolhacked popup). If I had to take a stab at it, judging by this comment:

> One last thing, rather than just running a random POC I've actually
> looked into what's going on, via Process Monitor, and as far as it's
> concerned, it always loaded the correct (ie, the original) dlls.

my guess would be that one of you has a copy of the DLL in the DLL search path (which *doesn't* include . until the 
second to last stage by default), and one of you does not. 

..De asini vmbra disceptare.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
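
The search-order explanation in the message above, as an added example that is not part of the original post: a Python model of the documented classic Windows DLL search order (application directory, system directories, Windows directory, current directory, PATH), run over a constructed directory tree to show why two machines can resolve the same DLL name differently. The function names and directory layout are assumptions made for illustration, and KnownDLLs and already-loaded modules are not modelled.

```python
import os
import tempfile

def search_stages(app_dir, system_dir, system16_dir, windows_dir, cwd,
                  path_dirs, safe_mode=True):
    """Ordered (label, directory) stages of the classic desktop search order."""
    fixed = [("system", system_dir), ("system16", system16_dir),
             ("windows", windows_dir)]
    current = [("cwd", cwd)]
    # SafeDllSearchMode (the default) moves the current directory behind the
    # system locations; with it disabled the current directory comes second.
    middle = fixed + current if safe_mode else current + fixed
    return [("application", app_dir)] + middle + [("path", d) for d in path_dirs]

def resolve_dll(name, stages):
    """Return (label, full_path) of the first stage holding `name`, else None."""
    for label, directory in stages:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable directory: the stage is skipped
        for entry in entries:
            if entry.lower() == name.lower():  # Windows file names are case-insensitive
                return label, os.path.join(directory, entry)
    return None

def demo():
    """Constructed directory tree standing in for the two test machines."""
    root = tempfile.mkdtemp()
    dirs = {k: os.path.join(root, k) for k in
            ("app", "system32", "system", "windows", "share", "bin")}
    for d in dirs.values():
        os.makedirs(d)
    stages = search_stages(dirs["app"], dirs["system32"], dirs["system"],
                           dirs["windows"], dirs["share"], [dirs["bin"]])
    # Machine A: only the current directory holds a copy of the DLL.
    open(os.path.join(dirs["share"], "wab32res.dll"), "w").close()
    machine_a = resolve_dll("wab32res.dll", stages)[0]
    # Machine B: a copy also sits in the Windows directory and is found first.
    open(os.path.join(dirs["windows"], "WAB32RES.DLL"), "w").close()
    machine_b = resolve_dll("wab32res.dll", stages)[0]
    return machine_a, machine_b

if __name__ == "__main__":
    print(demo())
```
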

