Re: KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

[Christian Sciberras <uuf6429 () gmail com>]

> Bwt, you can simply turn our Internet-based test into an intranet or local test by
> copying the files to your local share or a folder on your computer and double-click
> the .wab file from there. The usual caution with runnning code from unknown sources
> applies, of course.

I did better, I wrote my own test, which just like your test, it
failed proving the vulnerability.
The only difference was that I knew what was going wrong and tried to
get it to work in all ways possible;
it only seemed to work when the right possible wasn't anywhere near
the running executable (or system directories).

Unless the whole point of the vulnerability was to exploit non-existent dlls??

> Can you please send the Process Monitor log for this case? We'll be happy to look
> into your case.

Sure, fine by me.


Regards,
Chris.



On Thu, Sep 9, 2010 at 12:32 PM, Mitja Kolsek
<mitja.kolsek () acrossecurity com> wrote:
> Hi Chris,
>
> > Considering Acros highlighted how their POC was highly
> > unstable (they've frequently advised to try the program
> > several times to get it to work) I don't see such abnormal
> > behaviour out of this world.
>
> Indeed, we're seeing problems with accessing (any) remote WebDAV shares from various
> Windows computers, while it works just great on others. Based on network monitoring,
> it doesn't seem to be the problem with the server though, but rather with occasionaly
> unreliable support for WebDAV folders in Windows. We're looking for possible causes
> and especially for workarounds that could improve the reliability.
>
> We'll appreciate your feedback - tell us how it worked or didn't work for you. It's a
> chance for us all to learn something new.
>
> Bwt, you can simply turn our Internet-based test into an intranet or local test by
> copying the files to your local share or a folder on your computer and double-click
> the .wab file from there. The usual caution with runnning code from unknown sources
> applies, of course.
>
> > One last thing, rather than just running a random POC I've
> > actually looked into what's going on, via Process Monitor,
> > and as far as it's concerned, it always loaded the correct
> > (ie, the original) dlls.
>
> Can you please send the Process Monitor log for this case? We'll be happy to look
> into your case.
>
> Cheers,
>
> Mitja Kolsek
> CEO&CTO
>
> ACROS, d.o.o.
> Makedonska ulica 113
> SI - 2000 Maribor, Slovenia
> tel: +386 2 3000 280
> fax: +386 2 3000 282
> web: http://www.acrossecurity.com
>
> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/