Full Disclosure mailing list archives
Re: Nmap NOT VULNERABLE to Windows DLL HijackingVulnerability
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 13 Sep 2010 22:52:18 +0200
<paul.szabo () sydney edu au> wrote:
Fyodor <fyodor () insecure org> wrote:nmap <= 5.21 is vulnerable to Windows DLL Hijacking Vulnerability.Nmap is not vulnerable. DLL hijacking works because of an unfortunate interaction between apps which register Windows file extensions and the default Windows DLL search path used for those apps. Nmap does not, and never has, registered any Windows file extensions. So it isn't vulnerable to this issue.
I beg to differ: nmap is of course vulnerable, it may load airpcap.dll from CWD due to the well-known deficiency in Windows' LoadLibrary(). The question but is: how (easy) can this be exploited.
The "easy demo" is with clicks, which needs registration of extensions.
... and to lure the unsuspecting user.
The "real thing" is a DLL in the current directory. Unless you always use "cd path/to/nmap; ./nmap" to start, you are vulnerable: most people would set their %PATH% to include the right thing for easy nmap.
Are you kidding? The normal Windows user will almost never use the command line, for most of them "cd path/to/nmap; ./nmap" is just gibberish (yes, some users will use Explorer and perform the GUI equivalent of these commands.-) The same holds for setting/changing the PATH. The right thing^W^WWindows way for "easy nmap" is: * for a GUI/mouse user: create/use a shortcut (*.LNK) in the start menu or on the desktop during installation. When an application is started from this shortcut, CWD will be set to the path specified as "Run in:" in the *.LNK, if given there. If but omitted/left blank, CWD will be set to the directory which was CWD when the shell was started. * for a CLI/keyboard user: create the registry entry [HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\application.exe] @=expand:"%ProgramFiles%\<vendor>\<product>\application.exe" during installation. This allows a "start application" in the command interpreter, as well as Start->Run "application" [Enter] in the shell/on the desktop. Additionally you can add a registry entry "Path"="...[;...]" which gets prepended before %PATH% when "application.exe" is started, in every way described above! It's the task of the developer/packager of "application.exe" to create the correct shortcut and to create the right registry entries for his "application.exe" to prevent havoc! BTW: MSFT got bitten by the search path a LOOONG time ago: see <http://support.microsoft.com/kb/269049/en-us> alias <http://www.microsoft.com/technet/security/bulletin/MS00-052.mspx> Fortunately, it was MSFT too who advised their customers to open this hole: see <http://support.microsoft.com/kb/249321/en-us> MSFT but could have done it right in the first place with: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon] "UserInit"=expand:"%SystemRoot%\\SYSTEM32\\USERINIT.EXE" This works with NT4 and Windows 2000. In later versions, some braindead developer but removed the expansion of environment variables there. Stefan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- nmap <= 5.21 is vulnerable to Windows DLL Hijacking Vulnerability. Nikhil Mittal (Sep 06)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability Fyodor (Sep 08)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability paul . szabo (Sep 08)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability jf (Sep 09)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability paul . szabo (Sep 08)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability Rohit Patnaik (Sep 08)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability jf (Sep 09)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability paul . szabo (Sep 08)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability Pavel Kankovsky (Sep 18)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability Thor (Hammer of God) (Sep 18)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability paul . szabo (Sep 08)
- Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability Fyodor (Sep 08)
- Re: Nmap NOT VULNERABLE to Windows DLL HijackingVulnerability Stefan Kanthak (Sep 14)