Full Disclosure mailing list archives
Re: Downloads Folder: A Binary Planting Minefield
From: Grandma Eubanks <tborland1 () gmail com>
Date: Mon, 20 Feb 2012 16:50:46 -0600
Malware has been using it to spread through local shares and also using it as easy privilege escalations for known trusted software. Like I said and have always said, the vectors are going to be local and for further compromise.

On Mon, Feb 20, 2012 at 4:22 PM, Sanguinarious Rose <SanguineRose () occultusterra com> wrote:
> On Mon, Feb 20, 2012 at 2:28 PM, Jeffrey Walton <noloader () gmail com> wrote:
> > Hi Mitja,
> >
> > On Fri, Feb 17, 2012 at 11:32 AM, ACROS Security Lists <lists () acros si> wrote:
> > > This blog post reveals a bit of our research and provides an advance notification of a largely unknown remote exploit technique on Windows. More importantly, it provides instructions for protecting your computers from this technique while waiting for the affected software to correct its behavior.
> > >
> > > http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
> > >
> > > $ Look for the presence of any *.dll files in the Downloads folder and do the same as in the previous step.
> > > $ Delete all files from the Downloads folder.
> >
> > I don't believe a PE/PE+ executable needs a DLL extension to be loaded by LoadLibrary and friends.
>
> They do not need a specific extension for LoadLibrary() to work. This is more having to do with dll search paths which has been a known exploit vector for a long while now. I do know Win7 fixes this by just not checking the local directories when it loads a .exe, I am unsure if Vista does the same, and I am positive WinXP checks local directories first since I've done so under WinXP.
>
> They might have something interesting with the msiexec.exe with it checking the local directory first. I would call this a programming issue by the installer not specifying a full path and no validations. If a dev was really concerned when they called LoadLibrary() they could just use SetDllDirectory(), GetDllDirectory(), and friends to manipulate where they look for dlls.
>
> Since I responded to something in this subject, I would like to share my personal opinion this doesn't really seem like a major exploit vector. It appears to fall to usual do and do not of basic security. Obviously downloading files from a suspect website is a security risk.
>
> > Perhaps a scanning/cleansing tool would be helpful.
> >
> > Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
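As an added example (not code from the thread or from the ACROS advisory): the advisory's cleanup step looks for `*.dll` files, but as the replies above note, a PE image does not need a `.dll` extension to be loaded. This PowerShell check identifies PE images in the Downloads folder by their DOS/COFF headers and flags any DLL image whose filename hides that fact. The Downloads path and the report format are assumptions.

```powershell
# Added example, not part of the original thread. Identifies PE images by header
# (MZ stub, PE signature, COFF Characteristics) rather than by file extension.
function Get-PEImageInfo {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt 0x40) { return $null }
        $hdr = New-Object byte[] 0x40
        [void]$fs.Read($hdr, 0, 0x40)
        # DOS header starts with "MZ"; e_lfanew at offset 0x3C points to "PE\0\0"
        if ($hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return $null }
        $peOffset = [BitConverter]::ToInt32($hdr, 0x3C)
        if ($peOffset -le 0 -or ($peOffset + 24) -gt $fs.Length) { return $null }
        [void]$fs.Seek($peOffset, 'Begin')
        $pe = New-Object byte[] 24   # 4-byte signature + 20-byte COFF file header
        [void]$fs.Read($pe, 0, 24)
        if ([BitConverter]::ToUInt32($pe, 0) -ne 0x00004550) { return $null }
        $machine         = [BitConverter]::ToUInt16($pe, 4)    # COFF Machine field
        $characteristics = [BitConverter]::ToUInt16($pe, 22)   # COFF Characteristics
        [pscustomobject]@{
            Path      = $Path
            Machine   = ('0x{0:X4}' -f $machine)               # 0x014C = x86, 0x8664 = x64
            IsDll     = [bool]($characteristics -band 0x2000)  # IMAGE_FILE_DLL
            Extension = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
        }
    } finally { $fs.Dispose() }
}

# Assumed location of the current user's Downloads folder; adjust as needed.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-PEImageInfo -Path $_.FullName } |
    Where-Object { $_ -ne $null } |
    ForEach-Object {
        $flag = if ($_.IsDll -and $_.Extension -ne '.dll') { 'DLL WITHOUT .dll EXTENSION' }
                elseif ($_.IsDll) { 'DLL' }
                else { 'EXE/other PE' }
        '{0,-28} {1,-8} {2}' -f $flag, $_.Machine, $_.Path
    }
```

Any line reported as a DLL without a `.dll` extension is a file that an extension-based search would have missed; review or remove it before running installers or other software from that folder.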
Current thread:
- Downloads Folder: A Binary Planting Minefield ACROS Security Lists (Feb 17)
- Re: Downloads Folder: A Binary Planting Minefield Kyle Creyts (Feb 19)
- Re: Downloads Folder: A Binary Planting Minefield Jeffrey Walton (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Jeffrey Walton (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Sanguinarious Rose (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Grandma Eubanks (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield ACROS Security Lists (Feb 22)
- Re: Downloads Folder: A Binary Planting Minefield Nate Theis (Feb 22)
- Re: Downloads Folder: A Binary Planting Minefield Sanguinarious Rose (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Kurt Dillard (Feb 21)
- Re: Downloads Folder: A Binary Planting Minefield Kyle Creyts (Feb 19)