Full Disclosure mailing list archives
Re: Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Fri, 25 Jul 2014 14:50:19 +0200
Gynvael Coldwind wrote:

> Well it was discussed a couple of times recently on FD that this is a bug, but it's not a privilege escalation. If you are admin (and you did mention that it's a prerequisite) you can execute code as other users anyway - so there's no *escalation* here. Therefore it's not a security bug (unless you are using a super old version of Windows with incorrect ACLs on c:\, which sounds like a bug in itself), just a "normal" bug. Not sure if FD is the right place for non-security bugs tbh.
If these bugs were no security bugs: why does Microsoft then publish fixes for (at least some of) them via MSRC bulletins and Windows Update?
See <https://technet.microsoft.com/library/security/ms13-058.aspx> or <https://technet.microsoft.com/library/security/ms13-034.aspx>

Or pulls drivers whose setup routines show these bugs from Windows Update?
See <http://seclists.org/fulldisclosure/2014/May/40>

Also try to see these bugs as a blended threat:

* during Windows setup Microsoft still creates all user accounts as administrators.
* Microsoft sells its unsuspecting users UAC as a security feature, but does NOT inform them (or at least does not inform Joe Average) that UAC is not a security boundary and they should better use a restricted^Wstandard user account instead of the administrator account created during setup.
* Joe Average will happily give consent to any program which presents a UAC prompt to him: he wants to get his work done, and this UAC prompt is just an annoyance. BTW: when Windows asks him for consent, this must be right?

regards
Stefan
> Cheers,
>
> On 25 Jul 2014 00:46, "Stefan Kanthak" <stefan.kanthak () nexgo de> wrote:
>
>> Brandon Perry wrote:
>>
>>> So, I am very curious how you are finding these? Have you automated this or is it manual hand work?
>>
>> All my Windows installations have <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and <http://home.arcor.de/skanthak/download/SENTINEL.DLL> preinstalled as C:\Program.exe and C:\Program.dll, so I'm notified when some poorly written program tries to execute them. The sentinels call MessageBox() with "MB_SERVICE_NOTIFICATION", so the messages are recorded in the event log too, where I can find them later.
>>
>> I also preinstall an APPINIT.DLL <https://support.microsoft.com/kb/197571> which logs all command lines of programs linked to USER32.DLL to a file: filtering for "C:\Program " at column 1 lists all the culprits.
>>
>> My third source is a SAFER.Log <https://technet.microsoft.com/cc786941.aspx> where every execution attempt is logged, including the executable's caller: filtering this for "\program.exe" or "\program.dll" lists all the culprits.
>>
>> So basically I just have to sit and wait...
>>
>> In case one of my customers was hit, and this did not happen during an installation, I have to interrogate them what they did... and hope they can remember with sufficient detail. But almost all hits occur during installations or the customization following an installation (here it was the import of existing mails into a new account), so these are not so difficult to reproduce.
>>
>> regards
>> Stefan
>>
>> PS: of course it helps if 8.3 names are disabled and "C:\Program Files\" can't be aliased as C:\Progra~1\
>> To achieve this just run FORMAT C: /FS:NTFS /S:Disable in Windows PE before you start the installation of Windows 7 and later.
>> For Windows NT5.x you'll have to use \i386\MIGRATE.INF
>>
>>> On Wed, Jul 23, 2014 at 2:50 PM, Stefan Kanthak <stefan.kanthak () nexgo de> wrote:
>>>
>>>> Hi @ll,
>>>>
>>>> the import function of Windows Mail executes a rogue program C:\Program.exe with the credentials of another account, resulting in a privilege escalation!
>>>>
>>>> [...]
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
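The thread turns on how CreateProcess() interprets an unquoted command line containing spaces: "C:\Program Files\..." is tried as C:\Program.exe first, which is exactly what the SENTINEL.EXE trick above catches. The following Python is an added example written for this archive page, not code from the thread or from its participants. It models the documented probe order of CreateProcess() (one candidate per whitespace run, ".exe" appended when the last path component has no extension, a simplification of the real rule), resolves each candidate against an injected filesystem predicate, and reports, for each command line, which paths get tried before the one that actually runs. All paths, command lines and the two fake filesystems are constructed for the demo; a real audit would plug in os.path.exists and feed it the Run keys, service ImagePath values or scheduled-task actions of the machine under review, which this example deliberately does not read.

```python
"""Added example: model of the CreateProcess() probe order for unquoted command
lines, plus an audit that lists the paths probed before the intended program.
The precedence mirrors the order the CreateProcess documentation gives for
"c:\\program files\\sub dir\\program name"; the ".exe" rule is simplified.
Every path, entry and filesystem below is constructed for the demo."""
import re
from typing import Callable, Dict, Iterable, List, Optional


def _has_extension(path: str) -> bool:
    """True if the last path component contains a '.', e.g. 'import.exe'."""
    return "." in path.rsplit("\\", 1)[-1]


def probe_order(command_line: str) -> List[str]:
    """Executables the loader would try, in order, for one command line.

    A command line starting with a double quote yields exactly one candidate
    (the quoted path).  An unquoted one yields one candidate per whitespace
    run, which is the ambiguity that makes C:\\Program.exe get executed.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        path = cmd[1:close] if close != -1 else cmd[1:]
        return [path if _has_extension(path) else path + ".exe"]
    prefixes = [cmd[: m.start()] for m in re.finditer(r"\s+", cmd)] + [cmd]
    return [p if _has_extension(p) else p + ".exe" for p in prefixes]


def resolve(command_line: str, exists: Callable[[str], bool]) -> Optional[str]:
    """First candidate that exists on the injected filesystem, or None."""
    for candidate in probe_order(command_line):
        if exists(candidate):
            return candidate
    return None


def audit(entries: Dict[str, str], exists: Callable[[str], bool]) -> List[dict]:
    """For each named command line, report what actually runs and which paths
    are probed before it.  Each probed-before path is a location where a
    planted file would run instead of the intended program, so 'exposed' is
    True whenever that list is non-empty."""
    findings = []
    for name, cmd in entries.items():
        order = probe_order(cmd)
        hit = resolve(cmd, exists)
        probed_before = order[: order.index(hit)] if hit else order
        findings.append({
            "name": name,
            "resolved": hit,
            "probed_before": probed_before,
            "exposed": bool(probed_before),
        })
    return findings


def fs_from(paths: Iterable[str]) -> Callable[[str], bool]:
    """Case-insensitive 'exists' predicate over a constructed set of paths."""
    lowered = {p.lower() for p in paths}
    return lambda p: p.lower() in lowered


# Constructed data: an intended program under "Program Files", a system
# binary, and a second filesystem that also carries a sentinel C:\Program.exe
# in the spirit of the SENTINEL.EXE described in the thread.
INTENDED = r"C:\Program Files\Example Mail\import.exe"
CLEAN_FS = fs_from({INTENDED, r"C:\Windows\System32\svchost.exe"})
SENTINEL_FS = fs_from({INTENDED, r"C:\Windows\System32\svchost.exe",
                       r"C:\Program.exe"})

SAMPLE_ENTRIES = {  # constructed command lines in the style of Run/ImagePath values
    "mail-import-unquoted": INTENDED + " /account new",
    "mail-import-quoted": '"' + INTENDED + '" /account new',
    "svchost": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for label, fs in (("clean", CLEAN_FS), ("with sentinel", SENTINEL_FS)):
        print(f"--- filesystem: {label}")
        for f in audit(SAMPLE_ENTRIES, fs):
            print(f"{f['name']}: runs {f['resolved']!r}; "
                  f"probed before: {f['probed_before']}")
```

On the clean filesystem the unquoted entry resolves to the intended import.exe but reports C:\Program.exe and "C:\Program Files\Example.exe" as probed first; with the sentinel present the same entry resolves to C:\Program.exe, which is why a sentinel file turns the bug into a visible event. The quoted entry and the svchost entry probe nothing before their real binary on either filesystem.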