Nmap Development mailing list archives

Re: Zenmap GUI DLL Hijacking (zenmap.exe)

From: Fyodor <fyodor () insecure org>
Date: Sat, 18 Sep 2010 12:11:45 -0700

On Sat, Sep 18, 2010 at 05:51:41PM +0700, public mail wrote:
> Hi there..
>
> I found your Zenmap GUI is vulnerable to a DLL hijacking exploit.
> It can be exploited via intl.dll

Hi NoGe.  Thanks for the report, although we've already discussed the
way Zenmap loads intl.dll on this list (see
http://seclists.org/nmap-dev/2010/q3/index.html).  We don't consider
this a Zenmap vulnerability because users would have to try pretty
hard to exploit themselves.  But it is still worth noting the issue.
Microsoft has intentionally included the "current directory" in their
DLL search path, so many applications behave this way if you manage to
open them such that the "current directory" contains malicious DLLs.
With Zenmap (and other software), I recommend opening the application
first by clicking on its desktop icon or start menu entry.  Then you
can open scans from the "Scan -> Open Scan" menu item or Ctrl-O.

I do think that Microsoft's inclusion of the current directory in
their DLL search path is a bad design decision.  If we find an easy
way to disable this behavior for Zenmap, I think we should do so.  It
is a bit complex since Nmap is a Python program which we convert into
an executable using py2exe.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
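The search-order behaviour described in the reply, and the "disable this for Zenmap" mitigation it wishes for, as an added example that is not code from the original message or from the Nmap project. It models Microsoft's documented legacy DLL search order (application directory, system directories, current directory, PATH when SafeDllSearchMode is on; the current directory moves to second place when it is off) so you can see where a planted intl.dll wins, and `harden_dll_search()` applies the documented `SetDllDirectory("")` mitigation through ctypes. Every directory name, the file listing in `FS`, and the assumption that intl.dll is absent from the application directory (as the report implies) are constructed for the example.

```python
"""Windows DLL search order vs. a DLL planted next to a double-clicked file.

Added example, not Zenmap/Nmap code.  The search-order model runs on any
OS; harden_dll_search() only does real work on Windows.
"""
import ctypes
import sys


def dll_search_order(app_dir, cwd, system_dirs, path_dirs,
                     safe_search_mode=True, cwd_in_search=True):
    """Directories LoadLibrary consults, in order, for a bare DLL name.

    safe_search_mode=True  -> app dir, system dirs, current dir, PATH
    safe_search_mode=False -> app dir, current dir, system dirs, PATH
    cwd_in_search=False    -> models SetDllDirectory(""): cwd is dropped.
    """
    order = [app_dir]
    cwd_entry = [cwd] if cwd_in_search else []
    if safe_search_mode:
        order += list(system_dirs) + cwd_entry
    else:
        order += cwd_entry + list(system_dirs)
    order += list(path_dirs)
    return order


def resolve_dll(dll_name, search_order, dir_contents):
    """Directory a DLL would be loaded from, or None if not found.

    dir_contents maps directory -> set of file names and stands in for the
    real filesystem (Windows file names compare case-insensitively).
    """
    wanted = dll_name.lower()
    for directory in search_order:
        names = {f.lower() for f in dir_contents.get(directory, ())}
        if wanted in names:
            return directory
    return None


def harden_dll_search():
    """Remove the current directory from this process's DLL search path.

    Calls kernel32!SetDllDirectoryW(L"").  Only LoadLibrary calls made after
    this point are affected, so in a py2exe build it must run at the top of
    the entry script, before any import that loads native DLLs.  DLLs in the
    executable's own import table are resolved by the loader before any
    Python runs and are outside its reach.  Returns True if applied.
    """
    if sys.platform != "win32":
        return False
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.SetDllDirectoryW.argtypes = [ctypes.c_wchar_p]
    kernel32.SetDllDirectoryW.restype = ctypes.c_int  # BOOL
    if not kernel32.SetDllDirectoryW(""):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


# Constructed scenario: names and contents are illustrative, not real.
APP_DIR = r"C:\Program Files\Nmap"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
PATH_DIRS = [r"C:\Windows\System32", r"C:\Python27"]
DOWNLOADS = r"C:\Users\victim\Downloads"   # folder the scan file was opened from

FS = {
    APP_DIR: {"zenmap.exe", "python27.dll"},          # no intl.dll here (assumed)
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    DOWNLOADS: {"scan.xml", "intl.dll"},              # intl.dll planted by attacker
}


def demo(cwd=DOWNLOADS):
    """Where intl.dll loads from before and after SetDllDirectory("")."""
    before = resolve_dll("intl.dll",
                         dll_search_order(APP_DIR, cwd, SYSTEM_DIRS, PATH_DIRS), FS)
    after = resolve_dll("intl.dll",
                        dll_search_order(APP_DIR, cwd, SYSTEM_DIRS, PATH_DIRS,
                                         cwd_in_search=False), FS)
    return before, after


if __name__ == "__main__":
    print("cwd = Downloads:", demo())          # (DOWNLOADS, None)
    print("cwd = app dir:  ", demo(cwd=APP_DIR))  # (None, None)
    print("hardened:", harden_dll_search())
```

The second `demo` call is why the "start from the desktop icon" advice helps: a shortcut launches with whatever working directory it specifies rather than the folder holding the scan file, so the planted DLL is never on the path. The hardening call is the stronger fix, since it does not depend on how the user opened the program.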
