On Fri, Sep 10, 2010 at 11:46 AM, Nikhil Mittal <nikhil_uitr...@yahoo.co.in> wrote: > > >>Here's my definition > > >>Exploitable vulnerability = vulnerabilityn't t > >>Non-exploitable "vulnerability" = mental masturbation > > Nice definition. I would like to add one more line for my definition > > Inability to recognize a straight forward vulnerability = mentally handicap
OK, lets go over this again. Nikhil, Simple DLL Hijacking is quite possibly the least straightforward potentially exploitable condition *of all time*. We may look back on this characteristic as the thing that finally proved the legitimacy of Cross Site Scripting attacks -- compared to Simple DLL Hijacking, XSS is practically a stack smash. Simple DLL Hijacking's problem is as follows: a) The presumed preconditions for an attack are extensive and expensive b) An attacker who met those preconditions, would not be stopped by the proposed defenses Regarding a, we're seeing lots of PDF 0-day floating around. Why? Because it's pretty cheap to get somebody to parse a PDF: <iframe src='foo.pdf'> and you're done. Getting someone to go through all the steps with SDH? Too complicated. That being said, there are scenarios. Matt @ AttackVector probably found the best one right now -- a worm drops DLLs into a shared document folder, and anyone who opens the docs gets hit. And of course, multiple people have figured out that SDH causes problems for Autorun defenses, because a document read (not copied) directly off a thumbdrive will presently launch code. Even if you grant these are legitimate vectors, these are vectors bouncing off Office's presumed type safety -- not WinImageView 3.4.8's. And they're not even close to straightforward. The core problem though is that Explorer itself doesn't strongly enforce type safety. I can't emphasize enough, you just don't have enough context when you double click an item in a browser, that it's not actually an .exe. People keep pretending you do have this context, and it's simply untrue. Look at it this way: If it was as easy to execute arbitrary code from a web page, as it was from a Explorer Shell Window to \\attacker.com\foo, we'd be up in arms. So essentially, what you find is that the very concept of browsing remote shares and USB sticks you don't trust, is unsafe. This creates the astonishing situation where Sharepoint becomes a security technology! You might notice that I keep referring to all this as Simple DLL Hijacking. It's likely that DLL Hijacking will actually be a critical component of a genuine attack vector. It's just not, yet. The journey of a thousand miles has been declared complete with a single step. So we're on the cusp of some huge portion of advisories coming from the security community being little more than "random Windows app runs DLLs from CWD". Frankly, I think we can find better bugs. I think we'd better. Just like bad money drives out good money, bad bugs drive out good bugs. The credibility of advisories, and even the usefulness of FD, is somewhat at risk. --Dan P.S. Maybe there should be a new list -- full-disclosure-sdh -- for this discussion? I can't be the only one wondering how enormous this thread has to get. Yeah, yeah, I know. I'm dreaming. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/