From: Stefan Kanthak
Sent: Monday, July 28, 2014 10:43
To: Michael Cramer, Gynvael Coldwind
Cc: fulldisclosure, Brandon Perry, bugtraq@securityfocus.com
Michael Cramer mike.cra...@outlook.com wrote:
sudo make-me-a-sandwich.py
How is this different from
not sure why you brought UAC into the discussion - did I miss
something? or was it just an argument you've heard before and wanted
to reply to it preventively?)
Cheers!
regards
Stefan
On Fri, Jul 25, 2014 at 2:50 PM, Stefan Kanthak stefan.kant...@nexgo.de
wrote:
Gynvael Coldwind wrote
| the executable path in lpCommandLine, as shown in the example below.
Long filenames were introduced 20 years ago, but M$FTs developers still
can't handle them properly, and their QA is unable to detect such silly
and trivial to spot bugs!
regards
Stefan Kanthak
PS: yes, it needs
Apple's developers start to develop a sense for safety and security:
stay away from their (Windows) software!
regards
Stefan Kanthak
Timeline:
~
2014-06-06  informed vendor
2014-06-06  vendor sent automated response
... no more reaction
2014-07-03  requested status
-too-ha.html
https://technet.microsoft.com/library/security/ms07-061
Quotes bite, but missing quotes bite too^Wmore!
regards
Stefan Kanthak
PS: the following command lines with unquoted pathnames execute C:\Program.exe:
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media
Player\shell\open
of QA?
And some more to teach beginner courses on (Windows) programming to
your developers?
Long filenames containing spaces are used in Windows for 20 years
now and your developers still don't get them right?
regards
Stefan Kanthak
JFTR: the driver for the HP OfficeJet 6700 is not the only one
\
Au_.exe in turn called Windows' CreateProcess() function with the
(you guess it) UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver
which again led to execution of C:\Program.exe
regards
Stefan Kanthak
properly.
The problem is not the C language!
The problem is the inconsistent (and sloppy) implementation of similar
functions of the Win32 API and their inconsistent and sloppy documentation.
regards
Stefan Kanthak
On Sun, Nov 3, 2013 at 4:30 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote:
Hi
() == ERROR_INVALID_PARAMETER or similar.
FIX: ALL interfaces of the Win32 API should^WMUST verify (ALL) their
arguments properly before using them and return an appropriate,
documented error code.
stay tuned
Stefan Kanthak
\Session Manager]
SafeProcessSearchMode=dword:0001
stay tuned
Stefan Kanthak
PS: when filename.bat or filename.cmd are started from Windows
Explorer the console window of the new process shows the icon of
the CMD.EXE found in the 'current working directory' (i.e. the
directory where
https://support.microsoft.com/kb/2826020 alias
http://technet.microsoft.com/security/bulletin/MS13-086
Whoever uses outdated and vulnerable versions of products is just stupid!
Stefan Kanthak
alias
http://technet.microsoft.com/security/bulletin/ms12-034
stay tuned
Stefan Kanthak
PS: if Microsoft weren't such sloppy coders and had a QA department this
whole class of vulnerabilities would not exist: the path to EVERY
executable in Windows is well-known, all
to be a security boundary, so such an escalation is not
considered to be a security vulnerability.
2013-10-02  report published
stay tuned
Stefan Kanthak
| in a position to carry out these attacks could also carry out many
| other attacks we can't stop. The link provided below explains this in
| detail.
OUCH!
Stefan Kanthak
marks with arguments such as %1 that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.
http://msdn.microsoft.com/library/dd203067.aspx
http://msdn.microsoft.com/library/cc144109.aspx
regards
Stefan Kanthak
the source of the problem!
Instead they introduced things like the security theatre UAC: with
Windows 8 the user account(s) created during setup still have
administrative rights. And Windows 7 introduced the silent elevation
for about 70 of Microsoft own programs...
stay tuned
Stefan Kanthak
PS: if you
Jeffrey Walton wrote:
Hi Stefan,
... administrative rights for every user account
This WAS the default for user accounts back then, and still IS the
default for user accounts created during setup.
Hmmm... XP/x64 appears to have a bug such that the second user also
needs to be admin
diligence?
And what about quality assurance?
JFTR: the unqualified filenames used in this cruft are nice targets for
binary planting attacks!
stay tuned
Stefan Kanthak
and insecure programs.
stay tuned
Stefan Kanthak
PS: it's getting worse^Wmore complicated (and as everybody with a
sane mind knows: complexity reduces/ruins safety and security)!
With Windows Vista Microsoft introduced user account control
(really: they surrendered to all those
.
so do we now disable unlink();
Not WE, but the developer.
All functions which are not used in the typical operating
environment of the resp. program (see above) have to be turned
off by default. file handling is NONE of PHPs typical operations!
Stefan Kanthak
.
Stefan Kanthak
Reindl Harald h.rei...@thelounge.net wrote:
On 11.08.2013 22:15, Stefan Kanthak wrote:
Reindl Harald h.rei...@thelounge.net wrote:
On 10.08.2013 16:52, Tobias Kreidl wrote:
It is for this specific reason that utilities like suPHP can be used as a
powerful tool to at least keep
://support.microsoft.com/kb/835322
When installed via the MSVCRT++ redistributable package,
Windows Update but keeps this component up-to-date!
Stefan Kanthak
Timeline:
~
2013-08-06  informed developer
2013-08-06  developer replies:
a. EAC was released two months after
-B7D0-4933-B1A9-3707EBACC573}]
UninstallString=C:\\Program Files (x86)\\Intel\\OpenCL
SDK\\2.0\\Uninstall\\setup.exe -uninstall
stay tuned
Stefan Kanthak
PS: if you want to catch such beginners errors place a copy of
http://home.arcor.de/skanthak/download/SENTINEL.EXE as
%SystemDrive
others of
numerous other developers/companies, which come with outdated and
vulnerable MSI merge modules, are installed,
* the current version of the standalone redistributable packages of the
resp. MSVCRT, MFC, ATL etc. are NOT installed,
are (potentially) VULNERABLE!
stay tuned
Stefan
and later only.
Stefan Kanthak
PS: the PDF Preview Handlers which are installed unconditionally on
Windows XP are superfluous too (at least when Outlook 2007 is not
installed).
Cf. http://msdn.microsoft.com/library/cc144143.aspx
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6
report published
Stefan Kanthak
[*] DW20Shared.msi is bundled with numerous other Microsoft products too,
including
* Windows Defender
* Forefront Security ...
* Office 2003 (and every single component of it, Word, Excel, PowerPoint,
Outlook, Visio, Access, Publisher
.
The VERY simple fix (which eliminates this attack vector completely):
always use fully-qualified paths to the well-known executables.
JFTR: cf. http://seclists.org/fulldisclosure/2011/Sep/160
Stefan Kanthak
\\DeskUpdate.exe
The last entry is a pathname with unquoted spaces and allows the
execution of the rogue programs C:\Program.exe and/or
C:\Program Files.exe, as documented in
http://msdn.microsoft.com/library/ms682425.aspx
Stefan Kanthak
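The unquoted command lines quoted in the posts above (the Windows Media Player shell\open command, the McCHSvc.exe /unregserver call made via CreateProcess(), the Intel OpenCL SDK UninstallString, the DeskUpdate.exe entry) all fail in the same way, and the rule they fail by is the one documented at http://msdn.microsoft.com/library/ms682425.aspx: without lpApplicationName, the first whitespace-delimited token is the module name, and when it does not resolve the system extends it one whitespace run at a time, appending .exe where an extension is missing. The Python script below is an added example, not code from any of the posts, from Microsoft or from the vendors named; it enumerates the candidates CreateProcess() tries for a given command line and scans a constructed .reg export for affected values. Assumptions: the sample export and its vendor names are placeholders, the ".exe is only appended when the last path component has no extension" rule is taken from SearchPath(), and the heuristic that the intended program ends at the first token carrying an executable extension is mine, not part of the Win32 documentation.

```python
"""Added example: which executables does Windows' CreateProcess() try for a
command line passed without lpApplicationName?  Rules follow the CreateProcess
documentation (msdn ms682425): an unquoted first token is the module name; if
it cannot be resolved the name is extended one whitespace run at a time, and
'.exe' is appended to a name without an extension.  Input below is constructed."""
import re

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")


def _with_exe(path):
    # Assumption: as with SearchPath(), '.exe' is only appended when the last
    # path component does not already end in an extension.
    last = re.split(r"[\\/]", path)[-1]
    return path if "." in last else path + ".exe"


def _unquoted_prefixes(cmd):
    """Every prefix of CMD that stops at a whitespace run, then CMD itself."""
    return [cmd[:m.start()] for m in re.finditer(r"\s+", cmd)] + [cmd]


def createprocess_candidates(cmd):
    """Module paths CreateProcess() tries, in order, for command line CMD."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted: the module name is unambiguous
        end = cmd.find('"', 1)
        return [_with_exe(cmd[1:end] if end > 0 else cmd[1:])]
    return [_with_exe(p) for p in _unquoted_prefixes(cmd)]


def rogue_candidates(cmd):
    """Executables tried BEFORE the intended program.  Whoever can create one of
    them (C:\\Program.exe needs only create rights on the root of the drive,
    the others create rights below Program Files) runs with the rights of the
    account executing CMD.  Empty for quoted or space-free program paths.
    Heuristic (not from the Win32 documentation): the intended program ends at
    the first token that ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return []
    prefixes = _unquoted_prefixes(cmd)
    for i, p in enumerate(prefixes):
        if p.lower().endswith(EXEC_EXTS):
            return [_with_exe(q) for q in prefixes[:i]]
    return []                               # cannot tell where the name ends


# .reg export: [Key] lines, then "Name"="data" or @="data" for REG_SZ values;
# inside the data \\ encodes a backslash and \" a double quote.
_REG_VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"\s*$')


def _reg_unescape(data):
    return re.sub(r"\\(.)", r"\1", data)


def scan_reg_export(text):
    """Map 'Key\\ValueName' -> rogue executables for every REG_SZ value whose
    data is an unquoted command line with a space inside the program path."""
    findings, key = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_VALUE.match(line)
        if m:
            name = "@" if m.group(1) is None else m.group(1)
            rogue = rogue_candidates(_reg_unescape(m.group(2)))
            if rogue:
                findings[key + "\\" + name] = rogue
    return findings


# Constructed sample export in the shape of the fragments quoted in the posts;
# the vendor/product names are placeholders, not real registry contents.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Vulnerable]
"UninstallString"="C:\\Program Files (x86)\\Example\\OpenCL SDK\\2.0\\Uninstall\\setup.exe -uninstall"
"ImagePath"="C:\\Program Files\\Example Security Scan\\3.0\\svc.exe /service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Fixed]
"UninstallString"="\"C:\\Program Files (x86)\\Example\\OpenCL SDK\\2.0\\Uninstall\\setup.exe\" -uninstall"
"Safe"="C:\\Windows\\System32\\notepad.exe /a"
'''

if __name__ == "__main__":
    for line in (r"C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver",
                 r'"C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe" /unregserver'):
        print(line, "->", createprocess_candidates(line))
    for value, rogue in scan_reg_export(REG_SAMPLE).items():
        print(value, "can be hijacked via", rogue)
```

Feed scan_reg_export() the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` (or of the Services key for ImagePath) to find such entries on a real system; the fix is always the same, quote the program path, as the Fixed key in the sample shows.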
PS: long pathnames containing spaces exist for about 20 years
now
Engine Components\\UNS\\UNS.exe
Stefan Kanthak
.
This command may be called by Windows Update Agent or deployment
agents running under the LocalSystem account.
Timeline:
~
2012-12-05  vendor informed
2013-12-06  vendor acknowledged report
2013-02-13  vendor released fixed version
Stefan Kanthak
:
~
2013-05-03  vendor informed
2013-05-05  vendor replied:
3CX Phone is freeware, use another software
I second that: don't use software from 3CX!
2013-05-06  report published
Stefan Kanthak
of the flash player plugin/activex control wrong!
Tested with MSIE6 to MSIE9 on Windows XP to Windows 7,
and Mozilla Firefox 1x.x on Windows XP and Windows 7.
Stefan Kanthak
PS: Opera doesn't show this error!
!
Stefan Kanthak
2012-11-02  report published
Stefan Kanthak
informed maintainer about problems still not fixed
2011-01-12  maintainer released current version 0.85.1
2012-03-08  asked maintainer for a fix for the vulnerable MSVCRT
2012-03-09  maintainer replied planning update before easter
2012-10-03  report published
Stefan Kanthak
bit of serious software engineering and due
diligence in your development, build and production processes?
It's a stupid idea to build security software from vulnerable components!
Stefan Kanthak
Timeline
2012-08-24  informed vendor support
2012-09-24  no reaction/reply from
offer the necessary
update MS11-025, since Windows Update Agent doesn't detect the
improperly installed MSVCRT!
Stefan Kanthak
[1] Application Error Reporting alias Windows Error Reporting
SQL Server 2005 and several subcomponents
SQL Server 2008 and several subcomponents
SQL
:\Program Files\Suite Name
|
| For your support files shared only within the suite:
|
| C:\Program Files\Suite Name\System
but create a mess instead and place numerous copies of these (and some more)
libraries in various different locations!
Stefan Kanthak
Timeline:
2012-03-16  problem reported
Stefan Kanthak
Timeline:
2012-05-19  vendor informed
... no reaction until
2012-06-25  report published
additional inherited access rights.
regards
Stefan Kanthak
---
Vendor was informed and has acknowledged the bug, but will neither
issue an immediate fix nor even a warning note stating the bug.
regards
Stefan Kanthak
[0] http://support.microsoft.com/kb/919240
[1] http://support.microsoft.com/kb/943043
[2] http://support.microsoft.com/kb/944820
[3] http
and
https://encrypted.google.com/search?num=100&safe=off&q=%22ssoexec%22+OR+%22ssoreset%22
only find hits that show problems with malware
2012-03-04  no more answer from vendor, report published
Stefan Kanthak
Brad Hards br...@frogmouth.net wrote:
On Sunday 19 June 2011 11:37:33 Stefan Kanthak wrote:
soft Xpansion www.soft-xpansion.com distributes their (freeware)
products Perfect PDF 7 Master and Perfect PDF 7 Reader (the
current files are dated 2011-05-10) with OUTDATED and VULNERABLE
Visual C
(no reply)
2011-06-19  vulnerability report published
Stefan Kanthak
at all!
2011-06-17 vulnerability report published
Stefan Kanthak
all versions of
ZIP prior to 2.31 (November 2004) and UnZIP prior to 5.52
(February/March 2005) are vulnerable.
Vendor was informed via http://www.faststone.org/contactUs.htm,
but did not respond at all!
Stefan Kanthak
PS: Tools like Secunia's PSI don't detect such outdated and
vulnerable
StenoPlasma @ ExploitDevelopment stenopla...@exploitdevelopment.com wrote:
Your MUA is defective, it strips the References: header!
Stefan,
For you information:
Cached domain accounts on a local system are not stored in the SAM. They
are stored in the SECURITY registry hive. When a
Andrea Lee and...@kattrap.net wrote:
I hope I'm not just feeding the troll...
No. You just made a complete fool of yourself.-P
Read the initial post again.
CAREFULLY.
Especially that part about unplugging from the network.
A local admin is an admin on one system. The domain admin is an admin
George Carlson gcarl...@vccs.edu wrote:
Your objections are mostly true in a normal sense.
And in abnormal sense?
However, it is not true when Group Policy is taken into account.
Group Policies need an AD. Cached credentials are only used locally,
for domain accounts, when the computer can't
StenoPlasma @ www.ExploitDevelopment.com wrote:
Much ado about nothing!
TITLE:
Flaw in Microsoft Domain Account Caching Allows Local Workstation
Admins to Temporarily Escalate Privileges and Login as Cached Domain
Admin Accounts
There is NO privilege escalation. A local administrator is an
1.0.2
gets downloaded upon start, updated 3 times since then due to
vulnerabilities; see http://www.bzip.org/downloads.html
Users who downloaded this security product before 2010-09-07 should
get a new copy ASAP!
Stefan Kanthak
Timeline:
2010-07-08: informed vendor support
to properly quote command lines,
and their QA seems sound asleep!
Stefan Kanthak
security of customer systems at Nuance?
Stefan Kanthak
Michael Wojcik wrote:
From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
Sent: Saturday, 06 February, 2010 08:21
Dan Kaminsky wrote:
[...]
(On a side note, you're not going to see this sort of symlink stuff
on Windows,
What exactly do you mean?
Traversing symlinks
Dan Kaminsky wrote:
[...]
(On a side note, you're not going to see this sort of symlink stuff on
Windows,
What exactly do you mean?
Traversing symlinks on the server/share, or creation of wide symlinks
by the client on the server/share?
Since Windows 2000 NTFS supports junctions, which
Dan Kaminsky wrote on February 06, 2010 6:43 PM:
You need admin rights to create junctions.
OUCH!
No, creating junctions (as well as the Vista introduced symlinks)
DOESN'T need admin rights!
[snip]
Stefan
/973552 and
http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
Stefan Kanthak
runtime DLLs.
See http://support.microsoft.com/kb/973544 and
http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
Stefan Kanthak
Update.
If not, all users of OpenOffice.org (as well as other poorly crafted
software which distributes outdated 3rd-party DLLs) are put at risk!
Stefan Kanthak
pthreadVC2.dll is installed as
%CommonProgramFiles%\TerraTec\Cyberlink\Decoder\pthreadVC2.dll
Stefan Kanthak
PS: Tools like Secunia's PSI don't detect such outdated and
vulnerable DLLs. Admin beware!
TIMELINE:
2009-06-16 phone call with Terratec's hotline - they were unable
-)sets the ACLs it overwrites the registry
entries of the newer/recent Flash Player ActiveX. DAMAGE DONE!
I informed Microsoft in the last two years several times about this
problem and discussed it with various members of their Microsoft Security
Response Center, but the problem persists.
Stefan
Dan Kaminsky wrote:
Eric Rescorla wrote:
At Fri, 8 Aug 2008 17:31:15 +0100,
Dave Korn wrote:
Eric Rescorla wrote on 08 August 2008 16:06:
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
However, since the CRLs will almost certainly not be checked, this
means the
Steve Shockley wrote:
Stefan Kanthak wrote:
2. The typical user authentication won't help, we're at hardware
level here, and no OS needs to be involved.
So, if I understand you correctly, if I boot my machine into DOS the
memory can be read over Firewire?
If DMA is enabled
Larry Seltzer wrote:
I actually do have a response from Microsoft on the broader issue, but it
doesn't address these issues or even concede that there's necessarily
anything they can do about it. They instead speak of the same
precautions for physical access that they spoke of a couple weeks
, but are not
fool proof.
Stefan Kanthak
only until now.
The zlib32.dll distributed in the installation is now the official
zlib1.dll from zlib.net; due to a lack of an official libbz2.dll this
one is provided by the maintainer.
Stefan Kanthak
| Engine version: 0.91.2
| Scanned directories: 1
| Scanned files: 1
The author and maintainer has been contacted twice via mail in
the last four weeks but chose not to respond at all.
Stefan Kanthak
I wrote Sunday, October 21, 2007 2:18 PM:
Anonymous [EMAIL PROTECTED] wrote Saturday, October 20, 2007 11:55 AM:
As a workaround, one could try to manually replace zlib32.dll in a Windows
GSView 4.8 installation with the current zlib1.dll version 1.2.3.
[...]
Unfortunately the maintainer
.
Stefan Kanthak
BTW: your reply is missing a References: (or In-Reply-To:) header!
Stefan Kanthak
/
that is vulnerable to CA-2007-07 http://www.zlib.net/advisory-2002-03-11.txt.
The zlib.dll included in the versions 7.2, 8.0 and the current 10.0
of their products is dated 1998-07-12 and shows the version 1.1.3.
Stefan Kanthak
CAN-2005-2096.db
| CURL.EXE: CAN-2005-2096.zlib-1.2.2 FOUND
|
| --- SCAN SUMMARY ---
| Known viruses: 16
| Engine version: 0.91.2
| Scanned directories: 1
| Scanned files: 1
Stefan Kanthak
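Several of the posts above report shipped copies of zlib that are years behind the fixed releases (a zlib.dll dated 1998 showing version 1.1.3, a CURL.EXE that ClamAV flags as CAN-2005-2096.zlib-1.2.2), and note that version-resource based tools such as Secunia's PSI do not catch them. The Python script below is an added example, neither the ClamAV signature nor any vendor's or maintainer's tool: it locates the copyright strings zlib's inflate and deflate code carry (" inflate 1.2.3 Copyright 1995-2005 Mark Adler " and the matching deflate string) inside DLLs and EXEs, including statically linked copies, and compares the version found against the fix levels. Assumptions: the fix levels are taken from the respective advisories (zlib 1.1.4 for the 2002-03-11 double-free advisory, zlib 1.2.3 for CAN-2005-2096), the strings are present in the build being scanned, and the sample blobs are constructed stand-ins, not the binaries discussed.

```python
"""Added example: find the zlib version compiled into DLLs/EXEs and flag copies
older than the published fixes.  zlib's inflate and deflate sources each carry
a copyright string of the form ' inflate 1.2.3 Copyright 1995-2005 Mark Adler ',
which survives in any build that has not deliberately stripped data strings
(assumption for a given binary).  Sample blobs below are constructed."""
import re
from pathlib import Path

# (first fixed version, issue); fix levels taken from the respective advisories
ZLIB_FIXES = [
    ((1, 1, 4), "zlib advisory 2002-03-11 (double free)"),
    ((1, 2, 3), "CAN-2005-2096 (inflate buffer overflow)"),
]
_VERSION_RE = re.compile(rb"\b(?:inflate|deflate) (\d+(?:\.\d+){2,3}) Copyright")


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); tuples compare numerically, so 1.2.11 > 1.2.3."""
    return tuple(int(part) for part in text.split("."))


def zlib_versions(blob):
    """All zlib version strings embedded in BLOB, sorted (a statically linked
    program can carry a different copy than the DLL next to it)."""
    return sorted({m.group(1).decode("ascii") for m in _VERSION_RE.finditer(blob)})


def zlib_issues(version):
    """Names of the fixes a copy of zlib VERSION is missing."""
    v = parse_version(version)
    return [issue for fixed, issue in ZLIB_FIXES if v < fixed]


def scan_blobs(blobs):
    """{name: bytes} -> {(name, version): [missing fixes]}; files without a
    zlib string do not appear in the result."""
    return {(name, ver): zlib_issues(ver)
            for name, blob in blobs.items() for ver in zlib_versions(blob)}


def scan_files(paths):
    """Same report for files on disk, e.g. every *.dll and *.exe below a tree."""
    return scan_blobs({str(p): Path(p).read_bytes() for p in paths})


# Constructed stand-ins for the binaries discussed in the posts; only the
# embedded copyright strings matter to the scanner, the rest is filler.
SAMPLES = {
    "zlib.dll": b"MZ\x90\x00" + b"\x00" * 16 + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00",
    "CURL.EXE": b"MZ\x90\x00" + b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00",
    "zlib1.dll": b"MZ\x90\x00" + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
    "other.dll": b"MZ\x90\x00no compression library in here",
}

if __name__ == "__main__":
    for (name, ver), missing in sorted(scan_blobs(SAMPLES).items()):
        print(f"{name}: zlib {ver}", "VULNERABLE: " + ", ".join(missing) if missing else "ok")
```

Point scan_files() at Path(root).rglob("*.dll") plus the matching "*.exe" glob to inventory a Program Files tree; because it reads the data strings rather than the version resource, renamed copies such as zlib32.dll and statically linked copies inside an EXE are reported too.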