\" %*"
Additionally, see <http://support.microsoft.com/kb/905890> as well
as <http://msdn.microsoft.com/library/aa365527.aspx> and set
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"SafeProcessSearchMode"=dword:0001
stay tuned
Stefan
ly says:
| If lpBuffer is NULL, this parameter must be zero.
and checks this constraint properly.
The problem is not the C language!
The problem is the inconsistent (and sloppy) implementation of similar
functions of the Win32 API and their inconsistent and sloppy documentation.
regards
Stefan Kant
ith
GetLastError() == ERROR_INVALID_PARAMETER or similar.
FIX: ALL interfaces of the Win32 API should^WMUST verify (ALL) their
arguments properly before using them and return an appropriate,
documented error code.
stay tuned
Stefan Kanthak
___
here. I can see an escalation of UAC privileges, but as has
been documented on numerous occasions*, UAC is not considered
to be a security boundary, so such an escalation is not
considered to be a security vulnerability."
2013-10-02 rep
System") privileges.
Timeline:
~
2008-04-09 informed vendor that MSKB 931906 creates dangling
references and MSIEXEC.EXE /f... prompts user for
location of capicom2.msi
2008-04-11 vendor asked: "have you tried removing the update via
le to understand why those
| laws matter.
OUCH! I asked the MSRC again:
| which part of "In Windows Embedded POSReady 2009 UNPRIVILEGED users
| can create the subdirectory "sso\" and the DLL "ssoexec.dll" is not
| understood?
and got the final answer:
| We are aware of
> I am truly shocked that seemingly, stuff like this needs to be said in
> the year of 2013.
Completely right!
> I'd have supposed that things like these should be known by *anyone*
> doing anything even remotely similar to software development *at least*
> since the end of the 8.3 filename era 1
line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.
<http://msdn.microsoft.com/library/dd203067.aspx>
<http://msdn.microsoft.com/lib
Jeffrey Walton wrote:
> Hi Stefan,
>
>> ... administrative rights for every user account
This WAS the default for user accounts back then, and still IS the
default for user accounts created during setup.
> Hmmm... XP/x64 appears to have a bug such that the second user also
> needs to be admin (
ccount(s) created during setup still have
administrative rights. And Windows 7 introduced the "silent" elevation
for about 70 of Microsoft own programs...
stay tuned
Stefan Kanthak
PS: if you want to mitigate the wrong design decision that every file
is "executable": add a
nced in this debris are NOT present
in the system image, and all the device drivers who had registry keys
created under [HKEY_LOCAL_MACHINE\SOFTWARE\%vendor%] are missing too.
Whoever built this system image apparently did not start from a clean
environment, installed superfluous components like "LiveMeeting Console"
and "System Center Configuration Management Client", used unsuitable
tools to integrate 3rd-party drivers, and used unsuitable tools to
prepare it for deployment.
Is this trustworthy computing? Software engineering? Due diligence?
And what about quality assurance?
JFTR: the unqualified filenames used in this cruft are nice targets for
binary planting attacks!
stay tuned
Stefan Kanthak
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
..." (and fail MISERABLY
if execution is denied there), ...
I recommend that the developers responsible for these crimes against
computer safety and security learn the meaning of the word "DATA"
before they are allowed to pester unsuspecting users with more of
their (by the v
tp://technet.microsoft.com/security/bulletin/ms11-025>
JFTR: See <http://support.microsoft.com/kb/835322>
When installed via the MSVCRT++ redistributable package,
Windows Update but keeps this component up-to-date!
Stefan Kanthak
Timeline:
~
2013-08-06 informe
and:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine
Components\\LMS\\LMS.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\PanDhcpDns.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
and 3 times on a fully patched 2003)
- MSVCRT.DLL & MSVCIRT.DLL
- MSVC?80.DLL
- MSVC?90.DLL
- MFC*.DLL
- ATL*.DLL
- VCOMP*.DLL
Cf. <http://msdn.microsoft.com/library/ms235624.aspx>
For Windows Vista and later: run the command given above and see yoursel
ty products like Adobe Reader/Acrobat and numerous others of
numerous other developers/companies, which come with outdated and
vulnerable MSI merge modules, are installed,
* the current version of the standalone "redistributable packages" of the
resp. MSCVRT, MFC, ATL etc. are NOT
61C-B233-4994-AFB1-C158EE4FC578}]
"Policy"=dword:0003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A2397324-4D73-487
Hi @ll,
many (if not most of the) Windows system utilities and system routines
(including the kernel and its subsystems) as well as many user programs
(including the "shell" Windows Explorer, Windows Media Player, Internet
Explorer, Microsoft Office, etc.) load libraries/satellites at runtime
via
ies
2012-11-29 asked vendor what MS09-035 and MS11-025 are good for
then, and for the purpose of their recommendations and
FAQ
...
2013-06-03 report published
Stefan Kanthak
[*] DW20Shared.msi is bundled with numerous other Microsoft products too,
inc
OMEDRIVE%%HOMEPATH%" and typically equal to
"%USERPROFILE%") can be run instead of the intended executable
"%SystemRoot%\System32\MsiExec.Exe".
The VERY simple fix (which eliminates this attack vector completely):
always use fully-qualified paths to the well-known executable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHSSecurityMgr]
"ImagePath"=expand:"""C:\\Program Files\\Intel\\BluetoothHS\\BTHSSecurityMgr.exe"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UNS]
"ImagePath"=expand:"""
RE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\Shell\Open\Command]
@="C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe"
The last entry is a pathname with unquoted spaces and allows the
execution of the rogue programs "C:\Program.exe" and/or
"C:\Program Fil
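The following is an added example and not code from any of the posts on this page. It is a small Python scanner over regedit-style .reg export text that flags the two binary-planting conditions the posts describe: a command or ImagePath value that is not enclosed in quotes and contains spaces (so CreateProcess tries C:\Program.exe, C:\Program Files.exe, ... before the intended program), and a value that names its executable or library without a directory (an "unqualified filename"), so it is resolved through the search order. The sample .reg text is constructed to mirror entries quoted on this page; the `expand:` prefix is accepted as the notation the posts use for REG_EXPAND_SZ (regedit itself writes `hex(2):...`, which this parser does not decode), and the function names are the example's own.

```python
r"""Scan regedit-style .reg export text for two binary-planting conditions:

  * unquoted-space: a command/ImagePath value that is not enclosed in
    quotes and contains spaces.  When such a string reaches CreateProcess
    as lpCommandLine with lpApplicationName == NULL, the loader tries the
    prefix at every space first, appending .exe where the prefix has no
    extension, so C:\Program.exe or C:\Program Files.exe would run before
    the intended program.
  * unqualified: the executable or library is named without a directory
    (e.g. "oleaut32.dll"), so it is located through the search order and a
    same-named file in an earlier searched directory wins.

Added example (not code from the Full-Disclosure posts); the sample .reg
text below is constructed to mirror entries quoted on the page.
"""
import re

# Constructed sample modelled on the registry entries quoted on the page.
# "expand:" is the notation the posts use for REG_EXPAND_SZ; real regedit
# exports write hex(2):..., which this parser does not decode.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\PanDhcpDns.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHSSecurityMgr]
"ImagePath"=expand:"\"C:\\Program Files\\Intel\\BluetoothHS\\BTHSSecurityMgr.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\Shell\Open\Command]
@="C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))='
    r'(?:expand:)?"(?P<data>(?:[^"\\]|\\.)*)"$')


def reg_unescape(s):
    """Undo .reg string escaping (backslash-backslash, backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def program_of(cmd):
    """Executable portion of a command line: the quoted token if the line
    starts with a quote, else the first space-delimited token."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def is_unqualified(cmd):
    """True when the executable/library carries no directory part."""
    prog = program_of(cmd)
    return "\\" not in prog and ":" not in prog


def rogue_candidates(cmd):
    """Pathnames CreateProcess would try before the intended program for an
    unquoted command line with spaces (see the lpCommandLine remarks in the
    CreateProcess documentation).  Stops at the first prefix whose last
    component has an extension, taken to be the intended executable.
    Returns [] for quoted or space-free commands."""
    if cmd.startswith('"') or " " not in cmd:
        return []
    found = []
    for m in re.finditer(" ", cmd):
        prefix = cmd[:m.start()]
        if "." in prefix.rsplit("\\", 1)[-1]:
            break
        found.append(prefix + ".exe")
    return found


def looks_like_command(key, name):
    """Restrict to values that are run or loaded as code: a service ImagePath
    and the default value of Command, InProcServer32 and LocalServer32 keys."""
    tail = key.rsplit("\\", 1)[-1].lower()
    if name.lower() == "imagepath":
        return True
    return name == "@" and tail in ("command", "inprocserver32", "localserver32")


def scan_reg(text):
    """Return (key, value_name, issue, detail) tuples for the conditions above."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm is None or key is None:
            continue
        name = "@" if vm.group("default") else reg_unescape(vm.group("name"))
        if not looks_like_command(key, name):
            continue
        data = reg_unescape(vm.group("data"))
        if is_unqualified(data):
            findings.append((key, name, "unqualified", data))
        # A candidate is only exploitable if its parent directory is writable
        # by the attacker: check the ACL (icacls) before calling it a bug.
        for cand in rogue_candidates(data):
            findings.append((key, name, "unquoted-space", cand))
    return findings


if __name__ == "__main__":
    for key, name, issue, detail in scan_reg(SAMPLE_REG):
        print(f"{issue:14} {key}\\{name}: {detail}")
```

On the constructed sample the scanner reports C:\Program.exe for the Intel service, oleaut32.dll as unqualified, and C:\Program.exe plus C:\Program Files.exe for the Fujitsu verb; the properly quoted BTHSSecurityMgr entry produces nothing. To use it on a real system, feed it the text of `reg export HKLM\SYSTEM\CurrentControlSet\Services` (and the Classes hive) and then verify each candidate's parent directory with icacls, since a candidate under a directory only administrators can write to is not reachable by an unprivileged user.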
e System\bin\webserver\"
This is the current version (released 2012-05-31), but built with
vulnerable components too (see above), so yet another company that
is unable to keep its software up-to-date and protect its customers.
Timeline:
~
2013-05-05 vendor informed
2013-05
CVEs since
1.1.0.
Timeline:
~
2013-05-03 vendor informed
2013-05-05 vendor replied:
"3CX Phone is freeware, use another software"
I second that: don't use software from 3CX!
2013-05-06 report published
Stefan Kanthak
___
me Fujitsu for
including this superfluous crapware in their factory
preinstallation!
Timeline:
~
2013-04-22 informed vendor
2013-04-24 vendor replied:
the preinstalled software has been selected according to
current st
ty Client\\Setup.exe /X"
contains unquoted spaces.
This command may be called by Windows Update Agent or deployment
agents running under the LocalSystem account.
Timeline:
~
2012-12-05 vendor informed
2013-12-06 vendor acknowledged report
2013-02-13
Apparently both web browsers handle the return code(s) from the
denied loading of the flash player plugin/activex control wrong!
Tested with MSIE6 to MSIE9 on Windows XP to Windows 7,
and Mozilla Firefox 1x.x on Windows XP and Windows 7.
Stefan Kanthak
PS: Opera doesn't show this error!
__
shed
Recommendation:
~~~
Stay away from products of vendors/companies who don't follow even the
most basic principles of software engineering!
Stefan Kanthak
___
vendor informed
no reaction from vendor
2012-11-02 report published
Stefan Kanthak
___
intainer replied "planning update before easter"
2012-10-03 report published
Stefan Kanthak
___
Dell Inc.: Don't you have any QA? Can't afford one?
UPEK Inc.: Don't you have any QA? Can't afford one?
Wave Corp.: Don't you have any QA? Can't afford one?
NTRU Inc.: Don't you have any QA? Can't afford one?
What about just a little bit of serious so
(parts of) the component "Microsoft Visual C++ Runtime".
They are missing!
How should a user follow Microsoft's recommendation if s/he doesn't
even know that there are (parts of) vulnerable components installed?
Step 4:
Start "Windows Update" or "Microsoft
endors
>>gain/loss of reputation, gain/loss of stock value, loss of money in court
>>cases or due to compensations, loss of (future) sales due to
>>(dis-)satisfied
>>customers, ...
>>
>>Joe Average can't tell the difference between a program which is designed,
>>developed, built and maintained according to the state of the art, and
>>some
>>piece of crap that is not. He but only sees the (nice or promising) GUI of
>>the product and its price tag.
>>
>>Stefan Kanthak
___
future) sales due to (dis-)satisfied
customers, ...
Joe Average can't tell the difference between a program which is designed,
developed, built and maintained according to the state of the art, and some
piece of crap that is not. He but only sees the (nice or promising) GUI of
the pr
NT5.x
via addition of a file
--- \i386\MIGRATE.INF or \amd64\MIGRATE.INF ---
[Version]
Provider = "Stefan Kanthak"
Signature = "$Windows NT$"
[AddReg]
; Disable creation of 8.3 DOS filenames (see MSKB 121007 & 210638)
HKLM,"System\ControlSet
iles\Suite Name
|
| For your support files shared only within the suite:
|
| C:\Program Files\Suite Name\System
but create a mess instead and place numerous copies of these (and some more)
libraries in various different locations!
Stefan Kanthak
Timeline:
2012-03-16 problem reported
2012
="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MA
n its security descriptor... before
the call. Afterwards, SE_DACL_PROTECTED is gone, and "%ALLUSERSPROFILE%"
got additional inherited access rights.
regards
Stefan Kanthak
___
"%TEMP%\AFTER.ACL" /C /T
"%SystemRoot%\System32\ICACLS.EXE" "%~1" /Restore "%TEMP%\BEFORE.ACL" /C
"%SystemRoot%\System32\FC.EXE" /U "%TEMP%\BEFORE.ACL" "%TEMP%\AFTER.ACL"
Del "%TEMP%\BEFORE.ACL" "%TEMP%\AFTER.ACL"
de clarification soon."
2012-02-06 vendor replies:
"this reference in no way indicates there is or ever was a
virus on our build systems."
2012-02-08 asked vendor to consider that both
<http://www.bing.com/search?q=ssoexec> and
normal bug triage process, and they may contact you directly
if they need further information.
2011-11-14 publish vulnerability report
Stefan Kanthak
JFTR: if Microsoft weren't such sloppy coders and had a QA department this
whole class of vulnerabilities would not exist
ME "%APPDATA%"
Set LOCALAPPDATA=%DIRNAME%%BASENAME%
Set BASENAME=
Set DIRNAME=
Goto :EOF
:BASENAME
Set BASENAME=%~nx1
Goto :EOF
:DIRNAME
Set DIRNAME=%~dp1
Goto :EOF
Stefan Kanthak
___
"Thor (Hammer of God)" wrote:
Would you mind breaking the lines of your posts near column 70?
> From your blog:
[ ... ]
> I would say "our self-serving and marketing-oriented minds remain
> challenged to understand what security really is, but regardless,
> continue to find ways of trying to c
(no reply)
2011-06-19 vulnerability report published
Stefan Kanthak
___
me vulnerable libraries
already included in v4.21
vendor obviously doesn't care about security at all!
2011-06-17 vulnerability report published
Stefan Kanthak
___
/infozip.org/FAQ.html#corruption> all versions of
ZIP prior to 2.31 (November 2004) and UnZIP prior to 5.52
(February/March 2005) are vulnerable.
Vendor was informed via <http://www.faststone.org/contactUs.htm>,
but did not respond at all!
Stefan Kanthak
PS: Tools like Secunia's
"Andrea Lee" wrote:
> I hope I'm not just feeding the troll...
No. You just made a complete fool of yourself. :-P
Read the initial post again.
CAREFULLY.
Especially that part about unplugging from the network.
> A local admin is an admin on one system. The domain admin is an admin
> on all system
"StenoPlasma @ ExploitDevelopment" wrote:
Your MUA is defective, it strips the "References:" header!
> Stefan,
>
> For you information:
>
> Cached domain accounts on a local system are not stored in the SAM. They
> are stored in the SECURITY registry hive. When a cached domain user logs
>
"Jeremy SAINTOT" wrote:
> Correct me if I'm wrong, but here is what I think of that :
You are wrong!
> A Domain user that is a Local admin of his workstation is different than
> a Domain user which is Domain Admin.
A local administrator has all the powers on his computer, while a domain
admi
"George Carlson" wrote:
> Your objections are mostly true in a normal sense.
And in abnormal sense?
> However, it is not true when Group Policy is taken into account.
Group Policies need an AD. Cached credentials are only used locally,
for domain accounts, when the computer can't connect to th
"StenoPlasma @ www.ExploitDevelopment.com" wrote:
Much ado about nothing!
> TITLE:
> Flaw in Microsoft Domain Account Caching Allows Local Workstation
> Admins to Temporarily Escalate Privileges and Login as Cached Domain
> Admin Accounts
There is NO privilege escalation. A local administrator i
l.org/news/> and
<http://openssl.org/news/vulnerabilities.html>
3. bzip2.exe: version 1.0.2
gets downloaded upon start, updated 3 times since then due to
vulnerabilities; see <http://www.bzip.org/downloads.html>
Users who downloaded this "security" product before
Christian Sciberras wrote:
>> Yes. Once again: get your homework done!
>>
>>> http://www.codeproject.com/KB/DLL/dynamicdllloading.aspx
>>
>> That's a double DYNAMIC there!
>
> Did you even bother to read the article? The very first paragraph
> states the difference between the two.
>
> Oh, and f
Christian Sciberras wrote:
>> No. Guess where the D in DLL comes from!
>> Static linking occurs when the linker builds a binary (this might be a
>> DLL ;-) using *.OBJ and *.LIB.
>> Dynamic linking occurs when the loader loads a binary (again: this might
>> be a DLL) into memory and resolves its de
Christian Sciberras wrote:
>> and failed to use it right!
>
> Well, I suppose I could have used neat tricks such as specifically and
> directly loading the "bad" dll.
> But as much as security goes, those are cheap tricks.
Wrong again! You don't need tricks, you need to understand Windows' DLL
se
Dan Kaminsky wrote:
> On Tue, Sep 14, 2010 at 6:07 PM, Stefan Kanthak
> wrote:
>> Dan Kaminsky wrote:
>>> Short version: Go see how many DLLs exist outside of c:\windows\system32.
>>> Look, ye mighty, and despair when you realize all those apps would be broken
>
Paul Szabo wrote:
> Christian Sciberras wrote:
>
>> ... the user has opened the "bad" file ...
>
> The victim "views" a "data" file, does not (directly) run an executable.
> The data file could be as harmless as a Word document or a plain-text
> file.
Word (resp. MS Office) documents ain't har
Dan Kaminsky wrote:
> h0h0h0. There be history, Larry.
>
> Short version: Go see how many DLLs exist outside of c:\windows\system32.
> Look, ye mighty, and despair when you realize all those apps would be broken
> by CWD DLL blocking.
No, that's the too much shortened version.
The correct versi
Christian Sciberras wrote:
> I wrote my own example POC.
and failed to use it right!
[...]
> DHPOC\example\the-install-folder\
> DHPOC\example\the-install-folder\dhpocApp.exe
> DHPOC\example\the-install-folder\dhpocDll.dll
> DHPOC\example\the-remote-folder
> DHPOC\example\the-remote-folder\exam
wrote:
> Fyodor wrote:
>
>>> nmap <= 5.21 is vulnerable to Windows DLL Hijacking Vulnerability.
>>
>> Nmap is not vulnerable. DLL hijacking works because of an unfortunate
>> interaction between apps which register Windows file extensions and
>> the default Windows DLL search path used for tho
Christian Sciberras wrote:
> I can't take THAT seriously. At least not all of it.
>
> The part that interested me most:
>
>> 4. Should I find such vulnerability in many applications as I can?
>>
>> You should not. It's just a waste of time and your energy. Focus on most
>> popular application
ible team
2010-06-26 no reaction; disclosure
Who cares about software engineering and the build process at Nuance?
Who cares about security of customer systems at Nuance?
Stefan Kanthak
___
Michael Wojcik wrote:
>> From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
>> Sent: Monday, 08 February, 2010 16:33
>>
>> Michael Wojcik wrote:
>>
>> >> From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
>> >> Sent: Saturday, 06 Fe
Michael Wojcik wrote:
>> From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
>> Sent: Saturday, 06 February, 2010 08:21
>>
>> Dan Kaminsky wrote:
>>
>> [...]
>>
>> > (On a side note, you're not going to see this sort of symlin
Dan Kaminsky wrote on February 06, 2010 6:43 PM:
> You need admin rights to create junctions.
OUCH!
No, creating junctions (as well as the Vista introduced symlinks)
DOESN'T need admin rights!
[snip]
Stefan
___
Dan Kaminsky wrote:
[...]
> (On a side note, you're not going to see this sort of symlink stuff on
> Windows,
What exactly do you mean?
Traversing symlinks on the server/share, or creation of "wide" symlinks
by the client on the server/share?
Since Windows 2000 NTFS supports "junctions", which
s KB973551, IFF the Windows administrator has opt'd-in
to "Microsoft Update".
If not, all users of OpenOffice.org (as well as other poorly crafted
software which distributes outdated 3rd-party DLLs) are put at risk!
Stefan Kanthak
___
lication CynergyDVR.EXE, which but uses XMLLITE.DLL
(<http://support.microsoft.com/kb/915865/en-us>) instead.
4. A superfluous pthreadVC2.dll is installed as
"%CommonProgramFiles%\TerraTec\Cyberlink\Decoder\pthreadVC2.dll"
Stefan Kanthak
PS: Tools like Secunia's PSI
ral times about this
problem and discussed it with various members of their Microsoft Security
Response Center, but the problem persists.
Stefan Kanthak
___
Sicher im Netz", see
<https://www.sicher-im-netz.de/wir_ueber_uns/146.aspx>) and its
security officer, both per mail and phone (where available).
Response(s): NONE
Reaction(s): NONE
Stefan Kanthak
PS: <http://service.t-online.de/c/12/70/85/92/12708592.html>
states th
Dan Kaminsky wrote:
>
>
> Eric Rescorla wrote:
>> At Fri, 8 Aug 2008 17:31:15 +0100,
>> Dave Korn wrote:
>>
>>> Eric Rescorla wrote on 08 August 2008 16:06:
>>>
>>>
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
> However, since the CRLs will almost certain
group policies, not including system-wide
>security settings, may be circumvented, even by a limited user.
Right. The point is that group policies can/might help, but are not
"fool proof".
Stefan Kanthak
___
Larry Seltzer wrote:
> I actually do have a response from Microsoft on the broader issue, but it
> doesn't address these issues or even conceded that there's necessarily
> anything they can do about it. They instead speak of the same
> precautions for physical access that they spoke of a couple wee