Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-06 Thread Georgi Guninski
On Mon, Sep 05, 2011 at 07:50:51PM +, Thor (Hammer of God) wrote:
 Excellent points - one slight addition, though:
 
 In fact, the Windows Script Host software is mostly used to write system 
 maintenance scripts, 
 so it's obvious its scripts can't be restricted or they'd be useless.
 
 Scripts can certainly be restricted based on the account context they are 
 executed under.   There is actually plenty one can do with normal user 
 scripts, but as you've pointed out, many of the options admins require 
 scripts for need escalated privileges.   This is obviously be design, and it 
 helps to keep admins aware of best practices when choosing to deploy 
 solutions via scripting.  There are, of course, many many other ways once can 
 accomplish system maintenance in a more secure way such as WMI, PS (which can 
 require signed scripts) and of course GPO and/or any other number of 
 solutions.  
 
 I thought it important to outline that since, in my experience with real 
 admins, WSH is actually *not* used mostly for system maintenance per se, but 
 for standard automation.   Using scripts to perform actual administrative 
 tasks/maintenance is just a bad idea to begin with.  


you mean to perform actual administrative tasks/maintenance 
``real admins'' just click with the mouse on the platform in this thread?

-- 
joro

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-05 Thread Mario Vilas
Paul,

Those file extensions correspond to scripts. If a file contains a script
that runs when the file is double clicked, and the scripting engine is not
sandboxed (meaning the script can do the same things an executable file can
do) then the attack is meaningless. You can simply have the script inside
the file do malicious things instead of planting a DLL.

Binary planting, regardless of the discussion about it being a
vulnerability or not, in any case only makes sense when the file only
contains static data, or when the file contains executable code that would
normally not have the same privileges as a standard executable file. (A
script that doesn't get executed when double clicking on it -for example if
a text editor is opened instead- would be the same case as in a data file).

I've never used .js or .jse scripts on Windows, but all the other extensions
are patently not sandboxed scripts. In fact, the Windows Script Host
software is mostly used to write system maintenance scripts, so it's obvious
its scripts can't be restricted or they'd be useless. I'm guessing the same
applies to .js and .jse then, and of course I wouldn't mind seeing proof
that it doesn't. However the links you provided don't really prove anything
(the first one even says this is not a complete list, and I admit I've
only glanced the second one but it seems unrelated, as it applies to file
transfers on Microsoft Sharepoint).

Planting a DLL file to be executed at the same time as other executable file
is just a convoluted way of doing the same thing. It *may* be used in some
strange, artificial situations, but I'm not convinced there aren't better
ways to do it, and in any case it doesn't justify an advisory. And judging
from what the timeline reads, I believe Microsoft simply ignored this one.

I hope my explanation helped :)
-Mario

On Mon, Sep 5, 2011 at 12:54 AM, paul.sz...@sydney.edu.au wrote:

  Application: wscript.exe
  Extensions: js, jse, vbe, vbs, wsf, wsh
  Library: wshesn.dll

 Many people commented that the above extensions are executable
 already, so are (should be) treated with caution, or that they
 can be trojaned directly without any DLL load shenanigans.

 However... looking at
 http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx

 http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
 I do not see JS listed as executable, though JSE is listed.

 Looking at
 http://msdn.microsoft.com/en-us/library/ms722429.aspx
 I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
 machine, none of the above extensions are designated.

 Maybe DLL hijacking is useful for some of these file types, after all?

 Cheers, Paul

 Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
 School of Mathematics and Statistics   University of SydneyAustralia

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-05 Thread Georgi Guninski
lol, the japanese ddosed their children and the official version is they tried 
to entertain them.

the official version appears as fuzzing while not knowing doing so.

-- 
joro

On Sun, Sep 04, 2011 at 05:34:00PM +, Thor (Hammer of God) wrote:
 Something like Pokemon malware would be awesome:
 
 http://faculty.washington.edu/chudler/pokemon.html
 
 t
 
 
 -Original Message-
 From: Georgi Guninski [mailto:gunin...@guninski.com] 
 Sent: Sunday, September 04, 2011 9:20 AM
 To: valdis.kletni...@vt.edu
 Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host 
 DLL Hijacking
 
 On Fri, Sep 02, 2011 at 05:46:15PM -0400, valdis.kletni...@vt.edu wrote:
  
  Prediction 1: 10 years from now, organized crime will be hiring 
  cognitive psychologists to help design more effective phish the way 
  they currently hire programmers to write better spambots.
 
 wouldn't it be more profitable to develop a brain exploit (like what news 
 write)?
 
 human brain doesn't seem suited enough for rooted computer output.
 
 to my knowledge 25th frame is banned in TV.
 
 if someone *releases* (partial) hypnosis malware this might be profitable and 
 change the meaning of botnet.
 
 --
 joro

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-05 Thread root
I agree, in some remote scenario this may work, but doesn't justify an
advisory.

Off-topic:

First Insect PRO, and now this?
What's happening fellow Latin-americans? our standards are falling.
Please behave, this is the Internet!





On 09/05/2011 07:33 AM, Mario Vilas wrote:
 Paul,
 
 Those file extensions correspond to scripts. If a file contains a script
 that runs when the file is double clicked, and the scripting engine is not
 sandboxed (meaning the script can do the same things an executable file can
 do) then the attack is meaningless. You can simply have the script inside
 the file do malicious things instead of planting a DLL.
 
 Binary planting, regardless of the discussion about it being a
 vulnerability or not, in any case only makes sense when the file only
 contains static data, or when the file contains executable code that would
 normally not have the same privileges as a standard executable file. (A
 script that doesn't get executed when double clicking on it -for example if
 a text editor is opened instead- would be the same case as in a data file).
 
 I've never used .js or .jse scripts on Windows, but all the other extensions
 are patently not sandboxed scripts. In fact, the Windows Script Host
 software is mostly used to write system maintenance scripts, so it's obvious
 its scripts can't be restricted or they'd be useless. I'm guessing the same
 applies to .js and .jse then, and of course I wouldn't mind seeing proof
 that it doesn't. However the links you provided don't really prove anything
 (the first one even says this is not a complete list, and I admit I've
 only glanced the second one but it seems unrelated, as it applies to file
 transfers on Microsoft Sharepoint).
 
 Planting a DLL file to be executed at the same time as other executable file
 is just a convoluted way of doing the same thing. It *may* be used in some
 strange, artificial situations, but I'm not convinced there aren't better
 ways to do it, and in any case it doesn't justify an advisory. And judging
 from what the timeline reads, I believe Microsoft simply ignored this one.
 
 I hope my explanation helped :)
 -Mario
 
 On Mon, Sep 5, 2011 at 12:54 AM, paul.sz...@sydney.edu.au wrote:
 
 Application: wscript.exe
 Extensions: js, jse, vbe, vbs, wsf, wsh
 Library: wshesn.dll

 Many people commented that the above extensions are executable
 already, so are (should be) treated with caution, or that they
 can be trojaned directly without any DLL load shenanigans.

 However... looking at
 http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx

 http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
 I do not see JS listed as executable, though JSE is listed.

 Looking at
 http://msdn.microsoft.com/en-us/library/ms722429.aspx
 I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
 machine, none of the above extensions are designated.

 Maybe DLL hijacking is useful for some of these file types, after all?

 Cheers, Paul

 Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
 School of Mathematics and Statistics   University of SydneyAustralia

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

 
 
 
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-05 Thread Thor (Hammer of God)
Excellent points - one slight addition, though:

In fact, the Windows Script Host software is mostly used to write system 
maintenance scripts, 
so it's obvious its scripts can't be restricted or they'd be useless.

Scripts can certainly be restricted based on the account context they are 
executed under.   There is actually plenty one can do with normal user 
scripts, but as you've pointed out, many of the options admins require scripts 
for need escalated privileges.   This is obviously be design, and it helps to 
keep admins aware of best practices when choosing to deploy solutions via 
scripting.  There are, of course, many many other ways once can accomplish 
system maintenance in a more secure way such as WMI, PS (which can require 
signed scripts) and of course GPO and/or any other number of solutions.  

I thought it important to outline that since, in my experience with real 
admins, WSH is actually *not* used mostly for system maintenance per se, but 
for standard automation.   Using scripts to perform actual administrative 
tasks/maintenance is just a bad idea to begin with.  

t


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-05 Thread Mario Vilas
On Mon, Sep 5, 2011 at 7:45 PM, root ro...@fibertel.com.ar wrote:

 Off-topic:

 First Insect PRO, and now this?
 What's happening fellow Latin-americans? our standards are falling.
 Please behave, this is the Internet!


[image: The_Internet_is_Serious_Business - Low.jpg]


-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
The_Internet_is_Serious_Business - Low.jpg___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-04 Thread IA64 LOL
dll hijacking, so 2010. wtf is this shit, its been a year since this
class of vulns became mainstream infosuck.

On 09/02/2011 05:59 PM, Mario Vilas wrote:
 If it's a trusted .vbs then how would you drop a .dll in the same directory?
 If you have write permissions it's easier to just modify the .vbs.
 
 You might as well claim the added value is to backdoor a .vbs file
 subrepticiously so it doesn't show when inspecting the source code. But it
 doesn't add that much, really, since a new and misterious .dll file would
 also draw the attention, so it's probably easier to hide malicious intent
 into the source code by obfuscating it.
 
 On Fri, Sep 2, 2011 at 11:53 PM, Nahuel Grisolia nah...@bonsai-sec.comwrote:
 
 List,

 On 09/02/2011 06:45 PM, root wrote:
 You don't get the worst part: unsuccessful exploitation also leads to
 code execution.
 Scary stuff.

 On 09/02/2011 05:05 PM, Mario Vilas wrote:
 Are you guys seriously reporting that double clicking on a malicious
 .vbs
 file could lead to remote code execution? :P

 Either I'm missing something (and I'd welcome a rebuttal here!) or you
 might
 as well add .exe to that list. All those extensions are already
 executable.

 I think that they're talking about that executing a trusted vbs could
 lead to the execution of malicious code.

 :S

 regards,
 --
 Nahuel Grisolia - C|EH
 Information Security Consultant
 Bonsai Information Security Project Leader
 http://www.bonsai-sec.com/
 (+54-11) 4777-3107

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

 
 
 
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-04 Thread Georgi Guninski
On Fri, Sep 02, 2011 at 05:46:15PM -0400, valdis.kletni...@vt.edu wrote:
 
 Prediction 1: 10 years from now, organized crime will be hiring cognitive
 psychologists to help design more effective phish the way they currently hire
 programmers to write better spambots.

wouldn't it be more profitable to develop a brain exploit (like what news 
write)?

human brain doesn't seem suited enough for rooted computer output.

to my knowledge 25th frame is banned in TV.

if someone *releases* (partial) hypnosis malware this might be profitable and 
change the meaning of botnet.

-- 
joro

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-04 Thread Thor (Hammer of God)
Something like Pokemon malware would be awesome:

http://faculty.washington.edu/chudler/pokemon.html

t


-Original Message-
From: Georgi Guninski [mailto:gunin...@guninski.com] 
Sent: Sunday, September 04, 2011 9:20 AM
To: valdis.kletni...@vt.edu
Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host 
DLL Hijacking

On Fri, Sep 02, 2011 at 05:46:15PM -0400, valdis.kletni...@vt.edu wrote:
 
 Prediction 1: 10 years from now, organized crime will be hiring 
 cognitive psychologists to help design more effective phish the way 
 they currently hire programmers to write better spambots.

wouldn't it be more profitable to develop a brain exploit (like what news 
write)?

human brain doesn't seem suited enough for rooted computer output.

to my knowledge 25th frame is banned in TV.

if someone *releases* (partial) hypnosis malware this might be profitable and 
change the meaning of botnet.

--
joro

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-04 Thread Valdis . Kletnieks
On Fri, 02 Sep 2011 18:05:32 PDT, IA64 LOL said:
 dll hijacking, so 2010. wtf is this shit, its been a year since this
 class of vulns became mainstream infosuck.

Just remember - NBC advertised its summer reruns as If you didn't
see it before, it's new to you...  That, combined with the fact that
there's always new people entering the field, means we're stuck
with a September that never ended scenario.

The sad part is that for the people entering Benoit College this
fall, it has *always* been September.


pgpokloroI30l.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-04 Thread paul . szabo
 Application: wscript.exe
 Extensions: js, jse, vbe, vbs, wsf, wsh
 Library: wshesn.dll

Many people commented that the above extensions are executable
already, so are (should be) treated with caution, or that they
can be trojaned directly without any DLL load shenanigans.

However... looking at
http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
I do not see JS listed as executable, though JSE is listed.

Looking at
http://msdn.microsoft.com/en-us/library/ms722429.aspx
I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
machine, none of the above extensions are designated.

Maybe DLL hijacking is useful for some of these file types, after all?

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-04 Thread James Condron
Paul,

I only run windows on one machine, my workstation in the office, so my results 
aren't indicative of every system- indeed this may be a quirk of our AD, in 
which case I'll be talking to one of my colleagues with my friend Mr. Crowbar, 
but both extensions you list were executable.

Admittedly I haven't checked all of the others yet, mileage may vary.

Either way there is no accounting for taste; some cases will make this less an 
attack in and of its self and more will show this as a further social 
engineering payload, albeit one which requires tricking someone to download 
several layers of code and still executing it.

On 4 Sep 2011, at 23:54, paul.sz...@sydney.edu.au wrote:

 Application: wscript.exe
 Extensions: js, jse, vbe, vbs, wsf, wsh
 Library: wshesn.dll
 
 Many people commented that the above extensions are executable
 already, so are (should be) treated with caution, or that they
 can be trojaned directly without any DLL load shenanigans.
 
 However... looking at
 http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
 http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
 I do not see JS listed as executable, though JSE is listed.
 
 Looking at
 http://msdn.microsoft.com/en-us/library/ms722429.aspx
 I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
 machine, none of the above extensions are designated.
 
 Maybe DLL hijacking is useful for some of these file types, after all?
 
 Cheers, Paul
 
 Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
 School of Mathematics and Statistics   University of SydneyAustralia
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread Mario Vilas
Are you guys seriously reporting that double clicking on a malicious .vbs
file could lead to remote code execution? :P

Either I'm missing something (and I'd welcome a rebuttal here!) or you might
as well add .exe to that list. All those extensions are already executable.

On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.com wrote:

 **
 Advisory Name: Windows Script Host DLL Hijacking

 Internal Cybsec Advisory Id:
 2011-0901-Windows Script Host DLL Hijacking

 Vulnerability Class:
 Remote Command Execution Vulnerability

 Release Date:
 September 2, 2011

 Affected Applications:
 Windows Script Host v5.6; other versions may also be affected

 Affected Platforms:
 Any running Windows Script Host v5.6

 Local / Remote:
 Remote / Local

 Severity:
 High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

 Researcher:
 Juan Manuel Garcia

 Vendor Status:
 Acknowedged

 Reference to Vulnerability Disclosure Policy
 : http://www.cybsec.com/vulnerability_policy.pdf

 Vulnerability Description:

 DLL Hijacking takes advantage of the way an application dynamically

 loads dll libraries without specifying a fully qualified path. This is

 usually done invoking the LoadLibrary and LoadLibraryEx functions to

 dynamically load DLLs.

 In order to exploit this vulnerability a user must open a file with an

 extension associated to the vulnerable application. A malicious dll,

 named exactly as a dll the apllications loads using the vulnerable

 function, must be placed in the same directory as the opened file.

 The application will then load the malicious dll instead of the

 original, thus executing the malicious code.

 The following application loads external libraries following an
 insufficiently qualified path.

 Application: wscript.exe

 Extensions: js, jse, vbe, vbs, wsf, wsh

 Library: wshesn.dll

 Exploit:

 Option 1 - Using the “msfpayload” Metasploit module as shown below:

 msfpayload windows/exec CMD=calc.exe D  exploit.dll

 Option 2 - Using the “webdav_dll_hijacker” Metasploit module.

 Impact:

 A successful exploit of this vulnerability leads to arbitrary code
 execution.

 Vendor Response:

 2011/08/09 – Vulnerability was identified.

 2011/08/19 – Cybsec sent detailed information on the issue and a Proof of
 Concept.

 2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on
 ongoing investigations”.

 2011/08/19 – Vendor was informed that the security advisory would be
 published after 15 days.

 2011/09/02 – Vulnerability was released.

 Contact Information:

 For more information regarding the vulnerability feel free to contact the
 researcher at

 jmgarcia at cybsec dot com

 About CYBSEC S.A. Security Systems

 Since 1996,
 CYBSEC is engaged exclusively in rendering professional services
 specialized in

 Information Security. Their area of services covers Latin America, Spain
 and over 250 customers are a

 proof of their professional life.

 To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is
 associated with other

 software and/or hardware provider companies.

 Our services are strictly focused on Information Security, protecting our
 clients from emerging security

 threats, maintaining their IT deployments available, safe, and reliable.

 Beyond professional services, CYBSEC is continuously researching new
 defense and attack techniques

 and contributing with the security community with high quality information
 exchange.

 For more information, please visit www.cybsec.com

 (c) 2011 - CYBSEC S.A. Security Systems

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread Thor (Hammer of God)
LOL.  Warning, if you get the user to execute code, then it is possible to get 
the user to execute code!!  All you have to do is get files on their system, 
and then get them to execute those files!   Note that once you get the user to 
execute the code, it will actually run in the context of that user!!  This is 
remote code execution vulnerability!

Welcome to today's Infosec!

t

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
Sent: Friday, September 02, 2011 1:06 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host 
DLL Hijacking

Are you guys seriously reporting that double clicking on a malicious .vbs file 
could lead to remote code execution? :P

Either I'm missing something (and I'd welcome a rebuttal here!) or you might as 
well add .exe to that list. All those extensions are already executable.
On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs 
cybsecl...@cybsec.commailto:cybsecl...@cybsec.com wrote:
Advisory Name: Windows Script Host DLL Hijacking

Internal Cybsec Advisory Id:
2011-0901-Windows Script Host DLL Hijacking

Vulnerability Class:
Remote Command Execution Vulnerability

Release Date:
September 2, 2011

Affected Applications:
Windows Script Host v5.6; other versions may also be affected

Affected Platforms:
Any running Windows Script Host v5.6

Local / Remote:
Remote / Local

Severity:
High - CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Researcher:
Juan Manuel Garcia

Vendor Status:
Acknowedged

Reference to Vulnerability Disclosure Policy
: http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:

DLL Hijacking takes advantage of the way an application dynamically

loads dll libraries without specifying a fully qualified path. This is

usually done invoking the LoadLibrary and LoadLibraryEx functions to

dynamically load DLLs.

In order to exploit this vulnerability a user must open a file with an

extension associated to the vulnerable application. A malicious dll,

named exactly as a dll the apllications loads using the vulnerable

function, must be placed in the same directory as the opened file.

The application will then load the malicious dll instead of the

original, thus executing the malicious code.

The following application loads external libraries following an insufficiently 
qualified path.
Application: wscript.exe
Extensions: js, jse, vbe, vbs, wsf, wsh
Library: wshesn.dll

Exploit:
Option 1 - Using the msfpayload Metasploit module as shown below:

msfpayload windows/exec CMD=calc.exe D  exploit.dll
Option 2 - Using the webdav_dll_hijacker Metasploit module.

Impact:

A successful exploit of this vulnerability leads to arbitrary code execution.

Vendor Response:

2011/08/09 - Vulnerability was identified.

2011/08/19 - Cybsec sent detailed information on the issue and a Proof of 
Concept.

2011/08/19 - Vendor stated: As a matter of policy, we cannot comment on 
ongoing investigations.

2011/08/19 - Vendor was informed that the security advisory would be published 
after 15 days.

2011/09/02 - Vulnerability was released.

Contact Information:

For more information regarding the vulnerability feel free to contact the 
researcher at

jmgarcia at cybsec dot com

About CYBSEC S.A. Security Systems

Since 1996,
CYBSEC is engaged exclusively in rendering professional services specialized in

Information Security. Their area of services covers Latin America, Spain and 
over 250 customers are a

proof of their professional life.

To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is 
associated with other

software and/or hardware provider companies.

Our services are strictly focused on Information Security, protecting our 
clients from emerging security

threats, maintaining their IT deployments available, safe, and reliable.

Beyond professional services, CYBSEC is continuously researching new defense 
and attack techniques

and contributing with the security community with high quality information 
exchange.

For more information, please visit www.cybsec.comhttp://www.cybsec.com

(c) 2011 - CYBSEC S.A. Security Systems

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
There's a reason we separate military and the police: one fights the enemy of 
the state, the other serves and protects the people. When the military becomes 
both, then the enemies of the state tend to become the people.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread root
You don't get the worst part: unsuccessful exploitation also leads to
code execution.
Scary stuff.

On 09/02/2011 05:05 PM, Mario Vilas wrote:
 Are you guys seriously reporting that double clicking on a malicious .vbs
 file could lead to remote code execution? :P
 
 Either I'm missing something (and I'd welcome a rebuttal here!) or you might
 as well add .exe to that list. All those extensions are already executable.
 
 On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.com wrote:
 
 **
 Advisory Name: Windows Script Host DLL Hijacking

 Internal Cybsec Advisory Id:
 2011-0901-Windows Script Host DLL Hijacking

 Vulnerability Class:
 Remote Command Execution Vulnerability

 Release Date:
 September 2, 2011

 Affected Applications:
 Windows Script Host v5.6; other versions may also be affected

 Affected Platforms:
 Any running Windows Script Host v5.6

 Local / Remote:
 Remote / Local

 Severity:
 High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

 Researcher:
 Juan Manuel Garcia

 Vendor Status:
 Acknowedged

 Reference to Vulnerability Disclosure Policy
 : http://www.cybsec.com/vulnerability_policy.pdf

 Vulnerability Description:

 DLL Hijacking takes advantage of the way an application dynamically

 loads dll libraries without specifying a fully qualified path. This is

 usually done invoking the LoadLibrary and LoadLibraryEx functions to

 dynamically load DLLs.

 In order to exploit this vulnerability a user must open a file with an

 extension associated to the vulnerable application. A malicious dll,

 named exactly as a dll the apllications loads using the vulnerable

 function, must be placed in the same directory as the opened file.

 The application will then load the malicious dll instead of the

 original, thus executing the malicious code.

 The following application loads external libraries following an
 insufficiently qualified path.

 Application: wscript.exe

 Extensions: js, jse, vbe, vbs, wsf, wsh

 Library: wshesn.dll

 Exploit:

 Option 1 - Using the “msfpayload” Metasploit module as shown below:

 msfpayload windows/exec CMD=calc.exe D  exploit.dll

 Option 2 - Using the “webdav_dll_hijacker” Metasploit module.

 Impact:

 A successful exploit of this vulnerability leads to arbitrary code
 execution.

 Vendor Response:

 2011/08/09 – Vulnerability was identified.

 2011/08/19 – Cybsec sent detailed information on the issue and a Proof of
 Concept.

 2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on
 ongoing investigations”.

 2011/08/19 – Vendor was informed that the security advisory would be
 published after 15 days.

 2011/09/02 – Vulnerability was released.

 Contact Information:

 For more information regarding the vulnerability feel free to contact the
 researcher at

 jmgarcia at cybsec dot com

 About CYBSEC S.A. Security Systems

 Since 1996,
 CYBSEC is engaged exclusively in rendering professional services
 specialized in

 Information Security. Their area of services covers Latin America, Spain
 and over 250 customers are a

 proof of their professional life.

 To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is
 associated with other

 software and/or hardware provider companies.

 Our services are strictly focused on Information Security, protecting our
 clients from emerging security

 threats, maintaining their IT deployments available, safe, and reliable.

 Beyond professional services, CYBSEC is continuously researching new
 defense and attack techniques

 and contributing with the security community with high quality information
 exchange.

 For more information, please visit www.cybsec.com

 (c) 2011 - CYBSEC S.A. Security Systems

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

 
 
 
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread Nahuel Grisolia
List,

On 09/02/2011 06:45 PM, root wrote:
 You don't get the worst part: unsuccessful exploitation also leads to
 code execution.
 Scary stuff.
 
 On 09/02/2011 05:05 PM, Mario Vilas wrote:
 Are you guys seriously reporting that double clicking on a malicious .vbs
 file could lead to remote code execution? :P

 Either I'm missing something (and I'd welcome a rebuttal here!) or you might
 as well add .exe to that list. All those extensions are already executable.

I think that they're talking about that executing a trusted vbs could
lead to the execution of malicious code.

:S

regards,
-- 
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread GloW - XD
but if you execute a trusted vbs, you would successfully exploit anything
wouldnt you ?
id would be like running a dll using rundll32.exe my.dll , cept a vbs :s

to me makes no sense, never has, and i know what loadlibrary does, i looked
at the implications of theyre advisories, i remember when we were swarmed by
about 100 dlls wich were not 'unloaded' rproperly... lol... ok anyhow, this
makes no sense, executing a trusted vbs is 'script' many viruses have been
named .vbs and run vb script...right? so why would we need news on this...
xd


On 3 September 2011 07:53, Nahuel Grisolia nah...@bonsai-sec.com wrote:

 List,

 On 09/02/2011 06:45 PM, root wrote:
  You don't get the worst part: unsuccessful exploitation also leads to
  code execution.
  Scary stuff.
 
  On 09/02/2011 05:05 PM, Mario Vilas wrote:
  Are you guys seriously reporting that double clicking on a malicious
 .vbs
  file could lead to remote code execution? :P
 
  Either I'm missing something (and I'd welcome a rebuttal here!) or you
 might
  as well add .exe to that list. All those extensions are already
 executable.

 I think that they're talking about that executing a trusted vbs could
 lead to the execution of malicious code.

 :S

 regards,
 --
 Nahuel Grisolia - C|EH
 Information Security Consultant
 Bonsai Information Security Project Leader
 http://www.bonsai-sec.com/
 (+54-11) 4777-3107

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread root
What you say? my trolling hampered by facts? unpossible!

On 09/02/2011 06:53 PM, Nahuel Grisolia wrote:
 List,
 
 On 09/02/2011 06:45 PM, root wrote:
 You don't get the worst part: unsuccessful exploitation also leads to
 code execution.
 Scary stuff.

 On 09/02/2011 05:05 PM, Mario Vilas wrote:
 Are you guys seriously reporting that double clicking on a malicious .vbs
 file could lead to remote code execution? :P

 Either I'm missing something (and I'd welcome a rebuttal here!) or you might
 as well add .exe to that list. All those extensions are already executable.
 
 I think that they're talking about that executing a trusted vbs could
 lead to the execution of malicious code.
 
 :S
 
 regards,

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread Valdis . Kletnieks
On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said:

 LOL.  Warning, if you get the user to execute code, then it is possible to
 get the user to execute code!!  All you have to do is get files on their
 system, and then get them to execute those files!   Note that once you get the
 user to execute the code, it will actually run in the context of that user!!
 This is remote code execution vulnerability!

 Welcome to today's Infosec!

The sad part is that this is the future of infosec as well.  Microsoft got the
security religion a few years back, and even I have to admit their current stuff
isn't that bad at all.  The various Linux distros are (slowly) getting their
acts together, and maybe even Apple and Adobe will see the light sometime
reasonably soon. Yes, there will still be software failures - but once the 
effort
of finding a new 0-day reaches a certain point, the economics change

And once that happens, social engineering will become an even bigger part of
both the attack and defense sides of infosec.  For the black hats, the cost/
benefit of looking for effective 0-day holes will continue to drop, while the
cost/benefit of phishing a user will remain steady - so that's a push towards
more social engineering. Why go to the effort of spending 3 months finding a
browser bug that allows you to push malware to the victim's machine, when you
can just spend 45 minutes creating a Your machine is infected - click here to
fix it pop-up that will catch 80% of the people?

Meanwhile, as the software gets more hardened and patching is more automated,
the white hats will find a bigger percent of their time is spent defending
their systems from attacks triggered by their own users.  Because the failure
rate of people's brains is already about 4.7*10**9 times as high as the
software failure rate, and the ratio is only getting worse - software is
improving, people aren't.

Prediction 1: 10 years from now, organized crime will be hiring cognitive
psychologists to help design more effective phish the way they currently hire
programmers to write better spambots.

Prediction 2: It ain't gonna get better till the average IQ starts going up 
faster
than the software improves.



pgp0MojC9aHat.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread Mario Vilas
If it's a trusted .vbs then how would you drop a .dll in the same directory?
If you have write permissions it's easier to just modify the .vbs.

You might as well claim the added value is to backdoor a .vbs file
subrepticiously so it doesn't show when inspecting the source code. But it
doesn't add that much, really, since a new and misterious .dll file would
also draw the attention, so it's probably easier to hide malicious intent
into the source code by obfuscating it.

On Fri, Sep 2, 2011 at 11:53 PM, Nahuel Grisolia nah...@bonsai-sec.comwrote:

 List,

 On 09/02/2011 06:45 PM, root wrote:
  You don't get the worst part: unsuccessful exploitation also leads to
  code execution.
  Scary stuff.
 
  On 09/02/2011 05:05 PM, Mario Vilas wrote:
  Are you guys seriously reporting that double clicking on a malicious
 .vbs
  file could lead to remote code execution? :P
 
  Either I'm missing something (and I'd welcome a rebuttal here!) or you
 might
  as well add .exe to that list. All those extensions are already
 executable.

 I think that they're talking about that executing a trusted vbs could
 lead to the execution of malicious code.

 :S

 regards,
 --
 Nahuel Grisolia - C|EH
 Information Security Consultant
 Bonsai Information Security Project Leader
 http://www.bonsai-sec.com/
 (+54-11) 4777-3107

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread Mario Vilas
I disagree. If this so called vulnerability had any added value in terms
of social engineering, it would actually make sense to report it. Social
engineering isn't bad, I really don't care how leet it is. My claim is
simpler: this advisory makes no sense at all, because it replaces an easy
way of exploitation for a hard way of exploitation, so its added value is
actually *negative* for the attacker.

Most likely whoever found this is new in the infosec world and never stopped
to consider this details - he/she just blindly repeated what the dll
injection crowd was doing and posted whatever results were found, without
understanding really well what was going on.

And THAT is the state of infosec today. People who report stuff for the sake
of reporting, without really understanding how things work or why.

On Fri, Sep 2, 2011 at 11:46 PM, valdis.kletni...@vt.edu wrote:

 On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said:

  LOL.  Warning, if you get the user to execute code, then it is possible
 to
  get the user to execute code!!  All you have to do is get files on their
  system, and then get them to execute those files!   Note that once you
 get the
  user to execute the code, it will actually run in the context of that
 user!!
  This is remote code execution vulnerability!

  Welcome to today's Infosec!

 The sad part is that this is the future of infosec as well.  Microsoft got
 the
 security religion a few years back, and even I have to admit their current
 stuff
 isn't that bad at all.  The various Linux distros are (slowly) getting
 their
 acts together, and maybe even Apple and Adobe will see the light sometime
 reasonably soon. Yes, there will still be software failures - but once the
 effort
 of finding a new 0-day reaches a certain point, the economics change

 And once that happens, social engineering will become an even bigger part
 of
 both the attack and defense sides of infosec.  For the black hats, the
 cost/
 benefit of looking for effective 0-day holes will continue to drop, while
 the
 cost/benefit of phishing a user will remain steady - so that's a push
 towards
 more social engineering. Why go to the effort of spending 3 months finding
 a
 browser bug that allows you to push malware to the victim's machine, when
 you
 can just spend 45 minutes creating a Your machine is infected - click here
 to
 fix it pop-up that will catch 80% of the people?

 Meanwhile, as the software gets more hardened and patching is more
 automated,
 the white hats will find a bigger percent of their time is spent defending
 their systems from attacks triggered by their own users.  Because the
 failure
 rate of people's brains is already about 4.7*10**9 times as high as the
 software failure rate, and the ratio is only getting worse - software is
 improving, people aren't.

 Prediction 1: 10 years from now, organized crime will be hiring cognitive
 psychologists to help design more effective phish the way they currently
 hire
 programmers to write better spambots.

 Prediction 2: It ain't gonna get better till the average IQ starts going up
 faster
 than the software improves.




-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread GloW - XD
hi, hope you are well,

Prediction 3: Until spammers learn PROP use of english, things wont change,
the spam will still ahve speeling errors.

thats about the only thing saving some of us i think...
thats my own observation, and seems to go back to when i was phreaking
'engineering' via telephone, using att pbx cards, to act like a security
engineer at att to get more cards, wich, lasted many years... the people
who could NOT phish, and relied on the few who could, were all europeans,
wich yes now this has changed.
originally, and in general, the better use of language wich is what prevails
with most social engineering in any format and will always continue to,
however, the use of english is also nowdays becoming easier to learn, people
are becoming smarter from each failure, wich is why computers failure rate
dissolves.
Social engineering was the basis of many hackers/black or white, in some
form, many years ago... there is not much documented on it but hey, im just
yer avergae Eric jones.
Anyhow, have a good day sir, interesting topically, in 2011..
cheers,
xd




On 3 September 2011 07:46, valdis.kletni...@vt.edu wrote:

 On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said:

  LOL.  Warning, if you get the user to execute code, then it is possible
 to
  get the user to execute code!!  All you have to do is get files on their
  system, and then get them to execute those files!   Note that once you
 get the
  user to execute the code, it will actually run in the context of that
 user!!
  This is remote code execution vulnerability!

  Welcome to today's Infosec!

 The sad part is that this is the future of infosec as well.  Microsoft got
 the
 security religion a few years back, and even I have to admit their current
 stuff
 isn't that bad at all.  The various Linux distros are (slowly) getting
 their
 acts together, and maybe even Apple and Adobe will see the light sometime
 reasonably soon. Yes, there will still be software failures - but once the
 effort
 of finding a new 0-day reaches a certain point, the economics change

 And once that happens, social engineering will become an even bigger part
 of
 both the attack and defense sides of infosec.  For the black hats, the
 cost/
 benefit of looking for effective 0-day holes will continue to drop, while
 the
 cost/benefit of phishing a user will remain steady - so that's a push
 towards
 more social engineering. Why go to the effort of spending 3 months finding
 a
 browser bug that allows you to push malware to the victim's machine, when
 you
 can just spend 45 minutes creating a Your machine is infected - click here
 to
 fix it pop-up that will catch 80% of the people?

 Meanwhile, as the software gets more hardened and patching is more
 automated,
 the white hats will find a bigger percent of their time is spent defending
 their systems from attacks triggered by their own users.  Because the
 failure
 rate of people's brains is already about 4.7*10**9 times as high as the
 software failure rate, and the ratio is only getting worse - software is
 improving, people aren't.

 Prediction 1: 10 years from now, organized crime will be hiring cognitive
 psychologists to help design more effective phish the way they currently
 hire
 programmers to write better spambots.

 Prediction 2: It ain't gonna get better till the average IQ starts going up
 faster
 than the software improves.


 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-02 Thread GloW - XD
I must agree, considering i have yet to see it used in even botnet circles,
who would surely have used a decent local exploit if it was 'decent'... I
know this dll hijacking, has gone unpassed to the community in general
because of its useless ness.
I agree completely, i never have seen this actively exploited, nor part of a
decent framework where it can be used in a remote or local session
Basically, it is something to wich i read the PDF on, and thought here is
the most useless 'exploit' as it was being called , i have ever, laid eyes
on , my opinion still has yet to be changed by any factor, there could be
many factors, ie: exploitation even in the wild reported, or just someone
saying hey dont forget blah.c! , but this aint happened, nor will... hey
wanna read msdn and look and see how a lib is loaded would make more sense.
I still dont see anything 'good' in this whole fiasco of the dll hijacking.
no active code/poc. etc etc etc as i said, many factors id reconsider my
stance on...
anyhow, enjoyable topic.
xd


On 3 September 2011 11:03, Mario Vilas mvi...@gmail.com wrote:

 I disagree. If this so called vulnerability had any added value in terms
 of social engineering, it would actually make sense to report it. Social
 engineering isn't bad, I really don't care how leet it is. My claim is
 simpler: this advisory makes no sense at all, because it replaces an easy
 way of exploitation for a hard way of exploitation, so its added value is
 actually *negative* for the attacker.

 Most likely whoever found this is new in the infosec world and never
 stopped to consider this details - he/she just blindly repeated what the dll
 injection crowd was doing and posted whatever results were found, without
 understanding really well what was going on.

 And THAT is the state of infosec today. People who report stuff for the
 sake of reporting, without really understanding how things work or why.

 On Fri, Sep 2, 2011 at 11:46 PM, valdis.kletni...@vt.edu wrote:

 On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said:

  LOL.  Warning, if you get the user to execute code, then it is possible
 to
  get the user to execute code!!  All you have to do is get files on their
  system, and then get them to execute those files!   Note that once you
 get the
  user to execute the code, it will actually run in the context of that
 user!!
  This is remote code execution vulnerability!

  Welcome to today's Infosec!

 The sad part is that this is the future of infosec as well.  Microsoft got
 the
 security religion a few years back, and even I have to admit their current
 stuff
 isn't that bad at all.  The various Linux distros are (slowly) getting
 their
 acts together, and maybe even Apple and Adobe will see the light sometime
 reasonably soon. Yes, there will still be software failures - but once the
 effort
 of finding a new 0-day reaches a certain point, the economics change

 And once that happens, social engineering will become an even bigger part
 of
 both the attack and defense sides of infosec.  For the black hats, the
 cost/
 benefit of looking for effective 0-day holes will continue to drop, while
 the
 cost/benefit of phishing a user will remain steady - so that's a push
 towards
 more social engineering. Why go to the effort of spending 3 months finding
 a
 browser bug that allows you to push malware to the victim's machine, when
 you
 can just spend 45 minutes creating a Your machine is infected - click
 here to
 fix it pop-up that will catch 80% of the people?

 Meanwhile, as the software gets more hardened and patching is more
 automated,
 the white hats will find a bigger percent of their time is spent defending
 their systems from attacks triggered by their own users.  Because the
 failure
 rate of people's brains is already about 4.7*10**9 times as high as the
 software failure rate, and the ratio is only getting worse - software is
 improving, people aren't.

 Prediction 1: 10 years from now, organized crime will be hiring cognitive
 psychologists to help design more effective phish the way they currently
 hire
 programmers to write better spambots.

 Prediction 2: It ain't gonna get better till the average IQ starts going
 up faster
 than the software improves.




 --
 “There's a reason we separate military and the police: one fights the enemy
 of the state, the other serves and protects the people. When the military
 becomes both, then the enemies of the state tend to become the people.”


 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/