Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation

2013-09-02 Thread Stefan Kanthak
> I am truly shocked that seemingly, stuff like this needs to be said in
> the year of 2013.

Completely right!

> I'd have supposed that things like these should be known by *anyone*
> doing anything even remotely similar to software development *at least*
> since the end of the 8.3 filename era 15 years ago.

Again: completely right!

> Are you sure this is real and not a prank? o_O

This is real: see https://support.microsoft.com/kb/2781197 alias
http://technet.microsoft.com/security/bulletin/ms13-034 or
http://seclists.org/fulldisclosure/2013/May/10 for exactly this stuff.

And don't forget to read http://seclists.org/fulldisclosure/2013/Aug/75
as well as http://seclists.org/fulldisclosure/2013/May/14.


Also see https://bugzilla.mozilla.org/show_bug.cgi?id=871084,
https://bugzilla.mozilla.org/show_bug.cgi?id=786407 and
https://bugzilla.mozilla.org/show_bug.cgi?id=868746 and notice
especially how a Mozilla developer tries to weasel and ignore
http://msdn.microsoft.com/library/ms997548.aspx!


JFTR: Windows is the ONLY system that covers such silly beginners' errors
      due to the documented idiosyncrasy of CreateProcess() (see
      http://msdn.microsoft.com/library/ms682425.aspx).


Finally take a look at the registry subkey

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

of your own Windows installation (if you have one): you'll most probably
find unquoted pathnames in UninstallString, for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SumatraPDF]
"UninstallString"="C:\\Program Files\\SumatraPDF\\uninstall.exe"


regards
Stefan

> regards
> Pascal Ernster

[ fullquote removed ]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation

2013-08-31 Thread Stefan Kanthak
Hi,

in http://seclists.org/fulldisclosure/2013/Aug/75 I documented
beginners' errors (unquoted pathnames containing spaces), not only
in Microsoft products.

Microsoft's developer documentation, however, shows these beginners'
errors too (and is inconsistent, even within single topics).

Examples:

http://msdn.microsoft.com/library/cc144171.aspx

| HKEY_CLASSES_ROOT
|    txtile
...
|       Shell
...
|          cmd2
...
|             command
|                (Default) = C:\Program Files\Windows NT\Accessories\wordpad.exe %1
                                      ~~~           ~~

http://msdn.microsoft.com/library/bb165967.aspx

| [HKEY_CLASSES_ROOT\Applications\VSLauncher.exe\Shell\Open\Command]
| @="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe \"%1\""

| [HKEY_CLASSES_ROOT\VisualStudio.csproj.8.0\shell\Open\Command]
| @="\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe\" \"%1\""


http://msdn.microsoft.com/library/cc144083.aspx

| HKEY_LOCAL_MACHINE
|    SOFTWARE
|       Classes
|          contoso-search
|             shell
|                open
|                   command
|                      (Default) = %ProgramFiles%\Contoso\Search\contososearch.exe %1
                                   ~~~~~~~~~~~~~~                                  ~~

http://msdn.microsoft.com/library/cc144154.aspx

| HKEY_LOCAL_MACHINE
|    SOFTWARE
|       Classes
|          LitwarePlayer11.AssocFile
...
|             shell
|                open
|                   command
|                      (Default) = %ProgramFiles%\Litware\litware.exe
                                   ~~~~~~~~~~~~~~

http://msdn.microsoft.com/library/hh127450.aspx

| HKEY_CLASSES_ROOT
|    CLSID
|       {0052D9FC-6764-4D29-A66F-2F3BD9E2BB40}
|          Shell
|             Open
|                Command
|                   (Default) = [REG_EXPAND_SZ] %ProgramFiles%\MyCorp\MyApp.exe /Settings
                                                ~~~~~~~~~~~~~~


http://msdn.microsoft.com/library/cc144188.aspx

| <sh:task id="{3B75A7AE-C4E4-4E5A-9420-7CECCDA75425}">
|    <!-- This is a generated GUID, specific to this task link -->
|    <sh:name>@myTextResources.dll,-100</sh:name>
|    <sh:keywords>@myTextResources.dll,-101</sh:keywords>
|    <sh:command>%ProgramFiles%\Microsoft Games\Solitaire\solitaire.exe</sh:command>
                                        ~~
| </sh:task>


Example with ambiguous/inconsistent use of quotes:

http://msdn.microsoft.com/en-us/library/aa767914.aspx

| HKEY_CLASSES_ROOT
|    alert
|       (Default) = "URL:Alert Protocol"
                    ^                  ^
|       URL Protocol = ""
                       ^^
|       DefaultIcon
|          (Default) = "alert.exe,1"
                       ^           ^
|       shell
|          open
|             command
|                (Default) = "C:\Program Files\Alert\alert.exe" "%1"


Counterexamples:

http://msdn.microsoft.com/library/cc144175.aspx
http://msdn.microsoft.com/library/cc144101.aspx

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.


http://msdn.microsoft.com/library/dd203067.aspx
http://msdn.microsoft.com/library/cc144109.aspx


regards
Stefan Kanthak

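As an added example (not code from the thread, from Microsoft, or from any product named in it), here is a small audit script that follows the candidate sequence the CreateProcess() documentation linked above gives for an unquoted command line and applies it to values of the kind both of Stefan's posts quote: UninstallString entries under the Uninstall key and shell\open\command defaults, including REG_EXPAND_SZ values whose space only appears once %ProgramFiles% has been expanded. The registry values, the ENV expansion table and the rule for picking the intended executable (the first space-delimited prefix that carries an extension) are assumptions of the example.

```python
r"""Audit Windows command strings for unquoted pathnames that contain spaces.

Added example; not code from the thread, from Microsoft or from any project
named in it. It re-implements, in Python, the sequence of module names that
the CreateProcess() documentation (msdn ms682425, linked in the thread) says
is tried for an unquoted command line, and uses that sequence to flag
UninstallString and shell\open\command values an auditor would want quoted.
All registry values below are constructed samples; nothing here reads a real
registry, and ENV is an assumed stand-in for ExpandEnvironmentStrings().
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed expansion table (stand-in for the machine's environment block).
ENV: Dict[str, str] = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\Windows"}
_PERCENT_VAR = re.compile(r"%([^%]+)%")


def expand_env(value: str, env: Dict[str, str] = ENV) -> str:
    r"""Expand %VAR% as a REG_EXPAND_SZ value is expanded before it is executed.
    A value with no literal space (%ProgramFiles%\...) can gain one here."""
    return _PERCENT_VAR.sub(lambda m: env.get(m.group(1), m.group(0)), value)


def _has_extension(path: str) -> bool:
    """Extension test on the last path component only, as the loader sees it."""
    return "." in path.rsplit("\\", 1)[-1]


def _space_prefixes(cmd: str) -> List[str]:
    """Every prefix of the command line ending just before a space (or at its end)."""
    tokens = cmd.split()
    return [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]


def createprocess_candidates(cmd: str) -> List[str]:
    r"""Module names CreateProcess() tries, in order, for an UNQUOTED command line.

    Follows the worked example in the CreateProcess() documentation: the string
    is cut at each space in turn, and .exe is appended when the cut-off prefix
    has no extension. For 'c:\program files\sub dir\program name' that yields
    c:\program.exe, c:\program files\sub.exe, c:\program files\sub dir\program.exe
    and c:\program files\sub dir\program name.exe. A quoted string is not
    ambiguous and yields an empty list.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return []
    return [p if _has_extension(p) else p + ".exe" for p in _space_prefixes(cmd)]


@dataclass
class Finding:
    location: str        # where the value lives (constructed registry path)
    raw: str             # value as stored
    expanded: str        # value after %VAR% expansion
    quoted: bool         # executable delimited by quotation marks
    intended_exe: str    # the program the value is meant to start
    misparse_risks: List[str] = field(default_factory=list)  # probed before intended_exe

    @property
    def ambiguous(self) -> bool:
        """True when CreateProcess() would probe a shorter path before the intended one."""
        return bool(self.misparse_risks)


def audit_command(location: str, raw: str, env: Dict[str, str] = ENV) -> Finding:
    """Expand the value, then work out what CreateProcess() would do with it.

    Heuristic (an assumption of this example) for the intended executable of an
    unquoted string: the first space-cut prefix whose last component carries an
    extension, or the whole string if none does. Everything tried before it is
    a misparse risk.
    """
    expanded = expand_env(raw, env).strip()
    if expanded.startswith('"'):
        end = expanded.find('"', 1)
        exe = expanded[1:end] if end != -1 else expanded[1:]
        return Finding(location, raw, expanded, True, exe)
    prefixes = _space_prefixes(expanded)
    if not prefixes:
        return Finding(location, raw, expanded, False, "")
    idx = next((i for i, p in enumerate(prefixes) if _has_extension(p)), len(prefixes) - 1)
    candidates = createprocess_candidates(expanded)
    return Finding(location, raw, expanded, False, candidates[idx], candidates[:idx])


def quote_command(exe: str, *args: str) -> str:
    """Build the value the way the MSDN note quoted in the thread prescribes:
    the executable and every argument that may contain spaces in quotation marks."""
    return " ".join('"%s"' % part for part in (exe,) + args)


def suggested_fix(finding: Finding) -> str:
    """Re-quote an ambiguous (expanded) value around the identified executable."""
    rest = finding.expanded[len(finding.intended_exe):].split()
    return quote_command(finding.intended_exe, *rest)


# Constructed sample values, loosely modelled on the examples in the thread.
SAMPLES: List[Tuple[str, str]] = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SumatraPDF\UninstallString",
     r"C:\Program Files\SumatraPDF\uninstall.exe"),
    (r"HKCR\LitwarePlayer11.AssocFile\shell\open\command\(Default)",
     r"%ProgramFiles%\Litware\litware.exe"),                        # space only after expansion
    (r"HKCR\txtile\Shell\cmd2\command\(Default)",
     r"C:\Program Files\Windows NT\Accessories\wordpad.exe %1"),
    (r"HKCR\Applications\VSLauncher.exe\Shell\Open\Command\(Default)",
     r'"C:\Program Files\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe" "%1"'),  # quoted
    (r"HKCR\txtile\Shell\doit\command\(Default)",
     r"C:\Windows\System32\notepad.exe %1"),                        # unquoted, no space in path
]


def audit_all(samples: List[Tuple[str, str]] = SAMPLES, env: Dict[str, str] = ENV) -> List[Finding]:
    return [audit_command(loc, raw, env) for loc, raw in samples]


if __name__ == "__main__":
    for f in audit_all():
        print(("AMBIGUOUS " if f.ambiguous else "ok        ") + f.location)
        for risk in f.misparse_risks:
            print("    probed first: " + risk)
        if f.ambiguous:
            print("    quote as:     " + suggested_fix(f))
```

Run stand-alone it prints one line per sample with the shorter paths CreateProcess() would probe before the intended program and the quoted form to store instead; the same audit_command() can be fed values exported from a real machine, which is the check to run against the Uninstall subkey the first post points at.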


Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation

2013-08-31 Thread hardfalcon
I am truly shocked that seemingly, stuff like this needs to be said in
the year of 2013. I'd have supposed that things like these should be
known by *anyone* doing anything even remotely similar to software
development *at least* since the end of the 8.3 filename era 15 years
ago. Are you sure this is real and not a prank? o_O

regards
Pascal Ernster


On 31.08.2013 12:58, Stefan Kanthak wrote:
[ fullquote removed ]


Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation

2013-08-31 Thread adam
I'm on the same page as Pascal, what is the point of this? The part
that really stands out for me is how Microsoft is being singled out
here. If it's about their documentation, then it's not really about a
vulnerability. If it's NOT about their documentation, then you'd be
hard pressed to find a platform that _doesn't_ work this way.

On Sat, Aug 31, 2013 at 8:37 AM,  hardfal...@hardfalcon.net wrote:
[ fullquote removed ]