Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation
> I am truly shocked that seemingly, stuff like this needs to be said in
> the year of 2013.

Completely right!

> I'd have supposed that things like these should be known by *anyone*
> doing anything even remotely similar to software development *at least*
> since the end of the 8.3 filename era 15 years ago.

Again: completely right!

> Are you sure this is real and not a prank? o_O

This is real: see https://support.microsoft.com/kb/2781197 alias
http://technet.microsoft.com/security/bulletin/ms13-034 or
http://seclists.org/fulldisclosure/2013/May/10 for exactly this stuff.

And don't forget to read http://seclists.org/fulldisclosure/2013/Aug/75
as well as http://seclists.org/fulldisclosure/2013/May/14

Also see https://bugzilla.mozilla.org/show_bug.cgi?id=871084,
https://bugzilla.mozilla.org/show_bug.cgi?id=786407 and
https://bugzilla.mozilla.org/show_bug.cgi?id=868746, and notice
especially how a Mozilla developer tries to weasel and ignore
http://msdn.microsoft.com/ibrary/ms997548.aspx!

JFTR: Windows is the ONLY system that covers such silly beginners' errors
due to the documented idiosyncrasy of CreateProcess() (see
http://msdn.microsoft.com/library/ms682425.aspx).

Finally take a look at the registry subkey
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
of your own Windows installation (if you have one): you'll most probably
find unquoted pathnames in UninstallString, for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SumatraPDF]
"UninstallString"="C:\\Program Files\\SumatraPDF\\uninstall.exe"

regards
Stefan

> regards
> Pascal Ernster

[ fullquote removed ]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation
Hi,

in http://seclists.org/fulldisclosure/2013/Aug/75 I documented beginners'
errors (unquoted pathnames containing spaces) not only in Microsoft
products.

Microsoft's developer documentation shows these beginners' errors too
(and is inconsistent, even in single topics). Examples:

http://msdn.microsoft.com/library/cc144171.aspx

| HKEY_CLASSES_ROOT
|   txtfile
|     ...
|     Shell
|       ...
|       cmd2
|         ...
|         command
|           (Default) = C:\Program Files\Windows NT\Accessories\wordpad.exe %1
|                                ~~~            ~~

http://msdn.microsoft.com/library/bb165967.aspx

| [HKEY_CLASSES_ROOT\Applications\VSLauncher.exe\Shell\Open\Command]
| @="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe \"%1\""
|
| [HKEY_CLASSES_ROOT\VisualStudio.csproj.8.0\shell\Open\Command]
| @="\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe\" \"%1\""

http://msdn.microsoft.com/library/cc144083.aspx

| HKEY_LOCAL_MACHINE
|   SOFTWARE
|     Classes
|       contoso-search
|         shell
|           open
|             command
|               (Default) = %ProgramFiles%\Contoso\Search\contososearch.exe %1
|                           ~~~         ~~

http://msdn.microsoft.com/library/cc144154.aspx

| HKEY_LOCAL_MACHINE
|   SOFTWARE
|     Classes
|       LitwarePlayer11.AssocFile
|         ...
|         shell
|           open
|             command
|               (Default) = %ProgramFiles%\Litware\litware.exe
|                           ~~

http://msdn.microsoft.com/library/hh127450.aspx

| HKEY_CLASSES_ROOT
|   CLSID
|     {0052D9FC-6764-4D29-A66F-2F3BD9E2BB40}
|       Shell
|         Open
|           Command
|             (Default) = [REG_EXPAND_SZ] %ProgramFiles%\MyCorp\MyApp.exe /Settings
|                                         ~~~

http://msdn.microsoft.com/library/cc144188.aspx

| <sh:task id="{3B75A7AE-C4E4-4E5A-9420-7CECCDA75425}">
|   <!-- This is a generated GUID, specific to this task link -->
|   <sh:name>@myTextResources.dll,-100</sh:name>
|   <sh:keywords>@myTextResources.dll,-101</sh:keywords>
|   <sh:command>%ProgramFiles%\Microsoft Games\Solitaire\solitaire.exe</sh:command>
|                                        ~~
| </sh:task>

Example with ambiguous/inconsistent use of quotes:

http://msdn.microsoft.com/en-us/library/aa767914.aspx

| HKEY_CLASSES_ROOT
|   alert
|     (Default) = "URL:Alert Protocol"
|                 ^                  ^
|     URL Protocol = ""
|                    ^^
|     DefaultIcon
|       (Default) = "alert.exe,1"
|                   ^           ^
|     shell
|       open
|         command
|           (Default) = "C:\Program Files\Alert\alert.exe" "%1"

Counterexamples:

http://msdn.microsoft.com/library/cc144175.aspx

http://msdn.microsoft.com/library/cc144101.aspx

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as %1 that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.

http://msdn.microsoft.com/library/dd203067.aspx

http://msdn.microsoft.com/library/cc144109.aspx

regards
Stefan Kanthak
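The point of Stefan's post above (command strings whose unquoted executable path contains a space, including ones hidden behind %ProgramFiles%) and of his earlier reply (the documented CreateProcess() behaviour and the UninstallString values in the Uninstall subkey) can be checked mechanically. The following is an added Python example, not code from the thread or from Microsoft: it enumerates the module names CreateProcess() tries, in the order the MSDN topic he links describes (cut the unquoted head at each space in turn, append .exe where there is no extension), expands %VAR% references with a constructed table, and reports every registry value where some other candidate is tried before the intended executable. The SAMPLES dictionary, the ENV table and the hypothetical helper read_uninstall_strings() (which on Windows reads the Uninstall subkey through winreg and elsewhere returns nothing) are assumptions of this example, modelled on the values quoted in the thread.

```python
"""Audit Windows command strings (registry "command" values, UninstallString)
for unquoted executable paths that contain spaces.

Added example for the thread; not code from the posts. The sample values
and the environment table below are constructed for the example.
"""
import re
import sys

# Constructed expansion table. On a real system pass os.environ instead.
ENV = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\Windows"}

# Constructed samples, modelled on values quoted in the thread.
SAMPLES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SumatraPDF":
        r"C:\Program Files\SumatraPDF\uninstall.exe",
    r"HKCR\txtfile\Shell\cmd2\command":
        r"C:\Program Files\Windows NT\Accessories\wordpad.exe %1",
    r"HKLM\SOFTWARE\Classes\contoso-search\shell\open\command":
        r"%ProgramFiles%\Contoso\Search\contososearch.exe %1",
    r"HKCR\quoted-example\shell\open\command":        # constructed: safe form
        r'"%ProgramFiles%\Litware\litware.exe" "%1"',
    r"HKCR\nospace-example\shell\open\command":       # constructed: no space
        r"C:\Tools\litware.exe %1",
}


def expand(cmd, env=ENV):
    """Expand %VAR% references the way a REG_EXPAND_SZ value is expanded."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), cmd)


def createprocess_candidates(cmd):
    """Module names CreateProcess tries, in order, when lpApplicationName is
    NULL (MSDN ms682425): a quoted head is used as-is; an unquoted head is
    cut at each space in turn, and .exe is appended to a piece that has no
    extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    pieces = [cmd[:i] for i, ch in enumerate(cmd) if ch == " "] + [cmd]
    return [p if re.search(r"\.[^\\ ]+$", p) else p + ".exe" for p in pieces]


def intended_executable(expanded):
    """The executable the author meant: the string up to the first '.exe',
    or the first space-delimited token if there is none."""
    m = re.search(r"\.exe\b", expanded, re.IGNORECASE)
    return expanded[:m.end()] if m else expanded.split(" ", 1)[0]


def tried_before_intended(cmd, env=ENV):
    """Candidates CreateProcess would try before the intended executable.
    A non-empty list means the path is unquoted and contains a space."""
    expanded = expand(cmd, env).strip()
    if expanded.startswith('"'):
        return []
    cands = createprocess_candidates(expanded)
    intended = intended_executable(expanded)
    return cands[:cands.index(intended)] if intended in cands else cands


def audit(values, env=ENV):
    """Map each risky key to the candidates tried before the intended one."""
    return {k: bad for k, v in values.items() if (bad := tried_before_intended(v, env))}


def read_uninstall_strings():
    """Hypothetical helper: on Windows, collect UninstallString values from
    the Uninstall subkey named in the thread; elsewhere return {} because
    winreg only exists on Windows. A 32-bit Python on 64-bit Windows sees
    the WOW6432Node view unless KEY_WOW64_64KEY is requested."""
    if sys.platform != "win32":
        return {}
    import winreg
    base = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as sub:
                    found[base + "\\" + name] = winreg.QueryValueEx(sub, "UninstallString")[0]
            except OSError:          # subkey without an UninstallString value
                pass
    return found


if __name__ == "__main__":
    import os
    live = read_uninstall_strings()
    values, env = (live, dict(os.environ)) if live else (SAMPLES, ENV)
    for key, bad in audit(values, env).items():
        print(f"{key}\n    tried first: {bad}")
```

The report lists, per value, the module names that would be tried before the one the author meant, which is exactly the set of file names a defender should make sure nobody can create (and the reason the fix is to quote the path). Feeding it the live Uninstall subkey, as Stefan suggests, only needs the helper run on Windows.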
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation
I am truly shocked that seemingly, stuff like this needs to be said in
the year of 2013.

I'd have supposed that things like these should be known by *anyone*
doing anything even remotely similar to software development *at least*
since the end of the 8.3 filename era 15 years ago.

Are you sure this is real and not a prank? o_O

regards
Pascal Ernster

On 31.08.2013 12:58, Stefan Kanthak wrote:
> [ fullquote removed ]
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation
I'm on the same page as Pascal: what is the point of this?

The part that really stands out for me is how Microsoft is being singled
out here. If it's about their documentation, then it's not really about a
vulnerability. If it's NOT about their documentation, then you'd be hard
pressed to find a platform that _doesn't_ work this way.

On Sat, Aug 31, 2013 at 8:37 AM, hardfal...@hardfalcon.net wrote:
> [ fullquote removed ]