Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-13 Thread YGN Ethical Hacker Group
> Isn't *any* mechanism for code execution going to be effective with the use
> of social engineering?  I mean, isn't that what we've known for years, that
> the weakest component of any security system is the users?

Yes, we know. Don't get us wrong. We're not talking about Social Engineering.
We're talking about the Social Engineering Toolkit (SET) -
http://www.offensive-security.com/metasploit-unleashed/SET

What we mean is that DLL Hijacking adds a way to deliver a payload and
entice users to execute it.
We've already brought this to the attention of the SET authors and will
see how they leverage this issue.





On Mon, Sep 13, 2010 at 9:59 PM, Rohit Patnaik wrote:
>> DLL Hijacking is highly effective in combination with use of Social
>> Engineering Toolkit.

> -- Rohit Patnaik
>
> On Wed, Sep 8, 2010 at 3:36 AM, YGN Ethical Hacker Group 
> wrote:
>>
>> A vulnerability is a vulnerability.
>> A SQL Injection is a type of Vulnerability.
>> For each type of Vulnerability, there will be thousands of web
>> applications that might be vulnerable to it.
>> DLL Hijacking is the same.
>>
>> We do each post rather than a list so that security vulnerability news
>> sites can get as much detailed information as possible.
>>
>> If you don't want it, set a filter for each post subject with "DLL
>> Hijacking" or from our email.
>>
>> We can't underestimate such an easy flaw that leads to system
>> compromise or command execution under the user's privileges.
>>
>> Disabling remote share/WebDAV is not a solution to DLL Hijacking at all.
>>
>> DLL Hijacking is highly effective in combination with the use of
>> Social Engineering Toolkit.
>>
>>
>>
>>
>> On Tue, Sep 7, 2010 at 2:28 PM, Christian Sciberras 
>> wrote:
>> > I'm getting a bit tired of throwing away these "security advisories".
>> >
>> > Really, someone should install a whole load of popular applications,
>> > ensure
>> > any of them load their own files, and finally, thanks to a mass
>> > dependency
>> > check, ensure DWM is being loaded at runtime.
>> >
>> > At least, it would be just one email/thread to trash.
>> >
>> >
>> >
>>
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-13 Thread Rohit Patnaik
> DLL Hijacking is highly effective in combination with use of Social
> Engineering Toolkit.

Isn't *any* mechanism for code execution going to be effective with the use
of social engineering?  I mean, isn't that what we've known for years, that
the weakest component of any security system is the users?

-- Rohit Patnaik

On Wed, Sep 8, 2010 at 3:36 AM, YGN Ethical Hacker Group wrote:

> A vulnerability is a vulnerability.
> A SQL Injection is a type of Vulnerability.
> For each type of Vulnerability, there will be thousands of web
> applications that might be vulnerable to it.
> DLL Hijacking is the same.
>
> We do each post rather than a list so that security vulnerability news
> sites can get as much detailed information as possible.
>
> If you don't want it, set a filter for each post subject with "DLL
> Hijacking" or from our email.
>
> We can't underestimate such an easy flaw that leads to system
> compromise or command execution under the user's privileges.
>
> Disabling remote share/WebDAV is not a solution to DLL Hijacking at all.
>
> DLL Hijacking is highly effective in combination with the use of
> Social Engineering Toolkit.
>
>
>
>
> On Tue, Sep 7, 2010 at 2:28 PM, Christian Sciberras 
> wrote:
> > I'm getting a bit tired of throwing away these "security advisories".
> >
> > Really, someone should install a whole load of popular applications,
> ensure
> > any of them load their own files, and finally, thanks to a mass
> dependency
> > check, ensure DWM is being loaded at runtime.
> >
> > At least, it would be just one email/thread to trash.
> >
> >
> >
>
>

Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-13 Thread Stefan Kanthak
Christian Sciberras wrote:

> I can't take THAT seriously. At least not all of it.
> 
> The part that interested me most:
> 
>>  4. Should I find such vulnerability in many applications as I can?
>>
>>  You should not. It's just a waste of time and your energy. Focus on most 
>> popular application types/classes.
> 
> If, say, DWM.dll is exploitable, why not point *that* out rather than
> point out the many applications that are using it (wrongly)?

ANY DLL is/may be exploitable when referenced without its (often
well-known) complete pathname.
It IS necessary to name all the applications with unqualified
references and to have them fixed by their authors/vendors.

And there are MANY places where DLLs or EXEs are referenced, not just
in binaries: the registry, DESKTOP.INI files (especially in the start
menu and %ProgramFiles%), batch files (do you always reference CMD.EXE
as %SystemRoot%\System32\CMD.EXE? No? It really doesn't hurt!), scripts
(including AUTORUN.INF), ...

Stefan


> Oh, and the "report". For obvious reasons, I cannot include the full
> report. If I missed passing any detail, just ask and I'll fix right
> away.
> 
> http://img189.imageshack.us/img189/4801/31998033.png
> 
> 
> On Thu, Sep 9, 2010 at 8:10 PM, YGN Ethical Hacker Group  
> wrote:
>> Hi Christian
>>
>> My use of the word "Clean" doesn't mean (I'm not accusing you) that your
>> Windows is infected.
>> It's better to test DLL Hijacking in a clean copy of Windows without any
>> prior applications messing it up.
>>
>> Please take a look at
>> http://core.yehg.net/lab/pr0js/texts/when_testing_for_dll_hijacking.txt
>>
>> We thank ACROS Security for bringing life to this issue.
>> We'll take social responsibility as a security community to stop this
>> issue as much as we could.



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-09 Thread YGN Ethical Hacker Group
> If, say, DWM.dll is exploitable, why not point *that* out rather than
> point out the many applications that are using it (wrongly)?
>

As I might have said in an earlier mail, I have to do this so that
vulnerability news sites such as Secunia and SecuriTeam can get
enough information for each application. Most of them do it
automatically.
They can't process vulnerability posts like "Multiple
Vulnerabilities". They have to extract each item.
If you take a look at OSVDB, they put each vulnerability item
under the application it belongs to.

DLL Hijack posts are not spam; they serve that purpose.
You should filter them.


Everybody thinks that their ideas, actions and thoughts are right. And
everyone has his pride and ego.

You can never control someone's way of doing things. You can just tell
them, watch it or ignore it.  You can block all DLL Hijack posts if you
0wn this list. Thanks for your patience.



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-09 Thread YGN Ethical Hacker Group
Hi Christian

My use of the word "Clean" doesn't mean (I'm not accusing you) that your
Windows is infected.
It's better to test DLL Hijacking in a clean copy of Windows without any
prior applications messing it up.

Please take a look at
http://core.yehg.net/lab/pr0js/texts/when_testing_for_dll_hijacking.txt

We thank ACROS Security for bringing life to this issue.
We'll take social responsibility as a security community to stop this
issue as much as we could.



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-09 Thread Christian Sciberras
I can't take THAT seriously. At least not all of it.

The part that interested me most:

>  4. Should I find such vulnerability in many applications as I can?
>
>  You should not. It's just a waste of time and your energy. Focus on most 
> popular application types/classes.

If, say, DWM.dll is exploitable, why not point *that* out rather than
point out the many applications that are using it (wrongly)?



Oh, and the "report". For obvious reasons, I cannot include the full
report. If I missed passing any detail, just ask and I'll fix right
away.

http://img189.imageshack.us/img189/4801/31998033.png


On Thu, Sep 9, 2010 at 8:10 PM, YGN Ethical Hacker Group wrote:
> Hi Christian
>
> My use of the word "Clean" doesn't mean (I'm not accusing you) that your
> Windows is infected.
> It's better to test DLL Hijacking in a clean copy of Windows without any
> prior applications messing it up.
>
> Please take a look at
> http://core.yehg.net/lab/pr0js/texts/when_testing_for_dll_hijacking.txt
>
> We thank ACROS Security for bringing life to this issue.
> We'll take social responsibility as a security community to stop this
> issue as much as we could.
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-09 Thread Christian Sciberras
* replace my later "possible" with "dll" (to hell with distractions!)

Cheers,
Chris.



On Thu, Sep 9, 2010 at 12:52 PM, Christian Sciberras wrote:
>> Btw, you can simply turn our Internet-based test into an intranet or local
>> test by copying the files to your local share or a folder on your computer
>> and double-clicking the .wab file from there. The usual caution with
>> running code from unknown sources applies, of course.
>
> I did better: I wrote my own test, which, just like your test,
> failed to prove the vulnerability.
> The only difference was that I knew what was going wrong and tried to
> get it to work in all ways possible;
> it only seemed to work when the right possible wasn't anywhere near
> the running executable (or system directories).
>
> Unless the whole point of the vulnerability was to exploit non-existent dlls??
>
>> Can you please send the Process Monitor log for this case? We'll be happy
>> to look into your case.
>
> Sure, fine by me.
>
>
> Regards,
> Chris.
>
>
>
> On Thu, Sep 9, 2010 at 12:32 PM, Mitja Kolsek wrote:
>> Hi Chris,
>>
>>> Considering Acros highlighted how their POC was highly
>>> unstable (they've frequently advised to try the program
>>> several times to get it to work) I don't see such abnormal
>>> behaviour out of this world.
>>
>> Indeed, we're seeing problems with accessing (any) remote WebDAV shares
>> from various Windows computers, while it works just great on others. Based
>> on network monitoring, it doesn't seem to be a problem with the server
>> though, but rather with occasionally unreliable support for WebDAV folders
>> in Windows. We're looking for possible causes and especially for
>> workarounds that could improve the reliability.
>>
>> We'll appreciate your feedback - tell us how it worked or didn't work for
>> you. It's a chance for us all to learn something new.
>>
>> Btw, you can simply turn our Internet-based test into an intranet or local
>> test by copying the files to your local share or a folder on your computer
>> and double-clicking the .wab file from there. The usual caution with
>> running code from unknown sources applies, of course.
>>
>>> One last thing, rather than just running a random POC I've
>>> actually looked into what's going on, via Process Monitor,
>>> and as far as it's concerned, it always loaded the correct
>>> (ie, the original) dlls.
>>
>> Can you please send the Process Monitor log for this case? We'll be happy
>> to look into your case.
>>
>> Cheers,
>>
>> Mitja Kolsek
>> CEO&CTO
>>
>> ACROS, d.o.o.
>> Makedonska ulica 113
>> SI - 2000 Maribor, Slovenia
>> tel: +386 2 3000 280
>> fax: +386 2 3000 282
>> web: http://www.acrossecurity.com
>>
>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>>
>>
>>
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-09 Thread Christian Sciberras
> Btw, you can simply turn our Internet-based test into an intranet or local
> test by copying the files to your local share or a folder on your computer
> and double-clicking the .wab file from there. The usual caution with
> running code from unknown sources applies, of course.

I did better: I wrote my own test, which, just like your test,
failed to prove the vulnerability.
The only difference was that I knew what was going wrong and tried to
get it to work in all ways possible;
it only seemed to work when the right possible wasn't anywhere near
the running executable (or system directories).

Unless the whole point of the vulnerability was to exploit non-existent dlls??

> Can you please send the Process Monitor log for this case? We'll be happy
> to look into your case.

Sure, fine by me.


Regards,
Chris.



On Thu, Sep 9, 2010 at 12:32 PM, Mitja Kolsek wrote:
> Hi Chris,
>
>> Considering Acros highlighted how their POC was highly
>> unstable (they've frequently advised to try the program
>> several times to get it to work) I don't see such abnormal
>> behaviour out of this world.
>
> Indeed, we're seeing problems with accessing (any) remote WebDAV shares
> from various Windows computers, while it works just great on others. Based
> on network monitoring, it doesn't seem to be a problem with the server
> though, but rather with occasionally unreliable support for WebDAV folders
> in Windows. We're looking for possible causes and especially for
> workarounds that could improve the reliability.
>
> We'll appreciate your feedback - tell us how it worked or didn't work for
> you. It's a chance for us all to learn something new.
>
> Btw, you can simply turn our Internet-based test into an intranet or local
> test by copying the files to your local share or a folder on your computer
> and double-clicking the .wab file from there. The usual caution with
> running code from unknown sources applies, of course.
>
>> One last thing, rather than just running a random POC I've
>> actually looked into what's going on, via Process Monitor,
>> and as far as it's concerned, it always loaded the correct
>> (ie, the original) dlls.
>
> Can you please send the Process Monitor log for this case? We'll be happy
> to look into your case.
>
> Cheers,
>
> Mitja Kolsek
> CEO&CTO
>
> ACROS, d.o.o.
> Makedonska ulica 113
> SI - 2000 Maribor, Slovenia
> tel: +386 2 3000 280
> fax: +386 2 3000 282
> web: http://www.acrossecurity.com
>
> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>
>
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-09 Thread Mitja Kolsek
Hi Chris, 

> Considering Acros highlighted how their POC was highly 
> unstable (they've frequently advised to try the program 
> several times to get it to work) I don't see such abnormal 
> behaviour out of this world.

Indeed, we're seeing problems with accessing (any) remote WebDAV shares
from various Windows computers, while it works just great on others. Based
on network monitoring, it doesn't seem to be a problem with the server
though, but rather with occasionally unreliable support for WebDAV folders
in Windows. We're looking for possible causes and especially for
workarounds that could improve the reliability.

We'll appreciate your feedback - tell us how it worked or didn't work for
you. It's a chance for us all to learn something new.

Btw, you can simply turn our Internet-based test into an intranet or local
test by copying the files to your local share or a folder on your computer
and double-clicking the .wab file from there. The usual caution with
running code from unknown sources applies, of course.

> One last thing, rather than just running a random POC I've 
> actually looked into what's going on, via Process Monitor, 
> and as far as it's concerned, it always loaded the correct 
> (ie, the original) dlls.

Can you please send the Process Monitor log for this case? We'll be happy
to look into your case.

Cheers,

Mitja Kolsek
CEO&CTO

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com

ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
 



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-09 Thread jf
> > I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> > with latest windows updates applied (as of Today -sept 09 2010).
> Could it be that a virus/trojan from my XP machine caused some form
> of immunity against this issue?
> And perhaps my extensive meddling and customization somehow modified the
> Windows 7 install beyond normal limits?
> I very much doubt this. I used both bitness demos for what it's worth.
> 

I can confirm the demo worked as expected; first shot on an up-to-date
auto-patched win7 box.
That said, I did a quick search to see if I had a local copy of wab32res.dll
(dunno what the dll in the subject line is about, the DLL in question is
wab32res.dll), and I did not. I wrote a quick DLL with a simple MessageBoxA(),
dropped it into the Windows directory and tested it again, and got a pop up
informing me I am about to import an address book (versus their lolhacked
popup). If I had to take a stab at it, judging by this comment:

> One last thing, rather than just running a random POC I've actually
> looked into what's going on, via Process Monitor, and as far as it's
> concerned, it always loaded the correct (ie, the original) dlls.

my guess would be that one of you has a copy of the DLL in the DLL search path
(which *doesn't* include . until the second to last stage by default), and one
of you does not.

..De asini vmbra disceptare.



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread Christian Sciberras
> I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> with latest windows updates applied (as of Today -sept 09 2010).
Could it be that a virus/trojan from my XP machine caused some form
of immunity against this issue?
And perhaps my extensive meddling and customization somehow modified the
Windows 7 install beyond normal limits?
I very much doubt this. I used both bitness demos for what it's worth.

> Should I make a movie to prove that, like
Up till step 2 everything went fine. Step 3 went a little differently
- wab.exe opened, but no popup box opened with it.

Considering Acros highlighted how their POC was highly unstable
(they've frequently advised to try the program several times to get it
to work) I don't see such abnormal behaviour out of this world.

One last thing, rather than just running a random POC I've actually
looked into what's going on, via Process Monitor, and as far as it's
concerned, it always loaded the correct (ie, the original) dlls.

Cheers,
Chris.





On Thu, Sep 9, 2010 at 7:40 AM, YGN Ethical Hacker Group wrote:
> I must say I can't take your word, according to my testing.
> I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> with latest windows updates applied (as of Today -sept 09 2010). I
> used Acros Security's 64 bit demo.
>
> Should I make a movie to prove that, like
> 1 - Updating Windows (check for updates),
> 2 - Go to \\www.binaryplanting.com\demo\windows_address_book_64
> 3 - See the popup box
>
> ?
>
>
>
>
>
>
>
> On Thu, Sep 9, 2010 at 7:44 AM, Christian Sciberras wrote:
>> That is what others said, yet it installed automatically on mine.
>> The only interaction was that I allowed it to be downloaded and
>> installed... not really geeky at all...
>>
>> I must say you'll have to take my word on it.
>>
>>
>>
>>
>> On Thu, Sep 9, 2010 at 1:36 AM,   wrote:
>>> Christian Sciberras wrote:
>>>
>>>>>> MS issued a patch quite some time ago.
>>>> http://support.microsoft.com/kb/2264107
>>>
>>> That is not a "patch", not installed by default: it is only for
>>> uber-geeks who manually install it. Was issued a week ago, in
>>> response to this kerfuffle, not "quite some time ago".
>>>
>>> Which setting of CWDIllegalInDllSearch did you choose: was it
>>> 0x which may be "safe", but is known to break Outlook
>>> (and others), as noted in
>>>
>>>  DLL hijacking vulnerabilities
>>>  http://isc.sans.edu/diary.html?storyid=9445
>>>
>>> (geeks can add further tweaks to the registry to fix).
>>>
>>> Cheers, Paul
>>>
>>> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
>>> School of Mathematics and Statistics   University of Sydney    Australia
>>>
>>
>>
>
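Mitja asks for a Process Monitor log and Christian says his showed "the correct (ie, the original) dlls" being loaded; jf's reading is that the difference comes down to whether a copy of the DLL sits somewhere earlier in the search path. The added Python below (not code from anyone in the thread) is the triage a practitioner would run over such a log: it walks a Process Monitor CSV export and pairs the run of `CreateFile` / `NAME NOT FOUND` probes for one DLL basename with the `Load Image` that finally succeeded. Every directory in the miss list is a place where a planted copy would have won; a final load from a UNC path is the binary-planting case itself. The column names are Process Monitor's default CSV columns; the log rows are constructed to mirror the wab.exe / wab32res.dll demo discussed above and are not a real capture, and the `C:\Program Files\Common Files\System` application directory is assumed.

```python
"""Triage a Process Monitor CSV export for DLL search-order probing.

Added example.  Columns are Process Monitor's default CSV columns
(File > Save, CSV).  SAMPLE_LOG is constructed for this example and
mirrors the wab.exe / wab32res.dll demo; it is not a real capture.
"""
import csv
import io
import ntpath
from collections import defaultdict

SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","wab.exe","1234","Load Image","C:\\Program Files\\Common Files\\System\\wab.exe","SUCCESS","Image Base: 0x400000"
"10:01:02.2","wab.exe","1234","CreateFile","C:\\Program Files\\Common Files\\System\\wab32res.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","wab.exe","1234","CreateFile","C:\\Windows\\System32\\wab32res.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","wab.exe","1234","CreateFile","C:\\Windows\\System\\wab32res.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","wab.exe","1234","CreateFile","C:\\Windows\\wab32res.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.6","wab.exe","1234","CreateFile","\\\\www.binaryplanting.com\\demo\\windows_address_book_64\\wab32res.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.7","wab.exe","1234","Load Image","\\\\www.binaryplanting.com\\demo\\windows_address_book_64\\wab32res.dll","SUCCESS","Image Base: 0x10000000"
"10:01:03.0","wab.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"""

MISS = {"NAME NOT FOUND", "PATH NOT FOUND"}   # loader probed a directory and moved on


def is_dll(path):
    return path.lower().endswith(".dll")


def is_unc(path):
    # \\server\share\... : a remote location (SMB or WebDAV redirector)
    return path.startswith("\\\\")


def parse(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_hijack_candidates(rows):
    """One finding per (pid, dll) whose successful Load Image was preceded by misses.

    `missed_in` lists the directories searched before the winning copy; a
    writable one is a planting location.  `remote` marks a winning copy that
    itself came from a UNC/WebDAV path, i.e. planting already succeeded.
    """
    probes = defaultdict(list)          # (pid, dll basename) -> directories missed
    findings = []
    for row in rows:
        path = row["Path"]
        if not is_dll(path):
            continue
        key = (row["PID"], ntpath.basename(path).lower())
        if row["Operation"] == "CreateFile" and row["Result"] in MISS:
            probes[key].append(ntpath.dirname(path))
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS" and probes.get(key):
            findings.append({
                "process": row["Process Name"],
                "pid": row["PID"],
                "dll": key[1],
                "missed_in": probes.pop(key),
                "loaded_from": ntpath.dirname(path),
                "remote": is_unc(path),
            })
    return findings


def report(findings):
    """Human-readable lines, one header per finding plus one per probed directory."""
    lines = []
    for f in findings:
        verdict = "PLANTED (loaded from remote path)" if f["remote"] else "exposed"
        lines.append(f"{f['process']}[{f['pid']}] {f['dll']}: {verdict}; loaded from {f['loaded_from']}")
        for directory in f["missed_in"]:
            lines.append(f"    probed first: {directory}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_hijack_candidates(parse(SAMPLE_LOG)))))
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents. A log in which the DLL is found in the application or System32 directory before any miss produces no finding, which is what Christian describes; the same log on a host that lacks the DLL walks every stage down to the current directory, which is what jf saw.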



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread YGN Ethical Hacker Group
I must say I can't take your word, according to my testing.
I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
with latest windows updates applied (as of Today -sept 09 2010). I
used Acros Security's 64 bit demo.

Should I make a movie to prove that, like
1 - Updating Windows (check for updates),
2 - Go to \\www.binaryplanting.com\demo\windows_address_book_64
3 - See the popup box

?







On Thu, Sep 9, 2010 at 7:44 AM, Christian Sciberras wrote:
> That is what others said, yet it installed automatically on mine.
> The only interaction was that I allowed it to be downloaded and
> installed... not really geeky at all...
>
> I must say you'll have to take my word on it.
>
>
>
>
> On Thu, Sep 9, 2010 at 1:36 AM,   wrote:
>> Christian Sciberras wrote:
>>
>>>>> MS issued a patch quite some time ago.
>>> http://support.microsoft.com/kb/2264107
>>
>> That is not a "patch", not installed by default: it is only for
>> uber-geeks who manually install it. Was issued a week ago, in
>> response to this kerfuffle, not "quite some time ago".
>>
>> Which setting of CWDIllegalInDllSearch did you choose: was it
>> 0x which may be "safe", but is known to break Outlook
>> (and others), as noted in
>>
>>  DLL hijacking vulnerabilities
>>  http://isc.sans.edu/diary.html?storyid=9445
>>
>> (geeks can add further tweaks to the registry to fix).
>>
>> Cheers, Paul
>>
>> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
>> School of Mathematics and Statistics   University of Sydney    Australia
>>
>
>


Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread Christian Sciberras
That is what others said, yet it installed automatically on mine.
The only interaction was that I allowed it to be downloaded and
installed... not really geeky at all...

I must say you'll have to take my word on it.




On Thu, Sep 9, 2010 at 1:36 AM,   wrote:
> Christian Sciberras wrote:
>
>>>> MS issued a patch quite some time ago.
>> http://support.microsoft.com/kb/2264107
>
> That is not a "patch", not installed by default: it is only for
> uber-geeks who manually install it. Was issued a week ago, in
> response to this kerfuffle, not "quite some time ago".
>
> Which setting of CWDIllegalInDllSearch did you choose: was it
> 0x which may be "safe", but is known to break Outlook
> (and others), as noted in
>
>  DLL hijacking vulnerabilities
>  http://isc.sans.edu/diary.html?storyid=9445
>
> (geeks can add further tweaks to the registry to fix).
>
> Cheers, Paul
>
> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread paul . szabo
Christian Sciberras wrote:

>>> MS issued a patch quite some time ago.
> http://support.microsoft.com/kb/2264107

That is not a "patch", not installed by default: it is only for
uber-geeks who manually install it. Was issued a week ago, in
response to this kerfuffle, not "quite some time ago".

Which setting of CWDIllegalInDllSearch did you choose: was it
0x which may be "safe", but is known to break Outlook
(and others), as noted in

  DLL hijacking vulnerabilities
  http://isc.sans.edu/diary.html?storyid=9445

(geeks can add further tweaks to the registry to fix).

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread Christian Sciberras
http://support.microsoft.com/kb/2264107

That is installed both in my win7 64bit workstation system and the
32bit XP Pro (virtualized) system.
For the matter, that POC never worked on my PC, at least their initial
implementation was always flawed.
(speaking of which, did they really have to fail it when my own POC,
written under an hour, worked perfectly?)

If you still think my POC was wrong, please do try it and highlight
what is wrong with it.
Though I take no offense in no one trying it - it was more of personal
satisfaction than real use, hence it being written in Lazarus.

Cheers,
Chris.


On Thu, Sep 9, 2010 at 12:00 AM,   wrote:
> Christian Sciberras wrote:
>
>> MS issued a patch quite some time ago.
>
> Would you be able to give a reference to that patch, and comment on
> its relationship to the recent
>
>  Microsoft Security Advisory (2269637)
>  Insecure Library Loading Could Allow Remote Code Execution
>  http://www.microsoft.com/technet/security/advisory/2269637.mspx
>
> ?
>
>> This "vulnerability" is no more on all of MS's OSes ...
>> I ... tested ... the vulnerability didn't work).
>
> May I suggest that you tested wrong: I followed
>
>  Online Binary Planting Exposure Test
>  http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076293.html
>
> and it "worked" for me, on my patched-to-the-limit WinXP.
>
> Cheers, Paul
>
> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread paul . szabo
Christian Sciberras wrote:

> MS issued a patch quite some time ago.

Would you be able to give a reference to that patch, and comment on
its relationship to the recent

  Microsoft Security Advisory (2269637)
  Insecure Library Loading Could Allow Remote Code Execution
  http://www.microsoft.com/technet/security/advisory/2269637.mspx

?

> This "vulnerability" is no more on all of MS's OSes ...
> I ... tested ... the vulnerability didn't work).

May I suggest that you tested wrong: I followed

  Online Binary Planting Exposure Test
  http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076293.html

and it "worked" for me, on my patched-to-the-limit WinXP.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread Christian Sciberras
> Do you mean that the practical solution would be for MS to set
> sensible defaults? It took them many years for SafeDllSearchMode,
> expect just as many for CWDIllegalInDllSearch.

Did you read my email about real-world testing of this issue?
MS issued a patch quite some time ago.
This "vulnerability" is no more on all of MS's OSes (due to the
several replies to that email, I also tested it on XP Pro SP3 +
patched...the vulnerability didn't work).

> In the meantime, let us get all apps fixed.

Sure, fix them all up, be my guest. See you in 2 years' time.

> Or install Ubuntu.

Perhaps you would be intrigued to know that an issue, which shares
this same concept, also applies to Linux.
Well, actually it ain't Linux's fault. It is the fault of most
scripting applications' out there (batch, php, asp and probably python
ruby sh etc, and of course, all applications that use them). And this
time it can't be easily fixed.

That said, since I consider the underlying risk well beyond useless, I
won't even bother arguing about this (so don't bother asking).


Cheers,
Chris.


On Wed, Sep 8, 2010 at 11:13 PM,   wrote:
> Christian Sciberras wrote:
>
>> ... the approach to fixing it is not practical ...
>> ... it is [the fault of] the underlying dll loading mechanism.
>
> Do you mean that the practical solution would be for MS to set
> sensible defaults? It took them many years for SafeDllSearchMode,
> expect just as many for CWDIllegalInDllSearch.
>
> In the meantime, let us get all apps fixed. Or install Ubuntu.
>
> Cheers, Paul
>
> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread paul . szabo
Christian Sciberras  wrote:

> ... the approach to fixing it is not practical ...
> ... it is [the fault of] the underlying dll loading mechanism.

Do you mean that the practical solution would be for MS to set
sensible defaults? It took them many years for SafeDllSearchMode,
expect just as many for CWDIllegalInDllSearch.

In the meantime, let us get all apps fixed. Or install Ubuntu.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
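The two Windows settings named in this message (SafeDllSearchMode and the later CWDIllegalInDllSearch from KB2264107) are what decide whether the current directory is consulted when a DLL such as dwmapi.dll is not found beside the executable. As an added example that is not part of the thread or of KeePass, the following PowerShell script audits both values, decodes what each CWDIllegalInDllSearch setting actually blocks, and lists any per-application overrides under Image File Execution Options. It assumes a Windows host; on a build without the KB2264107 update the second value is simply reported as absent. The function and variable names are this example's own.

```powershell
# Added example (not code from the thread or from KeePass): audit the two
# DLL-search hardening settings discussed above. Assumes a Windows host;
# where KB2264107 is not installed, CWDIllegalInDllSearch is reported as absent.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Translate a CWDIllegalInDllSearch REG_DWORD into the policy it enforces.
# PowerShell reads a REG_DWORD of 0xFFFFFFFF back as the Int32 value -1.
function ConvertTo-CwdPolicy {
    param($Value)
    if ($null -eq $Value) { return 'absent (CWD searched everywhere)' }
    switch ($Value) {
        0           { '0 (CWD searched everywhere)' }
        1           { '1 (CWD skipped only when it is a WebDAV share)' }
        2           { '2 (CWD skipped when it is any remote share)' }
        -1          { '0xFFFFFFFF (CWD never searched)' }
        0xFFFFFFFF  { '0xFFFFFFFF (CWD never searched)' }
        default     { "unrecognised value $Value" }
    }
}

function Get-DllSearchHardening {
    $p = Get-ItemProperty -Path $SessionManager -ErrorAction SilentlyContinue

    # SafeDllSearchMode = 1 (the default since XP SP2) searches the system
    # directories before the current directory; 0 restores the old order with
    # CWD searched second. A missing value means the default (enabled).
    $safe = if ($null -eq $p.SafeDllSearchMode) { 1 } else { [int]$p.SafeDllSearchMode }

    # Per-application overrides live under IFEO\<exe name> and take precedence
    # over the machine-wide value for that executable.
    $overrides = @()
    if (Test-Path $IfeoRoot) {
        foreach ($key in Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue) {
            $v = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
            if ($null -ne $v) {
                $overrides += [pscustomobject]@{
                    Image  = $key.PSChildName
                    Policy = ConvertTo-CwdPolicy $v
                }
            }
        }
    }

    [pscustomobject]@{
        SafeDllSearchMode       = $safe
        SafeDllSearchEnabled    = ($safe -eq 1)
        CWDIllegalInDllSearch   = ConvertTo-CwdPolicy $p.CWDIllegalInDllSearch
        # Only 0xFFFFFFFF removes CWD from the search order outright; values 1
        # and 2 block the remote-share delivery vector only, which is why
        # "disabling remote share/WebDAV" is not a complete fix.
        CwdFullyExcluded        = ($p.CWDIllegalInDllSearch -eq -1)
        PerApplicationOverrides = $overrides
    }
}

Get-DllSearchHardening | Format-List
```

Reading the output: SafeDllSearchEnabled should be true and CwdFullyExcluded should be true on a hardened host; a machine showing value 1 or 2 has only closed the remote-share and WebDAV path and still searches a local current directory. An application that wants to protect itself regardless of the machine setting can call SetDllDirectory with an empty string at startup, which removes the current directory from that process's own DLL search order.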



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread Everhart, Glenn
So you might then add another pass of making a hash after the details of
transaction are known that embodies transaction details, then use oblivious
transfer again so that each end knows that the transaction was done and
was thus accepted?

Takes care of someone taking over the transaction perhaps, and this could
bind in the initial data so the password exchange might be rechecked.

In the first step though, there is a reliance by the client that the server
uniquely knows the password, as it seems. If many servers know that password,
at best the client knows the server is one of those that know it.

If something at the client end fiddles with the transaction, the above kind of
signing only says that the client end is consistent, does not ensure the
user at that end actually has anything to do with those bits.

At any rate, for such a thing to work you want something better than the
usual "12345" kind of password, and to overcome things like the reported 73%
of the population who use the same password for everything.

This use of oblivious transfer though, giving mutual proof, is a useful 
primitive.

Glenn Everhart


-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian 
Sciberras
Sent: Wednesday, September 08, 2010 1:07 PM
To: YGN Ethical Hacker Group
Cc: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
Subject: Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking 
Vulnerability (dwmapi.dll)

With the recent MS update/patch and my POC failure (to exploit the
vuln), it is clear that this type of "vulnerability" is impractical.
In the (few) cases where it *might* work, the approach to fixing it is
not practical; that is, there are hundreds, if not thousands, of
vulnerable applications.
Just consider that DWM (as in above) is loaded via a well-known and
widely used API.
If that ain't proof enough, see what they did with mshtml in Notepad.
Whichever the case, it is not the application's fault, but the
underlying dll loading mechanism.
Having each vulnerable application's developer fix it is hardly
practical; thus, your (and other related) reports are, mildly put, a
huge waste of time.

Cheers,
Chris.




On Wed, Sep 8, 2010 at 10:36 AM, YGN Ethical Hacker Group
 wrote:
> A vulnerability is a vulnerability.
> A SQL Injection is a type of Vulnerability.
> For each type of Vulnerability, there will be thousands of web
> applications that might be vulnerable to it.
> DLL Hijacking is the same.
>
> We do each post rather than a list so that security vulnerability news
> sites can get as much detailed information
> as possible.
>
> If you don't want it, set a filter for each post subject with "DLL
> Hijacking" or from our email.
>
> We can't underestimate such an easy flaw that leads to system
> compromise or command execution under the user's privileges.
>
> Disabling remote share/WebDav is not a solution to DLL Hijacking at all.
>
> DLL Hijacking is highly effective in combination with the use of
> Social Engineering Toolkit.
>
>
>
>
> On Tue, Sep 7, 2010 at 2:28 PM, Christian Sciberras  wrote:
>> I'm getting a bit tired of throwing away these "security advisories".
>>
>> Really, someone should install a whole load of popular applications, ensure
>> any of them load their own files, and finally, thanks to a mass dependency
>> check, ensure DWM is being loaded at runtime.
>>
>> At least, it would be just one email/thread to trash.
>>
>>
>>
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread Christian Sciberras
With the recent MS update/patch and my POC failure (to exploit the
vuln), it is clear that this type of "vulnerability" is impractical.
In the (few) cases where it *might* work, the approach to fixing it is
not practical; that is, there are hundreds, if not thousands, of
vulnerable applications.
Just consider that DWM (as in above) is loaded via a well-known and
widely used API.
If that ain't proof enough, see what they did with mshtml in Notepad.
Whichever the case, it is not the application's fault, but the
underlying dll loading mechanism.
Having each vulnerable application's developer fix it is hardly
practical; thus, your (and other related) reports are, mildly put, a
huge waste of time.

Cheers,
Chris.




On Wed, Sep 8, 2010 at 10:36 AM, YGN Ethical Hacker Group
 wrote:
> A vulnerability is a vulnerability.
> A SQL Injection is a type of Vulnerability.
> For each type of Vulnerability, there will be thousands of web
> applications that might be vulnerable to it.
> DLL Hijacking is the same.
>
> We do each post rather than a list so that security vulnerability news
> sites can get as much detailed information
> as possible.
>
> If you don't want it, set a filter for each post subject with "DLL
> Hijacking" or from our email.
>
> We can't underestimate such an easy flaw that leads to system
> compromise or command execution under the user's privileges.
>
> Disabling remote share/WebDav is not a solution to DLL Hijacking at all.
>
> DLL Hijacking is highly effective in combination with the use of
> Social Engineering Toolkit.
>
>
>
>
> On Tue, Sep 7, 2010 at 2:28 PM, Christian Sciberras  wrote:
>> I'm getting a bit tired of throwing away these "security advisories".
>>
>> Really, someone should install a whole load of popular applications, ensure
>> any of them load their own files, and finally, thanks to a mass dependency
>> check, ensure DWM is being loaded at runtime.
>>
>> At least, it would be just one email/thread to trash.
>>
>>
>>
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-08 Thread YGN Ethical Hacker Group
A vulnerability is a vulnerability.
A SQL Injection is a type of Vulnerability.
For each type of Vulnerability, there will be thousands of web
applications that might be vulnerable to it.
DLL Hijacking is the same.

We do each post rather than a list so that security vulnerability news
sites can get as much detailed information
as possible.

If you don't want it, set a filter for each post subject with "DLL
Hijacking" or from our email.

We can't underestimate such an easy flaw that leads to system
compromise or command execution under the user's privileges.

Disabling remote share/WebDav is not a solution to DLL Hijacking at all.

DLL Hijacking is highly effective in combination with the use of
Social Engineering Toolkit.




On Tue, Sep 7, 2010 at 2:28 PM, Christian Sciberras  wrote:
> I'm getting a bit tired of throwing away these "security advisories".
>
> Really, someone should install a whole load of popular applications, ensure
> any of them load their own files, and finally, thanks to a mass dependency
> check, ensure DWM is being loaded at runtime.
>
> At least, it would be just one email/thread to trash.
>
>
>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-07 Thread Jacky Jack
Be patient.
It won't last for too long.
Even if you're tired of it, those who've been using it for creating
botnets love to see it.



On Tue, Sep 7, 2010 at 2:28 PM, Christian Sciberras  wrote:
> I'm getting a bit tired of throwing away these "security advisories".
>
> Really, someone should install a whole load of popular applications, ensure
> any of them load their own files, and finally, thanks to a mass dependency
> check, ensure DWM is being loaded at runtime.
>
> At least, it would be just one email/thread to trash.
>
>
>
>
>
> On Tue, Sep 7, 2010 at 8:23 AM, Dan Kaminsky  wrote:
>>
>> So, what's the security model around .ygwx files?
>>
>> On Tue, Sep 7, 2010 at 1:57 AM, YGN Ethical Hacker Group 
>> wrote:
>>>
>>> The fixed version KeePass 2.13 has been released.
>>>
>>> http://keepass.info/news/n100906_2.13.html
>>>
>>> But it fails to state that "DLL Hijacking was fixed".
>>>



Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-06 Thread Christian Sciberras
I'm getting a bit tired of throwing away these "security advisories".

Really, someone should install a whole load of popular applications, ensure
any of them load their own files, and finally, thanks to a mass dependency
check, ensure DWM is being loaded at runtime.

At least, it would be just one email/thread to trash.





On Tue, Sep 7, 2010 at 8:23 AM, Dan Kaminsky  wrote:

> So, what's the security model around .ygwx files?
>
>
> On Tue, Sep 7, 2010 at 1:57 AM, YGN Ethical Hacker Group 
> wrote:
>
>> The fixed version KeePass 2.13 has been released.
>>
>> http://keepass.info/news/n100906_2.13.html
>>
>> But it fails to state that "DLL Hijacking was fixed".
>>

Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-06 Thread Dan Kaminsky
excuse me, kdbx.  same difference


On Tue, Sep 7, 2010 at 2:23 AM, Dan Kaminsky  wrote:

> So, what's the security model around .ygwx files?
>
>
> On Tue, Sep 7, 2010 at 1:57 AM, YGN Ethical Hacker Group 
> wrote:
>
>> The fixed version KeePass 2.13 has been released.
>>
>> http://keepass.info/news/n100906_2.13.html
>>
>> But it fails to state that "DLL Hijacking was fixed".
>>

Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-06 Thread Dan Kaminsky
So, what's the security model around .ygwx files?

On Tue, Sep 7, 2010 at 1:57 AM, YGN Ethical Hacker Group wrote:

> The fixed version KeePass 2.13 has been released.
>
> http://keepass.info/news/n100906_2.13.html
>
> But it fails to state that "DLL Hijacking was fixed".
>

Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-06 Thread YGN Ethical Hacker Group
The fixed version KeePass 2.13 has been released.

http://keepass.info/news/n100906_2.13.html

But it fails to state that "DLL Hijacking was fixed".
