[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Insecure call to CreateProcess()/CreateProcessAsUser()
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Insecure call to CreateProcess()/CreateProcessAsUser()
- From: "Charles Morris" <cmorris@xxxxxxxxxx>
- Date: Sun, 21 May 2006 08:02:10 -0700
Microsoft Explorer (iexplore.exe) calls CreateProcess() with
lpApplicationName = NULL. Instead, the lpCommandLine variable is used.
Unfortunateally, if the lpCommandLine variable is not quoted properly, the
function will attempt to load&execute multiple other applications in
the following fashion:
lpCommandLine = C:\Program Files\Google\Google Talk\googletalk.exe
Will attempt to execute:
C:\Program.exe
C:\Program Files\Google\Google.exe
C:\Program Files\Google\Google Talk\googletalk.exe
If Microsoft Hyperterminal is set up to be your default telnet client,
this behavior is known to be triggered from the web with a telnet:// style link.
Microsoft was notified, they told me it was a "non issue", that they
coulden't reproduce it, and basically "dont worry about it". or
something. Unfortunateally although explorer.exe warns a user when the
file "C:\Program.exe" exists, it does not check any other paths,
therefore it is not nearly a sufficient workaround.
--
Charles Morris
cmorris@xxxxxxxxxx
Network Administrator
CS Systems Group Old Dominion University
http://15037760514/~cmorris
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/