Re[2]: [Full-disclosure] Insecure call to CreateProcess()/CreateProcessAsUser()
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re[2]: [Full-disclosure] Insecure call to CreateProcess()/CreateProcessAsUser()
- From: Thierry Zoller <Thierry@xxxxxxxxx>
- Date: Sun, 21 May 2006 19:24:48 +0200
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title></title>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta http-equiv="Content-Style-Type" content="text/css">
</head>
<body>
<p>Dear Andres Tarasco,</p>
<p><br></p>
<p><span class=rvts8>>I can see only one real attack scenario,
unprivileged access to a Windows with FAT file system or incorrect
acls</span></p>
<p><span class=rvts8>> that allows you to store c:\telnet.exe file.
Anyway under that scenario, you should be able to trigger better attacks
;-) </span></p>
<p><br></p>
<p>Windows 2000 per default allows users to write to c:\</p>
<p><br></p>
<p>PS. I have seen malware dropping another encrypted copy to C:\program.exe,
whenever an application calls</p>
<p>a createprocess unsafely it gets executed.</p>
<p><br></p>
<p><br></p>
<p><br></p>
<p><span class=rvts11>-- </span></p>
<p><a class=rvts12
href="http://secdev.zoller.lu">http://secdev.zoller.lu</a></p>
<p><span class=rvts11>Thierry Zoller</span></p>
<p><span class=rvts11>Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3
75DD 0AC6 F1C7</span></p>
</body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
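
An added audit example, not part of the original message or of any tool named in the thread: it lists the paths CreateProcess() tries, in order, when lpApplicationName is NULL and the command line is unquoted, and reports which of the earlier candidates (such as C:\Program.exe) are present on disk. The function names, the sample command lines and the sample file set are constructed for illustration, and treating the first prefix that already carries a file extension as the intended image is an assumption of this sketch.

```python
import ntpath  # Windows path rules, importable on any platform


def search_order(command_line):
    """Paths tried, in order, for lpCommandLine with lpApplicationName NULL."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        # A quoted module name has exactly one interpretation.
        return [cmd[1:].split('"', 1)[0]]
    tokens = cmd.split(" ")
    tried = []
    for i, tok in enumerate(tokens):
        if not tok:
            continue  # run of spaces: no new prefix to try
        prefix = " ".join(tokens[: i + 1])
        if ntpath.splitext(prefix)[1]:
            # Assumption: the first prefix with an extension is the real image.
            tried.append(prefix)
            break
        tried.append(prefix + ".exe")  # ".exe" is appended when none is given
    return tried


def audit(command_lines, exists):
    """Return (command, earlier_candidate, present_on_disk) for each path
    that would run instead of the intended image if it existed."""
    findings = []
    for cmd in command_lines:
        for path in search_order(cmd)[:-1]:
            findings.append((cmd, path, exists(path)))
    return findings


# Constructed sample data: command lines as found in service or Run entries.
SAMPLE_COMMANDS = [
    r'C:\Program Files\Vendor App\svc.exe -k run',    # unquoted, has spaces
    r'"C:\Program Files\Vendor App\svc.exe" -k run',  # quoted form
    r'C:\Windows\system32\svchost.exe -k netsvcs',    # unquoted, no spaces
]
SAMPLE_FILES = {r'c:\program.exe'}  # constructed: a file found in the root


def sample_exists(path):
    return path.lower() in SAMPLE_FILES  # Windows paths are case-insensitive


if __name__ == "__main__":
    for cmd, path, present in audit(SAMPLE_COMMANDS, sample_exists):
        print(("PRESENT " if present else "absent  ") + path + "  <-  " + cmd)
```

On a live host, pass a real existence check as `exists`; any candidate reported as present deserves inspection, and any command line with findings should be quoted or launched with an explicit lpApplicationName.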