Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

[Charles Morris <cmorris@xxxxxxxxxx>]

On Tue, Aug 31, 2010 at 7:03 PM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:
>
>
>
>
> On Aug 31, 2010, at 2:20 PM, Charles Morris <cmorris@xxxxxxxxxx> wrote:
>
>> On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:
>>
>>>
>>> Again, the clicker can't differentiate word (the document) from word (the
>>> executable).  The clicker also can't differentiate word (the document)
>>> from
>>> word (the code equivalent script).
>>>
>>> The security model people keep presuming exists, doesn't.
>>>
>>> Even the situation whereby a dll is dropped into a directory of documents
>>> --
>>> the closest to a real exploit path there is -- all those docs can be
>>> repacked into executables.
>>>
>>
>> What?
>>
>> I can differentiate my coolProposal.doc from msword.exe just fine..
>>
>
> Uh huh. Here, let me go ahead and create 2010 Quarterly Numbers.ppt.exe with
> a changed icon, and see what you notice.
>

Mr. Szabo has already slapped your wrist for such undeserved arrogance.

And yeah, I find it a joke that you think that ".ppt.exe" isn't pretty
damn obvious.

I might have fell for that when I was 9, but I haven't had a problem
with a windows box in years.

I will admit, at 3AM when I've been working for 18 hours and awake for
36, it is possible that I may double-click
such a malicious file and then immediately think "OH shit" and rebuild.

I know what we can do, we can repackage the "Hey watch out for badguys
masquerading as innocent files"
that everybody already knows about, contact CERT and negotiate a fix
between major vendors (Hey this isn't just a MS vulnerability
right??), then give a talk at blackhat to establish our fame, but now
that I think about it.. that would be rude to the people who have been
complaining about this since 1999.

>
>> If your statement is that the windows defaults should be changed,
>> including the "hide extensions" default, then I wholeheartedly agree
>> as I detailed in my first post. It's the first thing I turn off.
>>
>> Many people who think the same way have considered that a
>> vulnerability in windows for years, I wouldn't consider it part of
>> the "DLL Hijacking" fiasco.
>
> Imagine if the browser lock meant arbitrary code could run.
>
> I find your faith in small collections of pixels hilarious.
>

Imagine if the keyboard LED meant arbitrary code could run!!

What? I don't even understand what you are getting at. This has
nothing to do with faith in icons.

My statement was that windows defaults arguably represent a
vulnerability in the GUI
by making "proposal.doc" indistinguishable from "proposal.doc.exe with
a crafted icon",
when you are encouraged to double-click the icons through the GUI, and
when "doc" files
are supposed to be innocent to open. I was also stating the fact that
this vulnerability
should be addressed outside of the scope of the "DLL Hijacking" mess.

Cheers,
Charles

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/