Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

[jf <jf@xxxxxxxxx>]

> > I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> > with latest windows updates applied (as of Today -sept 09 2010).
> Could be a virus/trojan from my XP machine might have caused some form
> of immunity against this issue?
> And perhaps my extensive meddling and customization somehow modify the
> Windows 7 install beyond normal limits?
> I very much doubt this. I used both bitness demos for what it's worth.
> 

I can confirm the demo worked as expected; first shot on an up-to-date 
auto-patched win7 box.
That said, I did a quick search to see if I had a local copy of wab32res.dll 
(dunno what the dll in the subject line is about, the DLL in question is 
wab32res.dll), and I did not. I wrote a quick DLL with a simple MessageBoxA() 
into the Windows directory and tested it again and got a pop up informing me I 
am about to import an address book (versus their lolhacked popup). If I had to 
take a stab at it, judging by this comment:

> One last thing, rather than just running a random POC I've actually
> looked into what's going on, via Process Monitor, and as far as it's
> concerned, it always loaded the correct (ie, the original) dlls.

my guess would be that one of you has a copy of the DLL in the DLL search path 
(which *doesnt* include . until the second to last stage by default), and one 
of you does not. 

..De asini vmbra disceptare.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/