[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
- To: cybseclabs@xxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
- From: paul.szabo@xxxxxxxxxxxxx
- Date: Mon, 5 Sep 2011 08:54:46 +1000
> Application: wscript.exe
> Extensions: js, jse, vbe, vbs, wsf, wsh
> Library: wshesn.dll
Many people commented that the above extensions are "executable"
already, so are (should be) treated with caution, or that they
can be trojaned directly without any DLL load shenanigans.
However... looking at
http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
I do not see JS listed as executable, though JSE is listed.
Looking at
http://msdn.microsoft.com/en-us/library/ms722429.aspx
I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
machine, none of the above extensions are "designated".
Maybe DLL hijacking is useful for some of these file types, after all?
Cheers, Paul
Paul Szabo psz@xxxxxxxxxxxxxxxxx http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/